[Swan] Failover VPN subnet to subnet using different links
antonio
asilva at wirelessmundi.com
Mon Jul 17 14:13:21 EEST 2023
Hi,
I finally did it with 4 tunnels and configured routing rules to reach each side.
Tunnel1: host - subnet
192.168.100.1 <--> 192.168.200.1 subnet: 172.16.10.0/24
Tunnel2: host - subnet
192.168.300.1 <--> 192.168.400.1 subnet: 172.16.10.0/24
Tunnel3: subnet - host
192.168.100.1 subnet 172.16.20.0/24 <--> 192.168.200.1
Tunnel4: subnet - host
192.168.300.1 subnet 172.16.20.0/24 <--> 192.168.400.1
I did a bash script that detects the status of the connection and sets the routing rule on failure/success.
To avoid having an external monitoring script, is it possible to have all the connections up simultaneously and handle the availability of the connection only with DPD + priority?
Thanks.
—
Saludos / Regards / Cumprimentos
António Silva
> On 13 Jul 2023, at 17:11, antonio <asilva at wirelessmundi.com> wrote:
>
> Hi,
>
> I’m trying to establish a failover vpn using different links but same subnets:
>
> Tunnel1: 192.168.100.1 <--> 192.168.200.1
> 172.16.20.0/24 <--> 172.16.10.0/24
>
> Tunnel2: 192.168.300.1 <--> 192.168.400.1
> 172.16.20.0/24 <--> 172.16.10.0/24
>
>
> If tunnel1 is down the traffic between the subnets will go via tunnel2, and when tunnel1 is up again, the traffic will go via tunnel1.
>
>
> But, when the second tunnel is up I got the error message:
>
> Jul 13 12:45:14 vm pluto[15813]: "tunnel2" #13: cannot install kernel policy -- it is in use for "tunnel1"
> Jul 13 12:45:14 vm pluto[15813]: "tunnel2" #13: state transition function for STATE_QUICK_R0 had internal error
>
>
> My configuration is:
>
> conn tunnel1
> pfs=no
> type=tunnel
> auto=start
> ikev2=no
> phase2=esp
> authby=secret
> keyingtries=3
> ikelifetime=8h
> salifetime=8h
> left=192.168.100.1
> leftsubnet=172.16.20.0/24
> leftid=192.168.100.1
> right=192.168.200.1
> rightsubnet=172.16.10.0/24
> rightid=192.168.200.1
> dpddelay=30
> dpdtimeout=60
> dpdaction=hold
>
> conn tunnel2
> pfs=no
> type=tunnel
> auto=start
> ikev2=no
> phase2=esp
> authby=secret
> keyingtries=3
> ikelifetime=8h
> salifetime=8h
> left=192.168.300.1
> leftsubnet=172.16.20.0/24
> leftid=192.168.300.1
> right=192.168.400.1
> rightsubnet=172.16.10.0/24
> rightid=192.168.400.1
> dpddelay=30
> dpdtimeout=60
> dpdaction=hold
>
>
> I tried the libreswan git version, setting different priorities in the configuration, but got the same result: the second tunnel is not up.
> I installed from a Debian package built using make deb.
>
> Can’t it be done? Or should I avoid this setup and use a route-based VPN?
>
>
> Thanks
>
>
> —
> Saludos / Regards / Cumprimentos
> António Silva
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
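A minimal version of the external monitor the poster describes, as an added example that is not part of the thread: it reads libreswan's `ipsec trafficstatus`, picks the first preferred connection that has an established SA, and points the route for the remote subnet at that link. The line format assumed for `ipsec trafficstatus` (conn name in double quotes after the SA number), the constructed sample output and the per-connection next hops are assumptions, not values from the thread.

```bash
#!/bin/bash
# Added example: choose the active tunnel from `ipsec trafficstatus` output
# and build the matching `ip route` command. Next hops are placeholders.

REMOTE_SUBNET="172.16.10.0/24"
PREFERENCE="tunnel1 tunnel2"   # tunnel1 is primary, tunnel2 the fallback

# Constructed sample output: only tunnel2 currently has an established SA.
SAMPLE_STATUS="006 #4: \"tunnel2\", type=ESP, add_time=1689590000, inBytes=1200, outBytes=900, id='192.168.400.1'"

# Hypothetical next hop per connection (documentation-range addresses).
next_hop_for() {
  case "$1" in
    tunnel1) echo "via 192.0.2.1 dev wan1" ;;
    tunnel2) echo "via 198.51.100.1 dev wan2" ;;
    *) return 1 ;;
  esac
}

# Print the connection names that have at least one established SA.
# $1: text of `ipsec trafficstatus`
established_conns() {
  printf '%s\n' "$1" | sed -n 's/^[0-9]* *#[0-9]*: "\([^"]*\)".*/\1/p' | sort -u
}

# Print the first preferred connection that is up, or "none" (exit 1).
choose_tunnel() {
  local up conn
  up=$(established_conns "$1")
  for conn in $PREFERENCE; do
    if printf '%s\n' "$up" | grep -qx "$conn"; then
      echo "$conn"
      return 0
    fi
  done
  echo "none"
  return 1
}

# Build the route command for the chosen tunnel; fail if nothing is up.
route_cmd() {
  local conn hop
  conn=$(choose_tunnel "$1") || return 1
  hop=$(next_hop_for "$conn") || return 1
  echo "ip route replace $REMOTE_SUBNET $hop"
}

# Dry-run against the sample by default; APPLY=1 queries pluto and applies.
if [ "${APPLY:-0}" = "1" ]; then
  cmd=$(route_cmd "$(ipsec trafficstatus)") && $cmd
else
  route_cmd "$SAMPLE_STATUS"
fi
```

Run it from cron or a systemd timer with APPLY=1; because `ip route replace` is idempotent, repeated runs while the same tunnel stays up change nothing.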