[Swan] Failover VPN subnet to subnet using different links

Paul Wouters paul at nohats.ca
Wed Jul 19 19:59:50 EEST 2023


On Mon, 17 Jul 2023, antonio wrote:

> Subject: Re: [Swan] Failover VPN subnet to subnet using different links
> 
> Hi,
> I finally did it with 4 tunnels and configured routing rules to reach each side.
> 
> Tunnel1: host - subnet 
>  192.168.100.1 <--> 192.168.200.1 subnet:  172.16.10.0/24
> 
> Tunnel2: host - subnet 
>  192.168.300.1 <--> 192.168.400.1 subnet:  172.16.10.0/24
> 
> Tunnel3: subnet - host 
> 192.168.100.1 subnet 172.16.20.0/24  <--> 192.168.200.1
> 
> Tunnel4: subnet - host 
> 192.168.300.1 subnet 172.16.20.0/24  <--> 192.168.400.1

If you set leftsourceip=192.168.100.1 and leftsourceip=192.168.300.1,
then you can reduce those 4 tunnels to 2 tunnels, you won't need the
host-subnet tunnels.

> To avoid having an external monitoring script, Is it possible to have all the simultaneous connections and only with DPD + priority
> to handle the availability of the connection?

I'm having difficulty reading that sentence. DPD works on a per-peer
basis, but it triggers on a per (idle) connection basis.

If you set the priority, your favourite tunnel should "win" at the XFRM
level. Once DPD kicks in, the tunnel will be removed from kernel XFRM
state and so the other tunnel should receive the packet for encryption
and sending.

Paul
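The two-conn layout Paul describes above (one subnet-to-subnet conn per link, a source IP inside the local subnet so the gateways' own packets match the subnet policy, priority to make one link win at the XFRM level, and DPD to drop a dead tunnel), written out as an added ipsec.conf example. This is not configuration from the thread or from the Libreswan project: it assumes Libreswan ipsec.conf syntax, that each gateway also holds an address inside its LAN subnet (172.16.20.1 on the left, 172.16.10.1 on the right) to use as source IP, and the link-B addresses 192.168.30.1 / 192.168.40.1 are placeholders, not the poster's.

```ini
# Added example, not the poster's configuration. Two subnet-to-subnet conns,
# one per link, replace the four host/subnet conns. Assumed addresses:
#   link A: 192.168.100.1 <-> 192.168.200.1  (from the thread)
#   link B: 192.168.30.1  <-> 192.168.40.1   (placeholders)
#   LANs:   172.16.20.0/24 (left, gw 172.16.20.1) <-> 172.16.10.0/24 (right, gw 172.16.10.1)

conn %default
    ikev2=insist
    authby=secret
    leftsubnet=172.16.20.0/24
    rightsubnet=172.16.10.0/24
    # Source IPs inside each subnet: traffic the gateways originate
    # themselves is then covered by the subnet-to-subnet policy, so the
    # separate host-subnet conns are not needed.
    leftsourceip=172.16.20.1
    rightsourceip=172.16.10.1
    # DPD: probe an idle peer every 10 s; when it is declared dead, tear the
    # SA down (so its XFRM state disappears) and keep trying to bring it back.
    dpddelay=10
    dpdaction=restart
    auto=start

conn linkA
    left=192.168.100.1
    right=192.168.200.1
    # XFRM priority: lower number wins, so this policy is used while both
    # tunnels are up.
    priority=1000

conn linkB
    left=192.168.30.1
    right=192.168.40.1
    # Backup: same selectors, higher number, only used once linkA's
    # policy/state is gone.
    priority=2000
```

After `ipsec restart`, `ip xfrm policy show` should list both policy pairs for 172.16.20.0/24 <-> 172.16.10.0/24 with the priority values above; with identical selectors the kernel picks the numerically lowest priority, which is what makes linkA the preferred path. To exercise the failover, block link A's peer and watch `ipsec status` (or the log) for the DPD timeout on linkA, then confirm with `ip xfrm state` that only linkB's SAs remain and that traffic between the subnets continues.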

