[Swan] Failover VPN subnet to subnet using different links

antonio asilva at wirelessmundi.com
Wed Jul 26 18:25:47 EEST 2023


Hi Paul,

Thanks for the reply. 

Sorry I couldn’t explain myself better, I will try again :)

In my setup I’m trying to have a fully redundant subnet-to-subnet tunnel using only IPsec tunnels between two servers.
The two servers manage two different internet providers; if one of them fails, the connection between the subnets is not interrupted, as at least one of the links should be UP.

I’ve set up a virtual environment with two Debian hosts to capture logs and better reproduce the entire setup.
I’m using libreswan version 4.11, but if you want I can install the git version.


VM1:
	ip 192.168.100.1 * link provider 1
	ip 192.168.200.1 * link provider 2
	ip 172.16.20.1 * the subnet

VM2:
	ip 192.168.100.2 * link provider 1
	ip 192.168.200.2 * link provider 2
	ip 172.16.10.1  * the subnet


For a full redundancy on 2 links I need 4 tunnels:

tunnel1
192.168.100.1  <---> 192.168.100.2 
172.16.20.0 < = > 172.16.10.0
priority 1

tunnel2
192.168.200.1  <---> 192.168.200.2 
172.16.20.0 < = > 172.16.10.0
priority 2

tunnel3
192.168.200.1  <---> 192.168.100.2 
172.16.20.0 < = > 172.16.10.0
priority 3

tunnel4
192.168.100.1  <---> 192.168.200.2 
172.16.20.0 < = > 172.16.10.0
priority 4


tunnel1 and tunnel2 are UP. I’ve set priority 1 on tunnel1, but the XFRM rules are from tunnel2.

[16:51:39][lab2][/etc/ipsec.d]# ip xfrm p
src 172.16.20.0/24 dst 172.16.10.0/24 
	dir out priority 2 ptype main 
	tmpl src 192.168.200.1 dst 192.168.200.2
		proto esp reqid 16393 mode tunnel
src 172.16.10.0/24 dst 172.16.20.0/24 
	dir fwd priority 2 ptype main 
	tmpl src 192.168.200.2 dst 192.168.200.1
		proto esp reqid 16393 mode tunnel
src 172.16.10.0/24 dst 172.16.20.0/24 
	dir in priority 2 ptype main 
	tmpl src 192.168.200.2 dst 192.168.200.1
		proto esp reqid 16393 mode tunnel

The last tunnel that comes up is the one that “wins” the XFRM. Not sure what is wrong with the priority; from the man page: "A lower value means a higher priority."



I’ve configured DPD:
	dpddelay=10
	dpdtimeout=30
	dpdaction=restart


I’ve dropped the connection on the remote VM; I see the DPD messages, but the XFRM policies don’t change.

ipsec whack --status

000 Connection list:
000  
000 "tunnel1": 172.16.20.0/24===192.168.100.1...192.168.100.2===172.16.10.0/24; erouted; eroute owner: #3
000 "tunnel1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "tunnel1":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "tunnel1":   our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "tunnel1":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "tunnel1":   sec_label:unset;
000 "tunnel1":   ike_life: 3600s; ipsec_life: 3600s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "tunnel1":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "tunnel1":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "tunnel1":   policy: IKEv1+PSK+ENCRYPT+TUNNEL+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "tunnel1":   conn_prio: 24,24; interface: enp0s8; metric: 0; mtu: unset; sa_prio:1; sa_tfc:none;
000 "tunnel1":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "tunnel1":   our idtype: ID_IPV4_ADDR; our id=192.168.100.1; their idtype: ID_IPV4_ADDR; their id=192.168.100.2
000 "tunnel1":   dpd: active; action:restart; delay:10s; timeout:30s
000 "tunnel1":   nat-traversal: encaps:auto; keepalive:20s; ikev1-method:rfc+drafts
000 "tunnel1":   newest ISAKMP SA: #1; newest IPsec SA: #3; conn serial: $1;
000 "tunnel1":   IKEv1 algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP2048
000 "tunnel1":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=<N/A>
000 "tunnel2": 172.16.20.0/24===192.168.200.1...192.168.200.2===172.16.10.0/24; prospective erouted; eroute owner: #0
000 "tunnel2":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "tunnel2":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "tunnel2":   our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "tunnel2":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "tunnel2":   sec_label:unset;
000 "tunnel2":   ike_life: 3600s; ipsec_life: 3600s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "tunnel2":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "tunnel2":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "tunnel2":   policy: IKEv1+PSK+ENCRYPT+TUNNEL+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "tunnel2":   conn_prio: 24,24; interface: enp0s9; metric: 0; mtu: unset; sa_prio:2; sa_tfc:none;
000 "tunnel2":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "tunnel2":   our idtype: ID_IPV4_ADDR; our id=192.168.200.1; their idtype: ID_IPV4_ADDR; their id=192.168.200.2
000 "tunnel2":   dpd: active; action:restart; delay:10s; timeout:30s
000 "tunnel2":   nat-traversal: encaps:auto; keepalive:20s; ikev1-method:rfc+drafts
000 "tunnel2":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $2;
000  
000 Total IPsec connections: loaded 2, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(3), half-open(1), open(1), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #1: "tunnel1":500 STATE_MAIN_I4 (IKE SA established); REPLACE in 2535s; newest; lastdpd=7s(seq in:5540 out:0); idle;
000 #3: "tunnel1":500 STATE_QUICK_I2 (IPsec SA established); REPLACE in 2562s; newest; eroute owner; ISAKMP SA #1; idle;
000 #3: "tunnel1" esp.c8fffb16 at 192.168.100.2 esp.87bef58e at 192.168.100.1 tun.0 at 192.168.100.2 tun.0 at 192.168.100.1 Traffic: ESPin=0B ESPout=84B ESPmax=2^63B 
000 #12: "tunnel2":500 STATE_MAIN_R1 (sent Main Mode R1); DISCARD in 2s; lastdpd=-1s(seq in:0 out:0); idle;
000 #13: "tunnel2":500 STATE_MAIN_I1 (sent Main Mode request); RETRANSMIT in 0s; nodpd; idle;
000 #13: pending Phase 2 for "tunnel2"
000  
000 Bare Shunt list:


XFRM P:
[16:56:43][lab2][/etc/ipsec.d]# ip xfrm p
src 172.16.20.0/24 dst 172.16.10.0/24 
	dir out priority 2 ptype main 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport

XFRM S:
[17:01:08][lab2][/etc/ipsec.d]# ip xfrm s
src 172.16.20.1 dst 172.16.10.1
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0 
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src 172.16.20.1/32 dst 172.16.10.1/32 proto icmp type 8 code 0 dev enp0s3 
src 192.168.100.2 dst 192.168.100.1
	proto esp spi 0x87bef58e reqid 16389 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha1) 0x479224f3839ec5dc99b9b238bdfddad88ded0390 96
	enc cbc(aes) 0x75ac526accf333cc3f9db5e86e2a6a5a
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 00000000 
src 192.168.100.1 dst 192.168.100.2
	proto esp spi 0xc8fffb16 reqid 16389 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha1) 0x014b31474e03a725576622e774a9e76f8769ad20 96
	enc cbc(aes) 0x8134cc311830cd4c9e3ad7d7f570fe07
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x1
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 00000000 



When I remove the drop rule on the remote side, tunnel2 comes up and the XFRM policies are added again for tunnel2.
[16:59:32][commsmundi][/etc/ipsec.d]# ip xfrm p
src 172.16.20.0/24 dst 172.16.10.0/24 
	dir out priority 2 ptype main 
	tmpl src 192.168.200.1 dst 192.168.200.2
		proto esp reqid 16393 mode tunnel
src 172.16.10.0/24 dst 172.16.20.0/24 
	dir fwd priority 2 ptype main 
	tmpl src 192.168.200.2 dst 192.168.200.1
		proto esp reqid 16393 mode tunnel
src 172.16.10.0/24 dst 172.16.20.0/24 
	dir in priority 2 ptype main 
	tmpl src 192.168.200.2 dst 192.168.200.1
		proto esp reqid 16393 mode tunnel




For tunnel3 and tunnel4 I also have another issue: they keep reconnecting… sometimes it connects tunnel1 and tunnel3; I restart ipsec and now it connects tunnel2 and tunnel4…

ipsec whack --status:
[17:20:20][lab2][/etc/ipsec.d]# ipsec whack --status
000 using kernel interface: xfrm
000  
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface enp0s3 UDP 192.168.10.26:4500
000 interface enp0s3 UDP 192.168.10.26:500
000 interface enp0s3 UDP 172.16.20.1:4500
000 interface enp0s3 UDP 172.16.20.1:500
000 interface enp0s8 UDP 192.168.100.1:4500
000 interface enp0s8 UDP 192.168.100.1:500
000 interface enp0s9 UDP 192.168.200.1:4500
000 interface enp0s9 UDP 192.168.200.1:500
000  
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/var/lib/ipsec/nss, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/usr/share/dns/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=4.11-1, pluto_vendorid=OE-Libreswan-4.11-1, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug:
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10, <unset-subnet>
000  
000 Kernel algorithms supported:
000  
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 Connection list:
000  
000 "tunnel1": 172.16.20.0/24===192.168.100.1...192.168.100.2===172.16.10.0/24; erouted; eroute owner: #2054
000 "tunnel1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "tunnel1":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "tunnel1":   our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "tunnel1":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "tunnel1":   sec_label:unset;
000 "tunnel1":   ike_life: 3600s; ipsec_life: 3600s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "tunnel1":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "tunnel1":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "tunnel1":   policy: IKEv1+PSK+ENCRYPT+TUNNEL+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "tunnel1":   conn_prio: 24,24; interface: enp0s8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "tunnel1":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "tunnel1":   our idtype: ID_IPV4_ADDR; our id=192.168.100.1; their idtype: ID_IPV4_ADDR; their id=192.168.100.2
000 "tunnel1":   dpd: active; action:restart; delay:10s; timeout:30s
000 "tunnel1":   nat-traversal: encaps:auto; keepalive:20s; ikev1-method:rfc+drafts
000 "tunnel1":   newest ISAKMP SA: #2052; newest IPsec SA: #2054; conn serial: $1;
000 "tunnel1":   IKEv1 algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP2048
000 "tunnel1":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=<N/A>
000 "tunnel2": 172.16.20.0/24===192.168.200.1...192.168.200.2===172.16.10.0/24; unrouted; eroute owner: #0
000 "tunnel2":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "tunnel2":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "tunnel2":   our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "tunnel2":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "tunnel2":   sec_label:unset;
000 "tunnel2":   ike_life: 3600s; ipsec_life: 3600s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "tunnel2":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "tunnel2":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "tunnel2":   policy: IKEv1+PSK+ENCRYPT+TUNNEL+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "tunnel2":   conn_prio: 24,24; interface: enp0s9; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "tunnel2":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "tunnel2":   our idtype: ID_IPV4_ADDR; our id=192.168.200.1; their idtype: ID_IPV4_ADDR; their id=192.168.200.2
000 "tunnel2":   dpd: active; action:restart; delay:10s; timeout:30s
000 "tunnel2":   nat-traversal: encaps:auto; keepalive:20s; ikev1-method:rfc+drafts
000 "tunnel2":   newest ISAKMP SA: #2; newest IPsec SA: #0; conn serial: $2;
000 "tunnel2":   IKEv1 algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP2048
000 "tunnel3": 172.16.20.0/24===192.168.200.1...192.168.100.2===172.16.10.0/24; prospective erouted; eroute owner: #0
000 "tunnel3":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "tunnel3":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "tunnel3":   our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "tunnel3":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "tunnel3":   sec_label:unset;
000 "tunnel3":   ike_life: 3600s; ipsec_life: 3600s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "tunnel3":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "tunnel3":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "tunnel3":   policy: IKEv1+PSK+ENCRYPT+TUNNEL+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "tunnel3":   conn_prio: 24,24; interface: enp0s9; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "tunnel3":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "tunnel3":   our idtype: ID_IPV4_ADDR; our id=192.168.200.1; their idtype: ID_IPV4_ADDR; their id=192.168.100.2
000 "tunnel3":   dpd: active; action:restart; delay:10s; timeout:30s
000 "tunnel3":   nat-traversal: encaps:auto; keepalive:20s; ikev1-method:rfc+drafts
000 "tunnel3":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $3;
000 "tunnel4": 172.16.20.0/24===192.168.100.1...192.168.200.2===172.16.10.0/24; unrouted; eroute owner: #0
000 "tunnel4":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "tunnel4":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "tunnel4":   our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "tunnel4":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "tunnel4":   sec_label:unset;
000 "tunnel4":   ike_life: 3600s; ipsec_life: 3600s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "tunnel4":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "tunnel4":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "tunnel4":   policy: IKEv1+PSK+ENCRYPT+TUNNEL+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "tunnel4":   conn_prio: 24,24; interface: enp0s8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "tunnel4":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "tunnel4":   our idtype: ID_IPV4_ADDR; our id=192.168.100.1; their idtype: ID_IPV4_ADDR; their id=192.168.200.2
000 "tunnel4":   dpd: active; action:restart; delay:10s; timeout:30s
000 "tunnel4":   nat-traversal: encaps:auto; keepalive:20s; ikev1-method:rfc+drafts
000 "tunnel4":   newest ISAKMP SA: #4; newest IPsec SA: #0; conn serial: $4;
000 "tunnel4":   IKEv1 algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP2048
000  
000 Total IPsec connections: loaded 4, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(3), half-open(0), open(0), authenticated(3), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #2052: "tunnel1":500 STATE_MAIN_I4 (IKE SA established); REPLACE in 2676s; newest; lastdpd=3s(seq in:27065 out:0); idle;
000 #2054: "tunnel1":500 STATE_QUICK_I2 (IPsec SA established); REPLACE in 2762s; newest; eroute owner; ISAKMP SA #2052; idle;
000 #2054: "tunnel1" esp.5d11b774 at 192.168.100.2 esp.ba1b3c59 at 192.168.100.1 tun.0 at 192.168.100.2 tun.0 at 192.168.100.1 Traffic: ESPin=1KB ESPout=1KB ESPmax=2^63B 
000 #2: "tunnel2":500 STATE_MAIN_I4 (IKE SA established); REPLACE in 2603s; newest; lastdpd=-1s(seq in:0 out:0); idle;
000 #4: "tunnel4":500 STATE_MAIN_I4 (IKE SA established); REPLACE in 2512s; newest; lastdpd=-1s(seq in:0 out:0); idle;
000  
000 Bare Shunt list:
000  





Do you think it is possible to do this? Or should I use a different approach?



—
Saludos / Regards / Cumprimentos
António Silva

> On 19 Jul 2023, at 17:59, Paul Wouters <paul at nohats.ca> wrote:
> 
> On Mon, 17 Jul 2023, antonio wrote:
> 
>> Subject: Re: [Swan] Failover VPN subnet to subnet using different links
>> Hi,
>> I finally did it with  4 tunnels and configured routing rules to reach each side.
>> Tunnel1: host - subnet
>>  192.168.100.1 <--> 192.168.200.1 subnet:  172.16.10.0/24
>> Tunnel2: host - subnet
>>  192.168.300.1 <--> 192.168.400.1 subnet:  172.16.10.0/24
>> Tunnel3: subnet - host
>> 192.168.100.1 subnet 172.16.20.0/24  <--> 192.168.200.1
>> Tunnel4: subnet - host
>> 192.168.300.1 subnet 172.16.20.0/24  <--> 192.168.400.1
> 
> If you set leftsourceip=192.168.100.1 and leftsourceip=192.168.300.1,
> then you can reduce those 4 tunnels to 2 tunnels, you won't need the
> host-subnet tunnels.
> 
>> To avoid having an external monitoring script, Is it possible to have all the simultaneous connections and only with DPD + priority
>> to handle the availability of the connection?
> 
> I'm having difficulty reading that sentence. DPD works on a per-peer
> basis, but it triggers on a per (idle) connection basis.
> 
> If you set the priority, your favourite tunnel should "win" at the XFRM
> level. Once DPD kicks in, the tunnel will be removed from kernel XFRM
> state and so the other tunnel should receive the packet for encryption
> and sending.
> 
> Paul
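Since the whole thread turns on which policy wins the XFRM lookup for a given selector, here is an added checker (example code, not part of the original post or of libreswan) that parses `ip xfrm policy` output in the format shown above, picks the lowest-priority-value policy per (src, dst, dir) selector, and reports any selector not served by the expected primary link or left with no SA bound. The samples are constructed from the post's output, and the assumption that tunnel1 over the 192.168.100.x link is the intended primary is encoded in EXPECTED_PRIMARY.

```python
import re

# Constructed samples in the `ip xfrm policy` format shown in the post.
# Steady state from the post: tunnel2 (sa_prio 2) owns all three policies.
XFRM_TUNNEL2_OWNS = """\
src 172.16.20.0/24 dst 172.16.10.0/24
\tdir out priority 2 ptype main
\ttmpl src 192.168.200.1 dst 192.168.200.2
\t\tproto esp reqid 16393 mode tunnel
src 172.16.10.0/24 dst 172.16.20.0/24
\tdir fwd priority 2 ptype main
\ttmpl src 192.168.200.2 dst 192.168.200.1
\t\tproto esp reqid 16393 mode tunnel
src 172.16.10.0/24 dst 172.16.20.0/24
\tdir in priority 2 ptype main
\ttmpl src 192.168.200.2 dst 192.168.200.1
\t\tproto esp reqid 16393 mode tunnel
"""
# After the remote side was dropped: only a policy with no SA template endpoints remains.
XFRM_AFTER_DROP = """\
src 172.16.20.0/24 dst 172.16.10.0/24
\tdir out priority 2 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 0 mode transport
"""
# Assumption: tunnel1 over the 192.168.100.x link is the intended primary.
# For in/fwd the template runs from the remote endpoint to the local one.
EXPECTED_PRIMARY = {
    "out": ("192.168.100.1", "192.168.100.2"),
    "in":  ("192.168.100.2", "192.168.100.1"),
    "fwd": ("192.168.100.2", "192.168.100.1"),
}

def parse_policies(text):
    """One dict per policy block; an unindented 'src ... dst ...' line starts a block."""
    policies, cur = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:
            cur = {"src": m[1], "dst": m[2], "dir": None, "priority": None,
                   "tmpl": None, "reqid": None, "mode": None}
            policies.append(cur)
        elif cur is not None:
            if (m := re.search(r"dir (\w+) priority (\d+)", line)):
                cur["dir"], cur["priority"] = m[1], int(m[2])
            elif (m := re.search(r"tmpl src (\S+) dst (\S+)", line)):
                cur["tmpl"] = (m[1], m[2])
            elif (m := re.search(r"reqid (\d+) mode (\w+)", line)):
                cur["reqid"], cur["mode"] = int(m[1]), m[2]
    return policies

def winners(policies):
    """Per (src, dst, dir) selector, the lowest priority value wins the XFRM lookup."""
    best = {}
    for p in policies:
        key = (p["src"], p["dst"], p["dir"])
        if key not in best or p["priority"] < best[key]["priority"]:
            best[key] = p
    return best

def check_failover(text, expected=EXPECTED_PRIMARY):
    """Findings for selectors not served by the expected primary; [] means all good."""
    findings = []
    for (src, dst, d), p in sorted(winners(parse_policies(text)).items()):
        where = f"{d} {src}->{dst}"
        if p["reqid"] in (0, None) or p["tmpl"] in (None, ("0.0.0.0", "0.0.0.0")):
            findings.append(f"{where}: no SA bound (reqid 0, template endpoints unset)")
        elif p["tmpl"] != expected.get(d):
            findings.append(f"{where}: served by {p['tmpl'][0]}->{p['tmpl'][1]} "
                            f"prio {p['priority']}, expected {expected[d][0]}->{expected[d][1]}")
    return findings
```

Feed it the live output (`ip xfrm policy`) from cron or a monitoring agent to alert when the backup link silently owns the selector or when a selector is left without an SA after DPD.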
