<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>Hi all,</p>
<p><br>
</p>
<p>I'm trying to create a connection between my local network and an AWS VPC with failover or HA using libreswan, but I don't know how to do it.</p>
<p><br>
</p>
<p>Try #1: Just create 2 tunnels, bring both up and wait for success. Fail.</p>
<p>When I bring up tunnel 1, it works well. But the second tunnel fails because it is not possible to add 2 routes to the same subnet at the same time. Log:</p>
<p><br>
</p>
<p></p>
<div><span style="font-family: 'Courier New', monospace;">117 "aws-t2" #5: STATE_QUICK_I1: initiate</span></div>
<div><span style="font-family: 'Courier New', monospace;">003 "aws-t2" #5: cannot install eroute -- it is in use for "aws-t1" #3</span></div>
<div><span style="font-family: 'Courier New', monospace;">032 "aws-t2" #5: STATE_QUICK_I1: internal error</span></div>
<br>
<p></p>
<p>Try #2: use the "<span>overlapip" and "<span>metric" options. In my mind it would work because both tunnels have equal routes, but with different metrics. Fail.<br>
When both tunnels were up, the packets went up through one tunnel and came down through the other. I don't know why, but the packets were not forwarded.</span></span></p>
<p><span><span><br>
</span></span></p>
<p><span><span><br>
</span></span></p>
<p><span><span>Try #3: find some feature to configure a failover. When one tunnel goes down, the other comes up. Fail.</span></span></p>
<p><span><span>I didn't find out how to do this.</span></span></p>
<p><br>
</p>
<p><br>
</p>
<p>Can someone help me?</p>
<p><br>
</p>
<p><br>
</p>
<p>=================================</p>
<p>Config files:</p>
<p>------ Try #1 ---------</p>
<p></p>
<div>conn aws-t1</div>
<div>        authby=secret</div>
<div>        auto=start</div>
<div>        left=%defaultroute</div>
<div>        leftid=LOCAL_IP_1</div>
<div>        right=AWS_Peer_1</div>
<div>        type=tunnel</div>
<div>        ikelifetime=8h</div>
<div>        keylife=1h</div>
<div>        phase2alg=aes128-sha1;modp1024</div>
<div>        ike=aes128-sha1;modp1024</div>
<div>        auth=esp</div>
<div>        keyingtries=%forever</div>
<div>        keyexchange=ike</div>
<div>        leftsubnet=0.0.0.0/0</div>
<div>        rightsubnet=172.21.0.0/16</div>
<div>        dpddelay=5</div>
<div>        dpdtimeout=10</div>
<div>        dpdaction=restart_by_peer</div>
<div>conn aws-t2</div>
<div>        authby=secret</div>
<div>        auto=start</div>
<div>        left=%defaultroute</div>
<div>        leftid=LOCAL_IP_1</div>
<div>        right=AWS_Peer_2</div>
<div>        type=tunnel</div>
<div>        ikelifetime=8h</div>
<div>        keylife=1h</div>
<div>        phase2alg=aes128-sha1;modp1024</div>
<div>        ike=aes128-sha1;modp1024</div>
<div>        auth=esp</div>
<div>        keyingtries=%forever</div>
<div>        keyexchange=ike</div>
<div>        leftsubnet=0.0.0.0/0</div>
<div>        rightsubnet=172.21.0.0/16</div>
<div>        dpddelay=5</div>
<div>        dpdtimeout=10</div>
<div>        dpdaction=restart_by_peer</div>
<br>
<p></p>
<p><br>
</p>
<p><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">------ Try #2 ---------</span></p>
<p></p>
<div>conn aws-t1</div>
<div>        [...]  # Same as try #1</div>
<div>        metric=1</div>
<div>        overlapip=yes</div>
<div>        </div>
<div>conn aws-t2</div>
<div>        [...] # Same as try #1</div>
<div>        metric=2</div>
<div>        overlapip=yes</div>
<p></p>
<p><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<p></p>
<div>--</div>
<div><br>
</div>
<div>Eduardo Fontinelle <br>
<br>
</div>
<br>
<p></p>
</div>
</div>
</div>
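<p>A pre-flight check for the situation in Try #1, added here as an example and not part of the original message or of libreswan: it parses ipsec.conf-style text and lists conns that declare the same leftsubnet/rightsubnet pair, which is the condition behind the "cannot install eroute -- it is in use" log line above. The function names and the sample text are assumptions made for illustration; conns without explicit subnets and <code>also=</code> includes are not handled.</p>

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the two conns from Try #1, cut down to the relevant keys.
SAMPLE_CONF = """\
conn aws-t1
        right=AWS_Peer_1
        leftsubnet=0.0.0.0/0
        rightsubnet=172.21.0.0/16
conn aws-t2
        right=AWS_Peer_2
        leftsubnet=0.0.0.0/0
        rightsubnet=172.21.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None  # keys under "config setup" belong to no conn
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def selector(opts):
    """Normalised (leftsubnet, rightsubnet), or None if either is missing or invalid."""
    try:
        return tuple(str(ipaddress.ip_network(opts[k], strict=False))
                     for k in ("leftsubnet", "rightsubnet"))
    except (KeyError, ValueError):
        return None

def shared_selectors(text):
    """List (leftsubnet, rightsubnet, [conn names]) for selectors used by 2+ conns."""
    groups = defaultdict(list)
    for name, opts in parse_conns(text).items():
        sel = selector(opts)
        if sel:
            groups[sel].append(name)
    return [(l, r, names) for (l, r), names in groups.items() if len(names) > 1]

if __name__ == "__main__":
    for left, right, names in shared_selectors(SAMPLE_CONF):
        print(f"{left} to {right} is claimed by {', '.join(names)}")
```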
</body>
</html>