<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br><a href="https://libreswan.org/wiki/High_Availability_/_Failover_VPN_in_AWS_using_libreswan">https://libreswan.org/wiki/High_Availability_/_Failover_VPN_in_AWS_using_libreswan</a></div><div><br></div><div>Or look at VTI </div><div><br></div><div><a href="https://libreswan.org/wiki/Route-based_VPN_using_VTI">https://libreswan.org/wiki/Route-based_VPN_using_VTI</a></div><div><br><div>Sent from my iPhone</div></div><div><br>On Apr 11, 2017, at 15:41, Eduardo Oliveira <<a href="mailto:eduardo.oliveira@gerencianet.com.br">eduardo.oliveira@gerencianet.com.br</a>> wrote:<br><br></div><blockquote type="cite"><div>




<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>Hi all,</p>
<p><br>
</p>
<p>I'm trying to create a connection between my local network and an AWS VPC with failover or HA using libreswan, but I don't know how to do it. </p>
<p><br>
</p>
<p>Try #1: Just create 2 tunnels, bring both up and wait for success. Fail.</p>
<p>When I bring up tunnel 1, it works well. But the second tunnel fails because it is not possible to add 2 routes to the same subnet at the same time. Log: </p>
<p><br>
</p>
<pre>117 "aws-t2" #5: STATE_QUICK_I1: initiate
003 "aws-t2" #5: cannot install eroute -- it is in use for "aws-t1" #3
032 "aws-t2" #5: STATE_QUICK_I1: internal error
</pre>
<p>Try #2: use the "overlapip" and "metric" options. In my mind it would work because both tunnels have equal routes, but with different metrics. Fail.<br>
When both tunnels were up, the packets went out using one tunnel and came back using the other. I don't know why, but the packets were not forwarded.</p>
<p><br>
</p>
<p><br>
</p>
<p>Try #3: find some feature to configure a failover. When one tunnel goes down, the other comes up. Fail.</p>
<p>I didn't find how to do this.</p>
<p><br>
</p>
<p><br>
</p>
<p>Can someone help me?</p>
<p><br>
</p>
<p><br>
</p>
<p>=================================</p>
<p>Config files:</p>
<p>------ Try #1 ---------</p>
<pre>conn aws-t1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=LOCAL_IP_1
        right=AWS_Peer_1
        type=tunnel
        ikelifetime=8h
        keylife=1h
        phase2alg=aes128-sha1;modp1024
        ike=aes128-sha1;modp1024
        auth=esp
        keyingtries=%forever
        keyexchange=ike
        leftsubnet=0.0.0.0/0
        rightsubnet=172.21.0.0/16
        dpddelay=5
        dpdtimeout=10
        dpdaction=restart_by_peer

conn aws-t2
        authby=secret
        auto=start
        left=%defaultroute
        leftid=LOCAL_IP_1
        right=AWS_Peer_2
        type=tunnel
        ikelifetime=8h
        keylife=1h
        phase2alg=aes128-sha1;modp1024
        ike=aes128-sha1;modp1024
        auth=esp
        keyingtries=%forever
        keyexchange=ike
        leftsubnet=0.0.0.0/0
        rightsubnet=172.21.0.0/16
        dpddelay=5
        dpdtimeout=10
        dpdaction=restart_by_peer
</pre>
<p><br>
</p>
<p><br>
</p>
<p>------ Try #2 ---------</p>
<pre>conn aws-t1
        [...]  # Same as Try #1
        metric=1
        overlapip=yes

conn aws-t2
        [...]  # Same as Try #1
        metric=2
        overlapip=yes
</pre>
<p><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<p></p>
<div>--</div>
<div><br>
</div>
<div>Eduardo Fontinelle <br>
<br>
</div>
<br>
<p></p>
</div>
</div>
</div>


</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Swan mailing list</span><br><span><a href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a></span><br><span><a href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a></span><br></div></blockquote></body></html>