[strongSwan] Redundant ASA 5505's to single Strongswan 5.4.0

2016-05-18 Thread Eric Germann
Colleagues,

Running Strongswan 5.4.0 in AWS and have a customer who wants to terminate 
their VPN tunnel on a pair of ASA 5505’s running active/standby on two separate 
adjacent IP’s (two different datacenters in the same city with redundant providers 
running BGP).

I’m trying to think this through on the Strongswan side of things.  Since the 
devices will mirror their configs (sans the external IP), the connection 
parameters should be the same.

If I do a range of IP’s for the “right” parameter, am I correct in 
understanding it will accept from either IP?

Obviously, their end which is active will be the initiator and we’ll answer 
appropriately, but if WE need to be the initiator, does Strongswan cycle 
through the range of IP’s specified in the right parameter to connect to them 
or does it randomly pick one to connect to?

Looking to swap experiences (even off list) with someone who has done something 
similar before.

Thanks in advance

EKG



___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Debugging a simple road warrior setup

2016-05-18 Thread Johannes Kastl
Hi all,

sorry for the noise, found the issue.

On 17.05.16 21:05 Johannes Kastl wrote:
> But neither my /var/log/charon.log nor /var/log/messages contain
> anything that I would recognize as an error.
> 
> The logs of the strongswan android app contain this line:
> ... giving up after 3 retransmits
> ... peer not responding, trying again (2/0)

Adding the fragmentation=yes option allowed me to connect from android
using the Strongswan app, so I guess the general setup seems to be ok.

Will try to connect from OSX with IKEv1 and then try to get the
networking and routing done...

Johannes



