Hi Paul,
I get the first part to be able to avoid conflicts using mark=, and use
DPD and _updown scripts to switch from one tunnel to another if needed.
Question is what exactly I should do in the _updown script to switch
routing to secondary tunnel?
Also, do you mean KLIPS is dead? It was my best hope!
Thanks,
François.
On 2016-01-14 20:28, Paul Wouters wrote:
> On Thu, 14 Jan 2016, François wrote:
>
> > My "destination" server has two WANs, and I want to create two ipsec
> > tunnels from the "source" to each of these WANs, and have failover in
> > case one of the destination WANs goes down. The src and dst subnets
> > would be the same in both tunnels.
> >
> > I was wondering what would be the recommended way to configure this
> > type of failover. Ideally both tunnels would be connected, and if one
> > goes down the secondary tunnel would take over immediately while the
> > first tunnel tries to reconnect (with dead-peer-detection or similar).
>
> You can use the new mark= option to install identical IPsec SAs without
> these conflicting. Using DPD to ensure broken tunnels are torn down should
> then cause the failover to the other IPsec SA.
>
> This might still need some support in _updown.netkey.
>
> > Maybe some external script could detect failures and quickly change
> > routes. I'm using NETKEY tho, so not sure if it can be done with "ip
> > xfrm" and such tools. Would I have to switch to KLIPS to have this
> > type of flexibility (being able to use "ip route" tools instead)?
>
> No, don't use ip xfrm directly or KLIPS.
>
> Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
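The approach Paul sketches above (two identical conns kept apart by mark=, DPD tearing the dead one down, the switch itself done from the updown hook) as an added example; it is not from the thread and not libreswan's own code. It is a leftupdown= wrapper in POSIX sh. Pluto really does export PLUTO_VERB, PLUTO_CONNECTION, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT to the script; everything else is an assumption for this example: the conn names wan1/wan2, mark values 1 and 2, a mangle chain IPSEC_FAILOVER that OUTPUT and PREROUTING already jump to, the state directory, the stock script path, and the premise that a conn's outbound xfrm policy only matches packets carrying that conn's fwmark, so failover means re-marking packets rather than touching ip xfrm (which Paul advises against).

```shell
#!/bin/sh
# Added example (not from the thread, not libreswan's own code): a leftupdown=
# wrapper for two conns that carry the same subnets with different mark= values.
# Pluto exports PLUTO_VERB, PLUTO_CONNECTION, PLUTO_MY_CLIENT and
# PLUTO_PEER_CLIENT; the conn names, mark values, chain name, state directory
# and stock script path below are assumptions made for this example.

PRIMARY_CONN=${PRIMARY_CONN:-wan1}
PRIMARY_MARK=${PRIMARY_MARK:-1}
SECONDARY_CONN=${SECONDARY_CONN:-wan2}
SECONDARY_MARK=${SECONDARY_MARK:-2}
MARK_CHAIN=${MARK_CHAIN:-IPSEC_FAILOVER}     # mangle chain OUTPUT/PREROUTING jump to (assumed to exist)
STATE_DIR=${STATE_DIR:-/run/ipsec-failover}  # one file per conn: "1" = child SA is up
STOCK_UPDOWN=${STOCK_UPDOWN:-/usr/libexec/ipsec/_updown}  # distro-dependent path, assumption
DRY_RUN=${DRY_RUN:-0}                        # 1 = print the iptables commands instead of running them

set_state() { mkdir -p "$STATE_DIR"; printf '%s' "$2" > "$STATE_DIR/$1"; }
get_state() { cat "$STATE_DIR/$1" 2>/dev/null || printf '0'; }

# Which conn should carry traffic: the primary whenever it is up, otherwise the
# secondary, otherwise nothing. Prints the mark= value or "none".
choose_mark() {
  if [ "$(get_state "$PRIMARY_CONN")" = 1 ]; then
    printf '%s' "$PRIMARY_MARK"
  elif [ "$(get_state "$SECONDARY_CONN")" = 1 ]; then
    printf '%s' "$SECONDARY_MARK"
  else
    printf 'none'
  fi
}

# Emit the iptables commands that re-mark packets between the two subnets so
# they match the xfrm policy of the chosen conn. With "none" the chain is only
# flushed, so traffic carries no mark and matches neither tunnel's policy.
mark_commands() {
  mark=$1; local_net=$2; remote_net=$3
  printf 'iptables -t mangle -F %s\n' "$MARK_CHAIN"
  if [ "$mark" != none ]; then
    printf 'iptables -t mangle -A %s -s %s -d %s -j MARK --set-mark %s\n' \
      "$MARK_CHAIN" "$local_net" "$remote_net" "$mark"
  fi
}

# Entry point pluto calls once per verb. The stock script still does its own
# work (routes and so on) first; then we record SA state and repoint the mark.
updown() {
  if [ "$DRY_RUN" != 1 ] && [ -x "$STOCK_UPDOWN" ]; then
    "$STOCK_UPDOWN" || return 1
  fi
  case "$PLUTO_VERB" in
    up-client)   set_state "$PLUTO_CONNECTION" 1 ;;
    down-client) set_state "$PLUTO_CONNECTION" 0 ;;
    *)           return 0 ;;   # prepare-client, route-client, up-host, ... need no action here
  esac
  cmds=$(mark_commands "$(choose_mark)" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT")
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$cmds"
  else
    printf '%s\n' "$cmds" | sh -e
  fi
}

# When pluto runs this file as leftupdown=, PLUTO_VERB is set and we act on it.
if [ -n "$PLUTO_VERB" ]; then
  updown
fi
```

Point both conns at this file with leftupdown= and give them the same left/rightsubnet, different mark= values and dpddelay=/dpdtimeout=/dpdaction=restart; when DPD tears the primary's child SA down, pluto runs the script with down-client, the state file flips, and the mangle rule is rewritten to the secondary's mark in the same call. When the primary comes back, its up-client call moves the mark back.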