On Sat, 19 May 2018, Dale Dellutri wrote:
> I am running libreswan version 3.20 release 5.el7_4 on CentOS 7,
> and I have established a VPN to a remote office. There is also a
> dedicated line and a static route on another server to this same
> office. We prefer to use the dedicated line.
> If both the static route and the VPN were in the same server, would
> there be any way to set up the VPN to automatically take over traffic
> from the static route if the dedicated line dies?
Yes. You can configure the IPsec SAs with different MARKs. That way,
both IPsec SAs for the same address ranges can be installed in the
kernel. It is then your job to ensure proper marking happens for
the traffic to flow through the proper IPsec SA. You might be able
to do this by setting up each conn with its own VTI device. Then
you only need to change routing to the proper device to send it over
the proper IPsec SA.
> If these were two static routes, I could simply have one, designated
> as a secondary, float above the primary; that is, make the secondary
> have a higher metric (administrative distance?) than the primary.
> But I can't even find the VPN route in the route table, so I don't
> even know how to mark the routes so that the VPN route floats above
> the static route. The VPN route does not show up in
> # ip route show
> Where are the VPN routes kept in CentOS 7?
You should be able to do that with VTI.
Note that the VTI kernel code has some limitations, such as you cannot
have more than one VTI device that does not have an explicit remote IP.
(that is, you cannot have both remote endpoints on dynamic IP addresses)
Paul
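One way to set this up along the lines Paul describes, as an added example that is not from the thread: the libreswan conn is bound to a VTI device (so its route is visible in `ip route`, unlike a plain policy-based tunnel whose selectors live under `ip xfrm policy`), the dedicated-line route gets the lower metric, and a small check reads `ip route show` output to report which path is currently active. Subnets, peer addresses, the device name and the metrics are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names and addresses:
# the conn uses a VTI device so its route sits in the normal routing table,
# and the two routes differ only in metric, so the VTI route is used only
# once the dedicated-line route has been withdrawn.

REMOTE_NET="10.20.0.0/16"   # constructed: remote office LAN
DEDICATED_GW="192.0.2.1"    # constructed: next hop on the dedicated line
VTI_IF="vti01"              # constructed: VTI device libreswan creates
PRIMARY_METRIC=10
BACKUP_METRIC=100

# libreswan conn stanza: mark= lets this SA coexist with another SA for the
# same subnets; vti-routing=no stops libreswan from adding its own route, so
# the metric chosen below stays under our control.
vti_conn() {
cat <<EOF
conn office-backup
    left=203.0.113.10
    leftsubnet=10.10.0.0/16
    right=198.51.100.20
    rightsubnet=$REMOTE_NET
    mark=10/0xffffffff
    vti-interface=$VTI_IF
    vti-routing=no
    auto=start
EOF
}

# Route commands: the kernel prefers the lower metric; when the dedicated
# interface goes down its route disappears and the VTI route takes over.
failover_routes() {
    printf 'ip route replace %s via %s metric %s\n' "$REMOTE_NET" "$DEDICATED_GW" "$PRIMARY_METRIC"
    printf 'ip route replace %s dev %s metric %s\n' "$REMOTE_NET" "$VTI_IF" "$BACKUP_METRIC"
}

# Check which path is active: pipe in `ip route show $REMOTE_NET` output and
# it prints the next hop (or device) of the lowest-metric route for that net.
active_path() {
    awk -v net="$1" '$1 == net {
        metric = 0
        for (i = 2; i <= NF; i++) if ($i == "metric") metric = $(i + 1) + 0
        if (best == "" || metric < best) { best = metric; path = $3 }
    } END { print path }'
}
```

The floating route only fires when the kernel actually removes the primary route (for example the dedicated interface losing link); a line that dies while its interface stays up needs a monitor that withdraws the route, otherwise traffic keeps following the dead path.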
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan