On Mon, 17 Jul 2023, antonio wrote:
Subject: Re: [Swan] Failover VPN subnet to subnet using different links
> Hi,
> I finally did it with 4 tunnels and configured routing rules to reach each
> side.
> Tunnel1: host - subnet
> 192.168.100.1 <--> 192.168.200.1 subnet: 172.16.10.0/24
> Tunnel2: host - subnet
> 192.168.300.1 <--> 192.168.400.1 subnet: 172.16.10.0/24
> Tunnel3: subnet - host
> 192.168.100.1 subnet 172.16.20.0/24 <--> 192.168.200.1
> Tunnel4: subnet - host
> 192.168.300.1 subnet 172.16.20.0/24 <--> 192.168.400.1
If you set leftsourceip=192.168.100.1 and leftsourceip=192.168.300.1,
then you can reduce those 4 tunnels to 2 tunnels, you won't need the
host-subnet tunnels.
> To avoid having an external monitoring script, is it possible to have all the
> simultaneous connections and only with DPD + priority
> to handle the availability of the connection?
I'm having difficulty reading that sentence. DPD works on a per-peer
basis, but it triggers on a per (idle) connection basis.
If you set the priority, your favourite tunnel should "win" at the XFRM
level. Once DPD kicks in, the tunnel will be removed from kernel XFRM
state and so the other tunnel should receive the packet for encryption
and sending.
Paul
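The two-conn layout Paul describes (leftsourceip instead of separate host-to-subnet tunnels, both conns up at once, priority deciding which one the kernel uses, DPD tearing the dead one down) written out as an ipsec.conf fragment. This is an added example, not configuration from the thread or from the Libreswan project. The subnets and the first uplink pair follow the thread; the second uplink pair 192.168.101.1/192.168.201.1 is substituted for the thread's placeholder 192.168.300.1/192.168.400.1 (those are not valid IPv4 addresses), and the subnet-side gateway addresses 172.16.20.1 and 172.16.10.1 are assumed. Option names are those of libreswan 4.x; check `man ipsec.conf` for your release before copying.

```conf
# Added example, not from the thread. Two parallel tunnels between the same
# pair of gateways over two different uplinks. Both are started; the kernel
# picks link1 while it is up, link2 when link1's policy is gone.

conn base
    # settings shared by both paths
    authby=secret
    leftsubnet=172.16.20.0/24
    rightsubnet=172.16.10.0/24
    # The gateway's own traffic into the tunnel is sourced from its
    # subnet-side address (assumed here), which is inside leftsubnet, so the
    # host-to-subnet conns are no longer needed. rightsourceip does the same
    # on the other side once libreswan has oriented the conn.
    leftsourceip=172.16.20.1
    rightsourceip=172.16.10.1
    # Liveness probing per peer pair. When the peer stops answering, the SAs
    # of this conn are removed from the kernel (and a new negotiation is
    # attempted), so the surviving conn's policy is the one packets match.
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart
    auto=start

conn link1
    also=base
    left=192.168.100.1
    right=192.168.200.1
    # lower number = higher precedence in the kernel XFRM policy lookup
    priority=1000

conn link2
    also=base
    # assumed addresses standing in for the thread's 192.168.300.1/192.168.400.1
    left=192.168.101.1
    right=192.168.201.1
    priority=2000
```

After `ipsec auto --up link1` and `--up link2`, confirm with `ip xfrm policy show` that two policies for 172.16.20.0/24 <-> 172.16.10.0/24 are actually installed and that their `priority` fields differ as configured; if only one appears, libreswan declined to install a second policy for the identical selector pair and the priority trick cannot work. Then pull the cable on link1 and watch `ipsec status` and the policy list: once DPD times out, link1's entries should disappear and traffic should start counting on link2's SAs (`ip xfrm state` byte counters), which is the check that replaces an external monitoring script.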
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan