Hi All, I'm looking into testing a solution to replace a setup involving Cisco ASAs providing VPN connectivity. The main requirement that has to be kept is having VPN failover (Active/Standby). On the head end ASA I define a peer list like "crypto map outside_map 1 set peer 100.1.1.1 200.2.2.2" where it will take a list of peers. If dead peer detection reports a peer as down, it will connect to the next peer.
What is the most elegant way to configure similar functionality with strongSwan? For an example setup, a remote site would have two VPN gateways (each with its own internet connection) with a common subnet behind them (also using SNAT here). I have the setup working so long as there is just one remote peer up at a time.

From reviewing list emails and documentation, I understand the Linux kernel can't handle matching IPsec policies at the head end. I've done a few tests using marks but I'm not sure that's the right method here. I've considered looking into making a custom updown script but wanted to see if there was anything else available before I started down that path. Also, I can't use clusterIP at the remote sites because the VPN gateways won't always be on the same networks (won't be able to reach each other directly).

I have attached a diagram showing a lab setup using CentOS 7 machines. Note in the diagram the lab setup has a layer 2 network between sites, although the end result would involve different layer 3 paths between sites. Image also available at http://i.imgur.com/oAOyxOV.jpg

Thank you for any input and advice!

    conn %default
            keyexchange=ikev2
            ike=aes128-sha1-modp1024!
            esp=aes128-sha1-modp1024!
            type=tunnel
            authby=secret
            mobike=no
            dpdaction=clear
            dpddelay=10s
            dpdtimeout=30s

    conn PRI-RTR
            leftid=192.168.56.1
            left=192.168.56.1
            leftsubnet=10.0.0.0/24
            right=192.168.56.10
            rightsubnet=10.80.80.0/24
            auto=start

    conn SEC-RTR
            leftid=192.168.56.1
            left=192.168.56.1
            leftsubnet=10.0.0.0/24
            right=192.168.56.20
            rightsubnet=10.80.80.0/24
            auto=start
Users mailing list: https://lists.strongswan.org/mailman/listinfo/users
