Hello Cody,

strongSwan doesn't support active-passive HA, only active-active. The reason is that ESP sequence numbers move too fast to synchronize in user space, so every member of the cluster needs to get each ESP packet to keep the sequence number status of the SAs in sync with the other side. strongSwan also doesn't have any provisions to automatically start another conn if one conn fails, or to connect to a different IP if the former connection failed. Maybe you can build something with pacemaker that is of general use for such scenarios, instead of writing a script.

What use do you intend for two redundant gateways (obviously in the same "place" or logical network), which can't reach each other in any way? I'm sure you mean that they won't be in the same layer two network on the WAN side all the time, but they surely will be on the LAN.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 04.08.2015 at 19:49, Cody Jarrett wrote:
> Hi All,
>
> I'm looking into testing a solution to replace a setup involving Cisco ASAs
> providing VPN connectivity. The main requirement that has to be kept is
> having VPN failover (Active/Standby). On the head end ASA I define a peer list
> like "crypto map outside_map 1 set peer 100.1.1.1 200.2.2.2" where it will
> take a list of peers. If dead peer detection reports a peer as down, it will
> connect to the next peer.
>
> What is the most elegant way to configure similar functionality with
> strongSwan? For an example setup, a remote site would have two VPN gateways
> (each with its own internet connection) with a common subnet behind them (also
> using SNAT here). I have the setup working so long as there is just one
> remote peer up at a time.
>
> From reviewing list emails and documentation, I understand the Linux kernel
> can't handle matching IPsec policies at the head end. I've done a few tests
> using marks but I'm not sure that's the right method here. I've considered
> looking into making a custom updown script but wanted to see if there was
> anything else available before I started down that path. Also, I can't use
> ClusterIP at the remote sites because the VPN gateways won't always be on the
> same networks (won't be able to reach each other directly).
>
> I have attached a diagram showing a lab setup using CentOS 7 machines. Note
> in the diagram the lab setup has a layer 2 network between sites, although
> the end result would involve different layer 3 paths between sites. Image
> also available at http://i.imgur.com/oAOyxOV.jpg
>
> Thank you for any input and advice!
>
> conn %default
>         keyexchange=ikev2
>         ike=aes128-sha1-modp1024!
>         esp=aes128-sha1-modp1024!
>         type=tunnel
>         authby=secret
>         mobike=no
>         dpdaction=clear
>         dpddelay=10s
>         dpdtimeout=30s
>
> conn PRI-RTR
>         leftid=192.168.56.1
>         left=192.168.56.1
>         leftsubnet=10.0.0.0/24
>         right=192.168.56.10
>         rightsubnet=10.80.80.0/24
>         auto=start
>
> conn SEC-RTR
>         leftid=192.168.56.1
>         left=192.168.56.1
>         leftsubnet=10.0.0.0/24
>         right=192.168.56.20
>         rightsubnet=10.80.80.0/24
>         auto=start
>
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
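Cody mentions a custom updown script as a fallback, and Noel confirms that strongSwan has no built-in option to start a second conn when the first one fails. The script below is an added example of how such a hook could be structured; it is not from the thread, from Noel, or from the strongSwan project. It uses the real updown interface (the hook named by `leftupdown=` is called with the event in `PLUTO_VERB` and the conn name in `PLUTO_CONNECTION`) and the conn names from Cody's posted config. It assumes the standby conn `SEC-RTR` is changed to `auto=add` rather than `auto=start`, so its policies are only installed once the hook brings it up; that sidesteps the duplicate `10.0.0.0/24 <-> 10.80.80.0/24` kernel policies Cody ran into when both conns were active at the same time. `IPSEC_CMD`, `PRIMARY_CONN` and `SECONDARY_CONN` are hypothetical knobs of this script, not strongSwan settings.

```shell
#!/bin/sh
# Hypothetical failover updown hook for strongSwan (added example; not from the
# list thread or the strongSwan project). Configure it on the head end with
#   leftupdown=/usr/local/sbin/ipsec-failover-updown
# in conn %default. charon calls it on every CHILD_SA up/down event with the
# event in PLUTO_VERB (up-client, down-client, ...) and the conn in PLUTO_CONNECTION.
# Assumption: SEC-RTR uses auto=add, so its policies are installed only when this
# hook brings it up, which avoids two identical policies to different peers.

IPSEC_CMD="${IPSEC_CMD:-ipsec}"          # overridable so the logic can be exercised offline
PRIMARY="${PRIMARY_CONN:-PRI-RTR}"       # conn names as in the posted ipsec.conf
SECONDARY="${SECONDARY_CONN:-SEC-RTR}"

# failover_target VERB CONN
# Prints the conn to bring up, or nothing if no action is needed.
# Only a CHILD_SA going away triggers a failover (with dpdaction=clear the SA is
# deleted when DPD fails); up-* events and unknown conns are ignored.
failover_target() {
    verb="$1"
    conn="$2"
    case "$verb" in
        down-client|down-host)
            case "$conn" in
                "$PRIMARY")   echo "$SECONDARY" ;;
                "$SECONDARY") echo "$PRIMARY" ;;
            esac
            ;;
    esac
}

# Entry point when invoked by charon. `ipsec up` is started in the background so
# the hook returns immediately and does not block charon's updown processing.
if [ -n "$PLUTO_VERB" ]; then
    target=$(failover_target "$PLUTO_VERB" "$PLUTO_CONNECTION")
    if [ -n "$target" ]; then
        logger -t ipsec-failover "$PLUTO_CONNECTION went down, bringing up $target"
        "$IPSEC_CMD" up "$target" >/dev/null 2>&1 &
    fi
fi
```

Two caveats a practitioner would check before using something like this: the hook fires for any CHILD_SA deletion, so a manual `ipsec down PRI-RTR` will also trigger a failover, and nothing fails back to the primary when it returns; and setting `leftupdown=` replaces the default `ipsec _updown` script, so if that script's route or firewall handling is relied on, this hook should call it as well.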
