[strongSwan] high availability with two redundant ipsec peers

Martin Willi martin at strongswan.org
Wed Mar 10 09:30:32 CET 2010


> the problem here is, as i know, i cannot configure two peers with the
> same leftsubnet...

You can't install two identical policies. One could, in theory, install
a single policy set with two sets of SAs. In the failover case, the
policies are migrated to the other set of SAs.
However, this is far from trivial and would require a lot of work to
implement in strongSwan.

> any ideas, how to use two wan connections with strongswan and failover
> on the same machine?

A simpler approach would be to establish the IPsec SAs on demand. In
normal operation, you'd have a tunnel on wan1. If you detect a failure
on wan1, close the tunnel and establish one via wan2.
To have a shorter failover timeout, you could even establish an IKE_SA
and do the authentication procedure in advance. Then you'd need a single
exchange only to establish the new IPsec SA on the backup link.
This would require some logic to do the handover in a failure case, and
of course, a mechanism to clearly detect link failures.

Best regards
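The on-demand scheme described in the reply (one conn per WAN link, only one of them up at a time, a link probe deciding when to move the tunnel), written out as a runnable controller. This is an added example and not strongSwan code or anything from this thread; the conn names peer-wan1/peer-wan2, the interfaces eth1/eth2, the addresses, and the ping_probe/ipsec_cmd/FailoverController names are all assumptions made for the illustration. It uses only the real `ipsec up <conn>` / `ipsec down <conn>` wrapper commands and iputils ping.

```python
"""Added example, not strongSwan code: keep one IPsec tunnel up over whichever
of two WAN links is healthy, following the on-demand approach from the reply.

Assumed ipsec.conf on the dual-WAN host (names and addresses are made up).
The two conns are identical except for left=, and auto=add loads them
without starting either, so no policy is installed until `ipsec up`:

    conn peer-wan1
        keyexchange=ikev2
        left=198.51.100.10        # our address on wan1
        leftsubnet=10.0.1.0/24
        right=203.0.113.1
        rightsubnet=10.0.2.0/24
        auto=add

    conn peer-wan2
        keyexchange=ikev2
        left=198.51.100.74        # our address on wan2
        leftsubnet=10.0.1.0/24
        right=203.0.113.1
        rightsubnet=10.0.2.0/24
        auto=add
"""
import subprocess
from collections import namedtuple

# One entry per WAN link: the conn to use, the interface to probe through and
# a probe target reached via that link (here the peer itself).
Link = namedtuple("Link", "name conn iface probe_target")

LINKS = [  # constructed table; list order is priority (wan1 preferred)
    Link("wan1", "peer-wan1", "eth1", "203.0.113.1"),
    Link("wan2", "peer-wan2", "eth2", "203.0.113.1"),
]


def ping_probe(link, timeout=1):
    """True if a single ICMP echo sent out of link.iface is answered.
    Relies on iputils ping: -I binds the source interface, -W is the wait."""
    res = subprocess.run(
        ["ping", "-I", link.iface, "-c", "1", "-W", str(timeout), link.probe_target],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def ipsec_cmd(verb, conn):
    """Run `ipsec up <conn>` or `ipsec down <conn>` through strongSwan's wrapper."""
    subprocess.run(["ipsec", verb, conn], check=True)


class FailoverController:
    """Keeps exactly one conn up, preferring links earlier in the list.
    Probes are debounced: `fail_after` consecutive failures before failover,
    `recover_after` consecutive successes before failback, to avoid flapping."""

    def __init__(self, links, probe=ping_probe, run=ipsec_cmd,
                 fail_after=3, recover_after=5):
        self.links = list(links)
        self.probe, self.run = probe, run
        self.fail_after, self.recover_after = fail_after, recover_after
        self.active = None  # Link currently carrying the tunnel
        self.bad = {link.name: 0 for link in self.links}
        self.good = {link.name: 0 for link in self.links}

    def _switch(self, target):
        """Tear the current conn down before bringing the new one up, so the
        old policy is gone before the new SAs install the same selectors."""
        actions = []
        if self.active is not None:
            self.run("down", self.active.conn)
            actions.append(("down", self.active.conn))
        self.run("up", target.conn)
        actions.append(("up", target.conn))
        self.active = target
        return actions

    def step(self):
        """Probe every link once, then reconcile. Returns the ipsec actions taken."""
        for link in self.links:
            if self.probe(link):
                self.good[link.name] += 1
                self.bad[link.name] = 0
            else:
                self.bad[link.name] += 1
                self.good[link.name] = 0

        if self.active is None:
            # Nothing up yet: take the first link whose last probe succeeded.
            for link in self.links:
                if self.good[link.name] > 0:
                    return self._switch(link)
            return []

        if self.bad[self.active.name] >= self.fail_after:
            # Active link is dead: move to the first other link that just answered.
            for link in self.links:
                if link is not self.active and self.good[link.name] > 0:
                    return self._switch(link)
            return []  # no healthy alternative; leave the tunnel to DPD

        # Active link is fine: fail back only to a preferred link that is stable.
        for link in self.links:
            if link is self.active:
                break
            if self.good[link.name] >= self.recover_after:
                return self._switch(link)
        return []
```

In production this would be driven by a loop calling `FailoverController(LINKS).step()` every couple of seconds. Two caveats: the remote peer has to accept the IKE_SA from either of the two local addresses (for example with right=%any or two conns of its own), and the down-before-up order in `_switch` is what guarantees the two identical leftsubnet/rightsubnet policies never coexist in the kernel. The shortcut mentioned in the reply, keeping a pre-authenticated IKE_SA on the backup link so only one CREATE_CHILD_SA exchange is needed, is not shown here.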
