[strongSwan] VPN Gateway Failover
Cody Jarrett
codyja at gmail.com
Tue Aug 4 19:49:02 CEST 2015
Hi All,
I'm looking into testing a solution to replace a setup involving Cisco
ASAs providing VPN connectivity. The main requirement that has to be kept
is having VPN failover (Active/Standby). On the head end ASA I define a peer
list like "crypto map outside_map 1 set peer 100.1.1.1 200.2.2.2" where it
will take a list of peers. If dead peer detection reports a peer as down,
it will connect to the next peer.
What is the most elegant way to configure similar functionality with
strongSwan? For an example setup, a remote site would have two VPN gateways
(each with its own internet connection) with a common subnet behind them (also
using SNAT here). I have the setup working so long as there is just one
remote peer up at a time.
From reviewing list emails and documentation, I understand the Linux kernel
can't handle matching IPsec policies at the head end. I've done a few tests
using marks but I'm not sure that's the right method here. I've considered
looking into making a custom updown script but wanted to see if there was
anything else available before I started down that path. Also, I can't use
ClusterIP at the remote sites because the VPN gateways won't always be on
the same networks (won't be able to reach each other directly).
I have attached a diagram showing a lab setup using CentOS 7 machines. Note
in the diagram the lab setup has a layer 2 network between sites, although
the end result would involve different layer 3 paths between sites. Image
also available at http://i.imgur.com/oAOyxOV.jpg
Thank you for any input and advice!
conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!
    type=tunnel
    authby=secret
    mobike=no
    dpdaction=clear
    dpddelay=10s
    dpdtimeout=30s

conn PRI-RTR
    leftid=192.168.56.1
    left=192.168.56.1
    leftsubnet=10.0.0.0/24
    right=192.168.56.10
    rightsubnet=10.80.80.0/24
    auto=start

conn SEC-RTR
    leftid=192.168.56.1
    left=192.168.56.1
    leftsubnet=10.0.0.0/24
    right=192.168.56.20
    rightsubnet=10.80.80.0/24
    auto=start
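As an added example (not from the original post or from the strongSwan project), here is a small POSIX shell controller for the head end that mimics the ASA peer list: it reads `ipsec status`, keeps exactly one of the two tunnels up so the kernel never sees two identical 10.0.0.0/24 to 10.80.80.0/24 policies, and, when neither is up, tries the peer after the one tried last. It assumes the connection names PRI-RTR and SEC-RTR from the config above, that both connections are changed to auto=add (so charon does not start both itself), and the constructed sample status text embedded in the script.

```shell
#!/bin/sh
# Constructed sample of `ipsec status` output (strongSwan charon format) so the
# decision logic can be exercised without a running daemon.
SAMPLE_PRI_UP='Security Associations (1 up, 0 connecting):
     PRI-RTR[1]: ESTABLISHED 12 seconds ago, 192.168.56.1[192.168.56.1]...192.168.56.10[192.168.56.10]
     PRI-RTR{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d4e5f6a7_o
     PRI-RTR{1}:   10.0.0.0/24 === 10.80.80.0/24'
SAMPLE_NONE='Security Associations (0 up, 0 connecting):'

# sa_state NAME STATUS_TEXT: prints ESTABLISHED, CONNECTING or DOWN for NAME's IKE_SA.
sa_state() {
    line=$(printf '%s\n' "$2" | grep "^ *$1\[[0-9]*\]: " | head -n 1)
    case "$line" in
        *ESTABLISHED*) echo ESTABLISHED ;;
        *CONNECTING*)  echo CONNECTING ;;
        *)             echo DOWN ;;
    esac
}

# next_action STATUS_TEXT LAST_TRIED: prints the command to run next, or "none".
# Policy: keep whichever tunnel is up; if both are up, drop SEC-RTR so only one
# 10.0.0.0/24<->10.80.80.0/24 policy is installed; if neither is up (e.g. after
# dpdaction=clear removed a dead SA), try the peer after the one tried last.
next_action() {
    pri=$(sa_state PRI-RTR "$1"); sec=$(sa_state SEC-RTR "$1")
    if [ "$pri" = ESTABLISHED ] && [ "$sec" = ESTABLISHED ]; then
        echo "ipsec down SEC-RTR"
    elif [ "$pri" = ESTABLISHED ] || [ "$sec" = ESTABLISHED ] \
         || [ "$pri" = CONNECTING ] || [ "$sec" = CONNECTING ]; then
        echo none          # a tunnel is up or still negotiating: leave it alone
    elif [ "$2" = PRI-RTR ]; then
        echo "ipsec up SEC-RTR"
    else
        echo "ipsec up PRI-RTR"
    fi
}

# Poll loop for the head end (interval in seconds as $1, default 10). Only runs
# when called explicitly, so sourcing this file never touches the daemon.
watch_peers() {
    last=""
    while :; do
        action=$(next_action "$(ipsec status)" "$last")
        case "$action" in
            "ipsec up "*)   last=${action#ipsec up }; $action ;;
            "ipsec down "*) $action ;;
        esac
        sleep "${1:-10}"
    done
}
```

The loop deliberately does not fail back to PRI-RTR while SEC-RTR is established; a preferred-peer check could be added to `next_action` if that behaviour is wanted.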