[strongSwan] VPN Gateway Failover

Noel Kuntze noel at familie-kuntze.de
Thu Aug 6 05:03:56 CEST 2015

Hello Cody,

strongSwan doesn't support active-passive HA, only active-active. The reason is
that ESP sequence numbers move too fast to synchronize in user space, so every member
of the cluster needs to get each ESP packet to keep the sequence number
status of the SAs in sync with the other side. strongSwan
also doesn't have any provisions to automatically start another conn if one conn fails,
or to connect to a different IP if the former connection failed.
Maybe you can build something with pacemaker that is of general use
for such scenarios, instead of writing a script.

What use do you intend for two redundant gateways (obviously in the same "place" or
logical network), which can't reach each other in any way? I'm sure
you mean that they won't be in the same layer two network on the WAN side all
the time, but they surely will be on the LAN.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 04.08.2015 at 19:49, Cody Jarrett wrote:
> Hi All,
> I'm looking into testing a solution to replace a setup involving Cisco ASAs providing VPN connectivity. The main requirement that has to be kept is having VPN failover (Active/Standby). On the head end ASA I define a peer list like "crypto map outside_map 1 set peer" where it will take a list of peers. If dead peer detection reports a peer as down, it will connect to the next peer.
> What is the most elegant way to configure similar functionality with Strongswan? For an example setup, a remote site would have two VPN gateways (each with own internet connection) with a common subnet behind them (also using SNAT here). I have the setup working so long as there is just one remote peer up at a time.
> From reviewing list emails and documentation, I understand the linux kernel can't handle matching IPsec policies at the head end. I've done a few tests using marks but I'm not sure that's the right method here. I've considered looking into making a custom updown script but wanted to see if there was anything else available before I started down that path. Also, I can't use clusterIP at the remote sites because the VPN gateways won't always be on the same networks (won't be able to reach each other directly).
> I have attached a diagram showing a lab setup using Centos 7 machines. Note in the diagram the lab setup has a layer 2 network between sites, although the end result would involve different layer 3 paths between sites. Image also available at http://i.imgur.com/oAOyxOV.jpg
> Thank you for any input and advice!
> conn %default
>     keyexchange=ikev2
>     ike=aes128-sha1-modp1024!
>     esp=aes128-sha1-modp1024!
>     type=tunnel
>     authby=secret
>     mobike=no
>     dpdaction=clear
>     dpddelay=10s
>     dpdtimeout=30s
> conn PRI-RTR
>     leftid=
>     left=
>     leftsubnet= <>
>     right=
>     rightsubnet= <>
>     auto=start
> conn SEC-RTR
>     leftid=
>     left=
>     leftsubnet= <>
>     right=
>     rightsubnet= <>
>     auto=start
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

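Added example (editor's note, not part of the thread and not strongSwan code): since, as Noel says, charon has no provision to start another conn or try another peer IP when the current one fails, the "connect to the next peer" behaviour of the ASA peer list has to live outside charon. The script below is one minimal shape for that on the remote-site gateway in Cody's diagram: it polls "ipsec status", and whenever neither conn has an IKE_SA that is established or being set up, it initiates the conn it did not try last. The conn names PRI-RTR and SEC-RTR are taken from the posted ipsec.conf; everything else (the poll interval, the status lines used as test input, the assumption that both conns are switched from auto=start to auto=add so that only the watchdog initiates them) is the editor's.

```bash
#!/bin/bash
# Added example, not part of the thread: a "next peer" watchdog for the
# remote-site gateway in Cody's setup. It emulates the ASA peer-list
# behaviour in user space, since (as of this thread) charon does not itself
# fall back to another conn when DPD clears the current one.
#
# Assumptions (not from the original post):
#   - conns PRI-RTR and SEC-RTR exist in ipsec.conf with identical subnets
#     and are configured auto=add (not auto=start), so that only this
#     watchdog decides which of the two is initiated;
#   - dpdaction=clear as in the posted config, so a dead peer leaves no
#     ESTABLISHED IKE_SA behind and the watchdog sees "nothing up".

PRIMARY_CONN="PRI-RTR"
SECONDARY_CONN="SEC-RTR"
INTERVAL=15          # seconds between "ipsec status" polls (assumed value)

# sa_in_state STATUS CONN STATES
# Succeeds if STATUS (the text printed by "ipsec status") contains an IKE_SA
# line for CONN whose state matches the ERE alternation STATES. IKE_SA lines
# look like:   PRI-RTR[3]: ESTABLISHED 2 minutes ago, 203.0.113.10[...]...
# while CHILD_SA lines use braces (PRI-RTR{1}: ...) and are ignored here.
sa_in_state() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2\[[0-9]+\]: ($3)"
}

# next_conn STATUS LAST
# Prints the conn to initiate next, or nothing if a tunnel is already up or
# being set up. LAST is the conn tried on the previous attempt; alternating
# between the two mirrors "if this peer is down, try the next one".
next_conn() {
    local status="$1" last="$2" conn
    for conn in "$PRIMARY_CONN" "$SECONDARY_CONN"; do
        if sa_in_state "$status" "$conn" "ESTABLISHED|CONNECTING|REKEYING|REKEYED"; then
            return 0
        fi
    done
    if [ "$last" = "$PRIMARY_CONN" ]; then
        echo "$SECONDARY_CONN"
    else
        echo "$PRIMARY_CONN"
    fi
}

# run_watchdog: poll charon and initiate the next conn whenever no tunnel is up.
# "ipsec up" blocks until the IKE_SA is established or initiation fails, so the
# next poll sees either ESTABLISHED or nothing and the loop moves on.
run_watchdog() {
    local last="" status target
    while :; do
        status="$(ipsec status 2>/dev/null)"
        target="$(next_conn "$status" "$last")"
        if [ -n "$target" ]; then
            logger -t ipsec-failover "no tunnel up, initiating $target"
            ipsec up "$target" >/dev/null 2>&1 || true
            last="$target"
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "./ipsec-failover.sh run"; sourcing the
# file just defines the functions so they can be exercised on captured output.
if [ "${1:-}" = "run" ]; then
    run_watchdog
fi
```

Two things this does not solve, both raised in the thread. First, it only deals with initiation at the remote site; the head end still needs a conn per remote peer, and since both carry the same rightsubnet, the stale policy of the dead peer has to be gone before the other peer's CHILD_SA can be installed, which is the "matching IPsec policies" problem Cody mentions and which the posted dpddelay/dpdtimeout values bound in time. Second, there is deliberately no automatic fail-back: tearing down a working SEC-RTR tunnel just to probe the primary costs an outage, so an operator runs "ipsec down SEC-RTR" when the primary path is known to be healthy and the loop then tries PRI-RTR first. If you follow Noel's pacemaker suggestion, this loop is roughly what a resource agent's monitor/start actions would wrap.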