[strongSwan] Strongswan and VTI

Frank Fiene ffiene at veka.com
Wed Feb 3 13:11:13 CET 2016 

Hi,

I am trying to build a failover VPN to two different external Gateways to German customs (Zivit).

I am running strongswan-5.1.2 on Ubuntu 15.10 (LTS had major problems with VTI, i think the problem was iproute).

Anyway, I am able to connect to both sites with IKEv1, the config looks like this:

###snip###
conn atlas
     keyexchange=ikev1
     ike=aes128-sha1-modp1024!
     ikelifetime=24h
     esp=aes128-sha1!
     keylife=1h
     rekeymargin=540s
     keyingtries=%forever
     type=tunnel
     compress=no
     dpdaction=restart
     dpddelay=30s
     dpdtimeout=120s
     authby=psk
     leftsubnet=0.0.0.0/0
     rightsubnet=0.0.0.0/0
     left=<internalIP>
     leftid=<externalIP>

conn atlas_vpn_1
     also=atlas
     right=195.243.136.117
     rightid=%any
     rightupdown=/usr/local/sbin/atlas_vpn_1_updown.sh
     mark=100
     auto=start

conn atlas_vpn_2
     also=atlas
     right=62.153.205.229
     rightid=%any
     mark=200
     auto=start
###snip###


I want to establish an automatic failover. I was wondering if this must be working with the VTI config i have, automatically:

###snip###
# Primary VTI tunnel to Zivit/Atlas
ip tunnel add vti0 local <internalIP> remote 195.243.136.117 mode vti key 100
ip link set vti0 up
ip address add 172.16.195.178 dev vti0
ip route add 172.16.195.177/32 dev vti0
ip route add 10.131.208.0/24 via 172.16.195.177 metric 10

# Secondary VTI tunnel to Zivit/Atlas
ip tunnel add vti1 local <internalIP> remote 62.153.205.229 mode vti key 200
ip link set vti1 up
ip address add 172.16.195.182 dev vti1
ip route add 172.16.195.181/32 dev vti1
ip route add 10.131.208.0/24 via 172.16.195.181 metric 20
###snip###


But if the primary VPN goes down, nothing happens until I set vita down.

Do I have to do this in a uptown script?

I’ve tried, but my script as in the example above is never be executed.

How to debug?



Kind regards!
Frank
--
Frank Fiene
IT-Security Manager VEKA Group

Fon: +49 2526 29-6200
Fax: +49 2526 29-16-6200
mailto: ffiene at veka.com
http://www.veka.com

PGP-ID: 62112A51
PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
Threema: VZK5NDWW

VEKA AG
Dieselstr. 8
48324 Sendenhorst
Deutschland/Germany

Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
HRB 8282 AG Münster/District Court of Münster

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160203/1496dee0/attachment.pgp>

More information about the Users mailing list