[strongSwan] Strongswan and VTI

Frank Fiene ffiene at veka.com
Wed Feb 3 13:38:23 CET 2016

> On 03.02.2016 at 13:26, Noel Kuntze <noel at familie-kuntze.de> wrote:
> Hello Frank,
>> rightupdown=/usr/local/sbin/atlas_vpn_1_updown.sh
> That option doesn't exist. Use leftupdown.

Really? Are you sure? I got this from the documentation wiki.

>> I want to establish an automatic failover. I was wondering if this must be working with the VTI config I have, automatically:
> Either fiddle with DPD or write your own monitor application that fails over the tunnels.
> leftupdown is only executed when the IKE_SAs or the CHILD_SAs go up or down.

Yes, if I block the communication to the first external VPN gateway, the first VPN goes down after some time.

But the script has not been executed. Of course I tried leftupdown, too. :-D

> You probably want to fail over when you have high packet loss on the tunnel (or some
> other condition). This is not something charon can measure. You would need to write
> an application or script that does it.

Hmm, sounds not as easy as I thought. :-(

Frank Fiene
IT-Security Manager VEKA Group

Fon: +49 2526 29-6200
Fax: +49 2526 29-16-6200
mailto: ffiene at veka.com

PGP-ID: 62112A51
PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
Threema: VZK5NDWW

Dieselstr. 8
48324 Sendenhorst

Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
HRB 8282 AG Münster/District Court of Münster
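
The monitor script suggested in the quoted reply (fail over on high packet loss, which charon does not measure) could look like the following. This is an added example, not part of the original thread or of strongSwan; the interface names, addresses, threshold and function names are assumptions.

```shell
#!/bin/sh
# Added example: packet-loss monitor for two VTI tunnels (all names are assumptions).
VTI1=vti1; PEER1=192.0.2.1        # hypothetical: address reachable only via tunnel 1
VTI2=vti2; PEER2=198.51.100.1     # hypothetical: address reachable only via tunnel 2
REMOTE_NET=203.0.113.0/24         # hypothetical network routed through the tunnels
MAX_LOSS=40 PROBES=5 INTERVAL=10  # fail over at >= 40 % loss, probe every 10 s

# Constructed sample of a "ping -q" summary, used to exercise loss_pct offline.
SAMPLE_PING='--- 192.0.2.1 ping statistics ---
5 packets transmitted, 3 received, 40% packet loss, time 4005ms'

# Read ping output on stdin, print the integer loss percentage.
# No summary line (interface missing, ping failed) counts as 100 % loss.
loss_pct() {
    pct=$(sed -n 's/.* \([0-9][0-9]*\)\(\.[0-9]*\)\{0,1\}% packet loss.*/\1/p' | head -n 1)
    echo "${pct:-100}"
}

# next_active CURRENT LOSS1 LOSS2 MAX: print the tunnel (1 or 2) to use next.
# Switch only if the current tunnel is degraded and the other one is healthy,
# so two bad tunnels do not cause route flapping.
next_active() {
    if [ "$1" = 1 ]; then cur=$2 alt=2 alt_loss=$3; else cur=$3 alt=1 alt_loss=$2; fi
    if [ "$cur" -ge "$4" ] && [ "$alt_loss" -lt "$4" ]; then echo "$alt"; else echo "$1"; fi
}

# Probe through one tunnel: $1 = VTI interface, $2 = probe address.
probe() {
    ping -I "$1" -c "$PROBES" -q -W 1 "$2" 2>/dev/null | loss_pct
}

# Monitoring loop; runs only when the script is started as "script.sh run".
if [ "${1:-}" = "run" ]; then
    active=1
    while sleep "$INTERVAL"; do
        l1=$(probe "$VTI1" "$PEER1"); l2=$(probe "$VTI2" "$PEER2")
        new=$(next_active "$active" "$l1" "$l2" "$MAX_LOSS")
        [ "$new" = "$active" ] && continue
        if [ "$new" = 1 ]; then dev=$VTI1; else dev=$VTI2; fi
        ip route replace "$REMOTE_NET" dev "$dev"
        logger -t vti-failover "loss $VTI1=${l1}% $VTI2=${l2}%: $REMOTE_NET now via $dev"
        active=$new
    done
fi
```

The script does not fail back on its own: traffic stays on the tunnel it switched to until that tunnel degrades in turn.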
