[strongSwan] Strongswan and VTI

Noel Kuntze noel at familie-kuntze.de
Wed Feb 3 13:47:24 CET 2016


On 03.02.2016 13:38, Frank Fiene wrote:
>> Hello Frank,
>>
>>> rightupdown=/usr/local/sbin/atlas_vpn_1_updown.sh
>> That option doesn't exist. Use leftupdown.
> Really? Are you sure? I got this from the documentation wiki.
>
>
To rephrase it: It does exist, but the script given in rightupdown is only executed
when charon finds out that the configuration for the `right` side actually describes your host,
not the configuration for the left side. By default (if charon can't find out what side is its own),
the configuration for the `left` is used as the local configuration. This is described at the very top of the
man page for ipsec.conf.

>>> I want to establish an automatic failover. I was wondering if this must be working with the VTI config I have, automatically:
>> Either fiddle with DPD or write your own monitor application that fails over the tunnels.
>> leftupdown is only executed when the IKE_SAs or the CHILD_SAs go up or down.
> Yes, if I block the communication to the first external VPN gateway, the first VPN goes down after some time.
>
> But the script has not been executed, of course I tried leftupdown, too. 
Logs, please. And make sure the script is actually executable and well formed.


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
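
The reply above ends by asking that the updown script be executable and well formed. One way to check both before reading charon's logs, as an added example that is not part of the original message: it assumes the script is a POSIX shell script, and the function name `check_updown` and the write-permission check are additions made here.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for an updown script.
# Assumption: the script is a POSIX shell script, so "-n" can parse it.
check_updown() {
    script=$1
    rc=0
    if [ ! -f "$script" ]; then
        echo "FAIL: $script is missing or not a regular file"
        return 1
    fi
    if [ ! -x "$script" ]; then
        echo "FAIL: $script is not executable"
        rc=1
    fi
    # A script that other users can rewrite is a privilege-escalation path
    # when the daemon calling it runs as root (assumed deployment).
    case $(ls -ldL "$script") in
        ?????w*|????????w*)
            echo "FAIL: $script is group- or world-writable"
            rc=1 ;;
    esac
    # Resolve the interpreter from the #! line ("#!/usr/bin/env sh" included).
    first=$(head -n 1 "$script")
    case $first in
        '#!'*) name=$(printf '%s\n' "${first#??}" |
                   awk '{ print (($1 ~ /\/env$/) ? $2 : $1) }') ;;
        *)     echo "FAIL: $script has no #! line"
               name=sh; rc=1 ;;
    esac
    if ! interp=$(command -v "$name"); then
        echo "FAIL: interpreter '$name' not found"
        return 1
    fi
    # -n makes the shell parse the file without executing any command.
    if ! "$interp" -n "$script" 2>/dev/null; then
        echo "FAIL: $script has a syntax error"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $script"
    return "$rc"
}

# Run against the path given on the command line, if any.
if [ "$#" -gt 0 ]; then check_updown "$1"; fi
```
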

