[strongSwan] Strongswan and VTI

Frank Fiene ffiene at veka.com
Wed Feb 3 15:14:05 CET 2016

> On 03.02.2016 at 13:47, Noel Kuntze <noel at familie-kuntze.de> wrote:
> On 03.02.2016 13:38, Frank Fiene wrote:
>>>> Hello Frank,
>>>>>> rightupdown=/usr/local/sbin/atlas_vpn_1_updown.sh
>>>> That option doesn't exist. Use leftupdown.
>> Really? Are you sure? I got this from the documentation wiki.
> To rephrase it: It does exist, but the script given in rightupdown is only executed
> when charon finds out that the configuration for the `right` side actually describes your host,
> not the configuration for the left side. By default (if charon can't find out what side is its own),
> the configuration for the `left` is used as the local configuration. This is described at the very top of the
> man page for ipsec.conf.

OK, got it.

>>>> I want to establish an automatic failover. I was wondering if this must be working with the VTI config I have, automatically:
>>> Either fiddle with DPD or write your own monitor application that fails over the tunnels.
>>> leftupdown is only executed when the IKE_SAs or the CHILD_SAs go up or down.
>> Yes, if I block the communication to the first external VPN gateway, the first VPN goes down after some time.
>> But the script has not been executed, of course I tried leftupdown, too.
> Logs, please. And make sure the script is actually executable and well formed.

Do you know what logging level in which submodules?

I’ve tried with mgr 3, job 3, dmn 3, app 3 and found nothing. :-(

Frank Fiene
IT-Security Manager VEKA Group

Fon: +49 2526 29-6200
Fax: +49 2526 29-16-6200
mailto: ffiene at veka.com

PGP-ID: 62112A51
PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
Threema: VZK5NDWW

Dieselstr. 8
48324 Sendenhorst

Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler,
Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
HRB 8282 AG Münster/District Court of Münster
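
A diagnostic script for the situation discussed in this message (an added example, not from the thread or the strongSwan project): it checks that an updown script is executable and starts with a shebang, and records every invocation so the log shows whether charon called it at all. `PLUTO_VERB` and `PLUTO_CONNECTION` are the environment variables strongSwan passes to updown scripts; `UPDOWN_LOG` and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic example, not code from the thread.
# PLUTO_VERB / PLUTO_CONNECTION: set by strongSwan when it calls an updown script.
# UPDOWN_LOG and all function names are hypothetical.
UPDOWN_LOG="${UPDOWN_LOG:-/tmp/updown-trace.log}"

# Pre-flight check: the file exists, has an execute bit, and starts with "#!".
check_updown_script() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    [ -x "$1" ] || { echo "not executable: $1"; return 1; }
    first=$(head -n 1 "$1")
    case "$first" in
        '#!'*) echo "ok: $1" ;;
        *)     echo "no shebang: $1"; return 1 ;;
    esac
}

# Reduce the verb to the event class a failover monitor cares about.
classify_verb() {
    case "$1" in
        up-host*|up-client*)     echo up ;;
        down-host*|down-client*) echo down ;;
        '')                      echo missing ;;
        *)                       echo other ;;   # e.g. route-client
    esac
}

# Append one line per invocation: UTC timestamp, connection, verb, event class.
trace_updown() {
    event=$(classify_verb "$1")
    printf '%s conn=%s verb=%s event=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${2:-unknown}" "${1:-unset}" "$event" >> "$UPDOWN_LOG"
}

# Log only when a verb is present, i.e. when charon invoked the script.
if [ -n "${PLUTO_VERB:-}" ]; then
    trace_updown "$PLUTO_VERB" "${PLUTO_CONNECTION:-}"
fi
```

If the log stays empty after the tunnel drops, the script was never called, which points at the `leftupdown`/`rightupdown` side selection or the file's permissions rather than at the script's own logic.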
