[strongSwan] Round robin connections to redundant ASA's

Eric Germann ekgermann at semperen.com
Sat Jul 16 19:39:14 CEST 2016


We’re running StrongSwan 5.4.0 in an AWS environment.  The remote end is a pair of Cisco ASA’s set up in a redundant configuration on two different ISP’s (two different peer IP’s).

On the AWS side is there a way to make the same rightsubnet available to two different right peers?  

My current thinking is we set right = %PeerA to permit connections from either peer IP when we’re the responder and initiate a connection to PeerA when we’re the initiator.  The thought is % enables rightany and we secure it by screening udp/500 and 4500 at the AWS security group level to just the two peers.

The main question is, how do we or can we have a second target for same connection or round robin them even to PeerB?

Thoughts or am I completely off base?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3705 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160716/ff86bcb6/attachment.bin>

More information about the Users mailing list