[strongSwan] Redundant ASA 5505's to single Strongswan 5.4.0

Eric Germann ekgermann at semperen.com
Thu May 19 01:29:05 CEST 2016


Colleagues,

Running Strongswan 5.4.0 in AWS and have a customer who wants to terminate their VPN tunnel on a pair of ASA 5505s running active/standby on two separate adjacent IPs (two different datacenters in the same city with redundant providers running BGP).

I’m trying to think this through on the Strongswan side of things.  Since the devices will mirror their configs (sans the external IP), the connection parameters should be the same.

If I do a range of IPs for the “right” parameter, am I correct in understanding it will accept from either IP?

Obviously, their end which is active will be the initiator and we’ll answer appropriately, but if WE need to be the initiator, does Strongswan cycle through the range of IPs specified in the right parameter to connect to them or does it randomly pick one to connect to?

Looking to swap experiences (even off list) with someone who has done something similar before.

Thanks in advance

EKG
