[strongSwan] remote_addrs with more than one IP address

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Apr 27 15:17:28 CEST 2017

Hello Vijaya,

On 27.04.2017 13:20, Vijaya Venkatachalam wrote:
> Hi,
> I am using VICI strongswan interface to build an application to start an IPsec connection.
> Now in my configuration, I have specified two IP addresses in remote_addrs.
> But when I initiate the connection, it only establishes a connection with the first IP address.
> And if no IPsec is running on the first IP address, it does not fall back on the second IP address.

Duh. You need to read the manual.
From `man swanctl.conf` (which also describes all the fields of the VICI connection structures):


       connections.<conn>.remote_addrs [%any]
              Remote address(es) to use for IKE communication, comma separated.
              Takes single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP
              address ranges.

              *As initiator, the first non-range/non-subnet is used to initiate
              the connection to.* As responder, the initiator source address
              must match at least to one of the specified addresses, subnets
              or ranges.

> Does this mean currently there is no support for failover to the one or more IP addresses specified in the remote_addrs list?

There's no support for failover, as described in the FAQ[1].

[1] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#High-Availability-and-Failover-configurations

Kind regards,
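
The man page rule quoted in the reply above, as an added example that is not part of the original post and not strongSwan's code: a Python model of how a comma-separated remote_addrs value is read as initiator versus responder, showing why a second single address is never dialled. Function names and sample addresses are constructed; DNS resolution and %any are not modelled.

```python
import ipaddress

def classify(entry):
    """Classify one remote_addrs entry as 'single', 'subnet', 'range' or 'name'."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (part.strip() for part in entry.split("-", 1))
        try:
            return "range", (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        except ValueError:
            return "name", entry          # hyphenated DNS name, not a range
    if "/" in entry:
        return "subnet", ipaddress.ip_network(entry, strict=False)
    try:
        return "single", ipaddress.ip_address(entry)
    except ValueError:
        return "name", entry              # DNS name (not resolved in this model)

def hosts(remote_addrs):
    """Entries that are neither a range nor a subnet, in configuration order."""
    parsed = (classify(e) for e in remote_addrs.split(","))
    return [str(value) for kind, value in parsed if kind in ("single", "name")]

def initiator_target(remote_addrs):
    """The only peer an initiator contacts: the first non-range/non-subnet entry."""
    found = hosts(remote_addrs)
    return found[0] if found else None

def responder_accepts(remote_addrs, source):
    """As responder, the initiator's source must match at least one entry."""
    src = ipaddress.ip_address(source)
    for kind, value in (classify(e) for e in remote_addrs.split(",")):
        if kind == "single" and src == value:
            return True
        if kind == "subnet" and src in value:
            return True
        if kind == "range" and src.version == value[0].version \
                and value[0] <= src <= value[1]:
            return True
    return False

# Constructed sample value (documentation address ranges).
SAMPLE = "192.0.2.0/24, 198.51.100.10, 203.0.113.5, 10.0.0.1-10.0.0.20"

if __name__ == "__main__":
    print("initiator dials:", initiator_target(SAMPLE))
    print("listed but never dialled:", hosts(SAMPLE)[1:])
    print("responder accepts 203.0.113.5:", responder_accepts(SAMPLE, "203.0.113.5"))
```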
