https://libreswan.org/wiki/High_Availability_/_Failover_VPN_in_AWS_using_libreswan
Or look at VTI https://libreswan.org/wiki/Route-based_VPN_using_VTI

Sent from my iPhone

> On Apr 11, 2017, at 15:41, Eduardo Oliveira <[email protected]> wrote:
>
> Hi all,
>
> I'm trying to create a connection between my local network and my AWS VPC
> with failover or HA using libreswan, but I don't know how to do it.
>
> Try #1: Just create 2 tunnels, bring both up and wait for success. Fail.
>
> When I bring up tunnel 1, it works well. But the second tunnel fails because
> it is not possible to add 2 routes to the same subnet at the same time. Log:
>
> 117 "aws-t2" #5: STATE_QUICK_I1: initiate
> 003 "aws-t2" #5: cannot install eroute -- it is in use for "aws-t1" #3
> 032 "aws-t2" #5: STATE_QUICK_I1: internal error
>
> Try #2: use the "overlapip" and "metric" options. In my head it would work,
> because both tunnels have equal routes but with different metrics. Fail.
> When both tunnels were up, the packets went up using one tunnel and came
> down using the other. I don't know why, but the packets were not forwarded.
>
> Try #3: find some feature to configure a failover. When one tunnel goes
> down, the other comes up. Fail.
>
> I didn't find how to do this.
>
> Can someone help me?
>
> =================================
>
> Config files:
>
> ------ Try #1 ---------
>
> conn aws-t1
>     authby=secret
>     auto=start
>     left=%defaultroute
>     leftid=LOCAL_IP_1
>     right=AWS_Peer_1
>     type=tunnel
>     ikelifetime=8h
>     keylife=1h
>     phase2alg=aes128-sha1;modp1024
>     ike=aes128-sha1;modp1024
>     auth=esp
>     keyingtries=%forever
>     keyexchange=ike
>     leftsubnet=0.0.0.0/0
>     rightsubnet=172.21.0.0/16
>     dpddelay=5
>     dpdtimeout=10
>     dpdaction=restart_by_peer
>
> conn aws-t2
>     authby=secret
>     auto=start
>     left=%defaultroute
>     leftid=LOCAL_IP_1
>     right=AWS_Peer_2
>     type=tunnel
>     ikelifetime=8h
>     keylife=1h
>     phase2alg=aes128-sha1;modp1024
>     ike=aes128-sha1;modp1024
>     auth=esp
>     keyingtries=%forever
>     keyexchange=ike
>     leftsubnet=0.0.0.0/0
>     rightsubnet=172.21.0.0/16
>     dpddelay=5
>     dpdtimeout=10
>     dpdaction=restart_by_peer
>
> ------ Try #2 ---------
>
> conn aws-t1
>     [...] # Same as try #1
>     metric=1
>     overlapip=yes
>
> conn aws-t2
>     [...] # Same as try #1
>     metric=2
>     overlapip=yes
>
> --
>
> Eduardo Fontinelle
>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
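As an added illustration of the route-based approach the reply points to (this is not configuration from the thread, from the libreswan wiki pages linked above, or from the AWS side), the two policy-based tunnels from the quoted message can be rewritten as VTI connections. With `leftsubnet`/`rightsubnet` both set to `0.0.0.0/0`, the IPsec policy no longer claims `172.21.0.0/16` for itself, so the second tunnel does not hit the "cannot install eroute -- it is in use" error; which tunnel carries the traffic is decided by ordinary kernel routes on the two `vti` interfaces, and a route with a lower metric wins while its interface exists. The peer addresses, the `172.21.0.0/16` prefix and the DPD settings are taken from the quoted config; the `mark` values, the `vti01`/`vti02` interface names, the `169.254.x.x/30` inside-tunnel addresses and the route metrics are assumptions chosen for this example and must match whatever the AWS side is configured with.

```ini
# Added example, not part of the original thread. Two route-based VTI
# tunnels from one on-premises libreswan host to the same AWS VPC.
# Assumed values: mark, vti-interface, leftvti, and the route metrics below.
conn aws-t1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=LOCAL_IP_1
    right=AWS_Peer_1
    ike=aes128-sha1;modp1024
    phase2alg=aes128-sha1;modp1024
    ikelifetime=8h
    keylife=1h
    keyingtries=%forever
    dpddelay=5
    dpdtimeout=10
    dpdaction=restart_by_peer
    # Route-based: the policy matches all traffic, the kernel routing table
    # decides what actually enters the tunnel. Both tunnels can coexist.
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    # Packets are steered to the right SA by fwmark; each tunnel needs its own.
    mark=5/0xffffffff
    vti-interface=vti01
    vti-routing=no
    leftvti=169.254.10.2/30    # assumed inside-tunnel address for tunnel 1

conn aws-t2
    authby=secret
    auto=start
    left=%defaultroute
    leftid=LOCAL_IP_1
    right=AWS_Peer_2
    ike=aes128-sha1;modp1024
    phase2alg=aes128-sha1;modp1024
    ikelifetime=8h
    keylife=1h
    keyingtries=%forever
    dpddelay=5
    dpdtimeout=10
    dpdaction=restart_by_peer
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=6/0xffffffff
    vti-interface=vti02
    vti-routing=no
    leftvti=169.254.11.2/30    # assumed inside-tunnel address for tunnel 2

# With vti-routing=no libreswan creates the vti interface when the
# connection comes up and removes it when it goes down, but leaves routing
# to the administrator. Install one route per tunnel for the VPC prefix,
# primary with the lower metric (assumed values):
#
#   ip route add 172.21.0.0/16 dev vti01 metric 100
#   ip route add 172.21.0.0/16 dev vti02 metric 200
#
# While vti01 exists the metric-100 route is used. When DPD declares
# AWS_Peer_1 dead and the connection is torn down, vti01 disappears and
# the kernel drops routes through it, so traffic falls back to vti02.
# Check with: ip route get 172.21.0.10
```

Two points a practitioner should verify on a real deployment: the `mark` value must not collide with marks used by other firewall rules on the host, and the fallback only works if the failed tunnel is actually torn down (DPD is what triggers that here), so keep the DPD timers tight enough for the outage window you can tolerate.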
