Thank you, Paul.
I read both wikis and found a problem for me: I'm trying to connect using the AWS VPN service instead of an EC2 instance running libreswan. On my side I have a CentOS 7 box. The second wiki [Route-based VPN using VTI] has a section named "Setting up a route-based VPN with Amazon", but nobody has written it yet. I found this wiki page [1] reporting the problem with 2 simultaneous connections, and I will try to do it with EC2. Thanks for your help.

[1] https://libreswan.org/wiki/Interoperability#Multiple_tunnels_fail_with_Amazon.27s_VPN

--
Eduardo Fontinelle

________________________________
From: Paul Wouters <[email protected]>
Sent: Tuesday, 11 April 2017 17:12
To: Eduardo Oliveira
Cc: [email protected]
Subject: Re: [Swan] Help with failover

https://libreswan.org/wiki/High_Availability_/_Failover_VPN_in_AWS_using_libreswan

Or look at VTI

https://libreswan.org/wiki/Route-based_VPN_using_VTI

Sent from my iPhone

On Apr 11, 2017, at 15:41, Eduardo Oliveira <[email protected]> wrote:

Hi all,

I'm trying to create a connection between my local network and an AWS VPC with failover or HA using libreswan, but I don't know how to do it.

Try #1: Just create 2 tunnels, bring both up and wait for success. Fail. When I bring up tunnel 1, it works well. But the second tunnel fails because it is not possible to add 2 routes to the same subnet at the same time.
Log:

117 "aws-t2" #5: STATE_QUICK_I1: initiate
003 "aws-t2" #5: cannot install eroute -- it is in use for "aws-t1" #3
032 "aws-t2" #5: STATE_QUICK_I1: internal error

Try #2: use the "overlapip" and "metric" options. In my head it would work, because both tunnels would have equal routes but with different metrics. Fail. When both tunnels were up, the packets went out using one tunnel and came back using the other. I don't know why, but the packets were not forwarded.

Try #3: find some feature to configure a failover. When one tunnel goes down, the other comes up. Fail. I didn't find how to do this.

Can someone help me?

=================================
Config files:

------ Try #1 ---------

conn aws-t1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=LOCAL_IP_1
    right=AWS_Peer_1
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    auth=esp
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=0.0.0.0/0
    rightsubnet=172.21.0.0/16
    dpddelay=5
    dpdtimeout=10
    dpdaction=restart_by_peer

conn aws-t2
    authby=secret
    auto=start
    left=%defaultroute
    leftid=LOCAL_IP_1
    right=AWS_Peer_2
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    auth=esp
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=0.0.0.0/0
    rightsubnet=172.21.0.0/16
    dpddelay=5
    dpdtimeout=10
    dpdaction=restart_by_peer

------ Try #2 ---------

conn aws-t1
    [...]   # Same as try #1
    metric=1
    overlapip=yes

conn aws-t2
    [...]   # Same as try #1
    metric=2
    overlapip=yes

--
Eduardo Fontinelle

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
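For reference, here is what the two AWS tunnels look like when written as route-based (VTI) connections, the approach Paul's second link describes. This is an added example for this page, not the poster's configuration and not text from the libreswan wiki. The option names (mark, vti-interface, vti-routing, leftvti) are libreswan's; AWS_Peer_1/AWS_Peer_2 and LOCAL_IP_1 are the poster's placeholders; the vti01/vti02 names and the 169.254.x.x/30 inside-tunnel addresses are assumptions made for illustration. The cipher proposals are carried over unchanged from the thread.

```ini
# Added example: route-based (VTI) version of the two AWS tunnels from the thread.
# Assumptions: vti01/vti02 device names and the 169.254.x.x/30 inside addresses.
# The point of the change is that both SAs now carry 0.0.0.0/0 <-> 0.0.0.0/0 and
# are told apart by their packet mark, so the second tunnel no longer collides
# with the first one's eroute for 172.21.0.0/16. Which tunnel a packet takes is
# then a routing decision on the host, not an IPsec policy decision.

conn aws-t1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=LOCAL_IP_1
    right=AWS_Peer_1
    type=tunnel
    ikelifetime=8h
    keylife=1h
    ike=aes128-sha1;modp1024
    phase2alg=aes128-sha1;modp1024
    keyingtries=%forever
    dpddelay=5
    dpdtimeout=10
    dpdaction=restart_by_peer
    # Route-based: the policy matches everything, routing selects the tunnel.
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    # Unique mark per tunnel; this is what lets two identical policies coexist.
    mark=5/0xffffffff
    vti-interface=vti01
    # Do not let the updown script add a route for rightsubnet (0.0.0.0/0);
    # routes are added by hand below, one per VTI, with different metrics.
    vti-routing=no
    leftvti=169.254.10.2/30    # assumed inside-tunnel address for tunnel 1

conn aws-t2
    authby=secret
    auto=start
    left=%defaultroute
    leftid=LOCAL_IP_1
    right=AWS_Peer_2
    type=tunnel
    ikelifetime=8h
    keylife=1h
    ike=aes128-sha1;modp1024
    phase2alg=aes128-sha1;modp1024
    keyingtries=%forever
    dpddelay=5
    dpdtimeout=10
    dpdaction=restart_by_peer
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=6/0xffffffff          # must differ from aws-t1
    vti-interface=vti02
    vti-routing=no
    leftvti=169.254.11.2/30    # assumed inside-tunnel address for tunnel 2

# Routes to the VPC, one per VTI, primary and backup by metric. Run these
# after the VTI devices exist (for example from a boot script or a leftupdown
# hook); the prefix is the poster's 172.21.0.0/16:
#   ip route add 172.21.0.0/16 dev vti01 metric 100
#   ip route add 172.21.0.0/16 dev vti02 metric 200
```

Two caveats a practitioner should check before relying on this. First, a static route does not follow SA state: if tunnel 1 loses its SA, the lower-metric route still points at vti01 and that traffic is dropped until the SA comes back, so real failover needs something that watches each tunnel (a ping to the AWS inside address over each VTI that swaps the metrics, or a BGP session over the inside addresses, which the AWS side offers) rather than the routes alone. Second, since the policy is now 0.0.0.0/0 on both ends, anything a host routes into vti01 or vti02 will be sent encrypted to AWS; keep the VTI routes limited to the VPC prefix and do not add a default route to a VTI unless that is intended.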
