Hi,

I finally did it with 4 tunnels and configured routing rules to reach each side.

Tunnel1: host - subnet   192.168.100.1 <--> 192.168.200.1  subnet: 172.16.10.0/24
Tunnel2: host - subnet   192.168.300.1 <--> 192.168.400.1  subnet: 172.16.10.0/24
Tunnel3: subnet - host   192.168.100.1  subnet 172.16.20.0/24 <--> 192.168.200.1
Tunnel4: subnet - host   192.168.300.1  subnet 172.16.20.0/24 <--> 192.168.400.1

I wrote a bash script that detects the status of the connection and sets the routing rule on failure/success.

To avoid having an external monitoring script: is it possible to have all the connections up simultaneously and handle the availability of the connection with only DPD + priority?

Thanks.

--
Saludos / Regards / Cumprimentos
António Silva

> On 13 Jul 2023, at 17:11, antonio <[email protected]> wrote:
>
> Hi,
>
> I'm trying to establish a failover VPN using different links but the same subnets:
>
> Tunnel1: 192.168.100.1 <--> 192.168.200.1
>          172.16.20.0/24 <--> 172.16.10.0/24
>
> Tunnel2: 192.168.300.1 <--> 192.168.400.1
>          172.16.20.0/24 <--> 172.16.10.0/24
>
> If tunnel1 is down the traffic between the subnets will go via tunnel2, and
> when tunnel1 is up again, the traffic will go via tunnel1.
>
> But when the second tunnel comes up I get the error message:
>
> Jul 13 12:45:14 vm pluto[15813]: "tunnel2" #13: cannot install kernel policy -- it is in use for "tunnel1"
> Jul 13 12:45:14 vm pluto[15813]: "tunnel2" #13: state transition function for STATE_QUICK_R0 had internal error
>
> My configuration is:
>
> conn tunnel1
>     pfs=no
>     type=tunnel
>     auto=start
>     ikev2=no
>     phase2=esp
>     authby=secret
>     keyingtries=3
>     ikelifetime=8h
>     salifetime=8h
>     left=192.168.100.1
>     leftsubnet=172.16.20.0/24
>     leftid=192.168.100.1
>     right=192.168.200.1
>     rightsubnet=172.16.10.0/24
>     rightid=192.168.200.1
>     dpddelay=30
>     dpdtimeout=60
>     dpdaction=hold
>
> conn tunnel2
>     pfs=no
>     type=tunnel
>     auto=start
>     ikev2=no
>     phase2=esp
>     authby=secret
>     keyingtries=3
>     ikelifetime=8h
>     salifetime=8h
>     left=192.168.300.1
>     leftsubnet=172.16.20.0/24
>     leftid=192.168.300.1
>     right=192.168.400.1
>     rightsubnet=172.16.10.0/24
>     rightid=192.168.400.1
>     dpddelay=30
>     dpdtimeout=60
>     dpdaction=hold
>
> I tried the libreswan git version, setting different priorities in the configuration,
> but got the same result: the second tunnel does not come up.
> I installed from a Debian package built with make deb.
>
> Can't it be done? Or should I avoid this setup and use a route-based VPN?
>
> Thanks
>
> --
> Saludos / Regards / Cumprimentos
> António Silva
>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
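As an added illustration (not code from the thread or from libreswan), here is the shape of the external check-and-reroute script that the last message describes: look at which conn has an established IPsec SA, prefer the primary, and install the matching route. The decision logic is in functions so it can be exercised against constructed `ipsec trafficstatus` output without pluto running. The conn names `tunnel1`/`tunnel2`, the interfaces `eth0`/`eth1`, the `src` addresses and the remote subnet follow the placeholder addresses used in the thread and are assumptions for illustration; the sample status lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread or from libreswan: a minimal
# "which tunnel is up, so which route do I install" check of the kind the
# poster runs from a script. Conn names, interfaces and addresses are
# assumptions taken from the thread's placeholders.

PRIMARY=tunnel1
BACKUP=tunnel2
REMOTE_NET=172.16.10.0/24

# Constructed sample of "ipsec trafficstatus" output: one line per established
# IPsec SA, with the conn name in double quotes on each line.
SAMPLE_STATUS=$(cat <<'EOF'
#2: "tunnel1", type=ESP, add_time=1689255914, inBytes=0, outBytes=0, id='192.168.200.1'
#4: "tunnel2", type=ESP, add_time=1689255920, inBytes=0, outBytes=0, id='192.168.400.1'
EOF
)

# conn_is_up CONN STATUS_TEXT: succeed if CONN has an established SA.
# Match the quoted name followed by a comma so "tunnel1" does not match "tunnel10".
conn_is_up() {
  printf '%s\n' "$2" | grep -q "\"$1\","
}

# choose_tunnel STATUS_TEXT: print the conn that should carry $REMOTE_NET.
# The primary wins whenever it has an SA, so traffic returns to it as soon as
# it re-establishes; otherwise the backup; otherwise "none".
choose_tunnel() {
  if conn_is_up "$PRIMARY" "$1"; then
    echo "$PRIMARY"
  elif conn_is_up "$BACKUP" "$1"; then
    echo "$BACKUP"
  else
    echo none
  fi
}

# route_cmd CONN: print the ip(8) command that steers $REMOTE_NET into CONN.
# With host<->subnet conns the two kernel policies differ only in the local
# address, so the route's "src" decides which policy a packet matches.
# eth0/eth1 and the src addresses are assumed.
route_cmd() {
  case "$1" in
    tunnel1) echo "ip route replace $REMOTE_NET dev eth0 src 192.168.100.1" ;;
    tunnel2) echo "ip route replace $REMOTE_NET dev eth1 src 192.168.300.1" ;;
    none)    echo "ip route del $REMOTE_NET" ;;
    *)       return 1 ;;
  esac
}

# apply_failover: read the live status, decide, and install the route.
# Prints the chosen conn and command; runs the command only when DRY_RUN is
# not 1. If pluto is not running, the empty status is treated as "none".
apply_failover() {
  status=$(ipsec trafficstatus 2>/dev/null || true)
  conn=$(choose_tunnel "$status")
  cmd=$(route_cmd "$conn") || return 1
  echo "$conn: $cmd"
  [ "${DRY_RUN:-1}" = 1 ] || $cmd
}

# "demo" runs the decision against the constructed sample; "check" (with
# DRY_RUN=0, from cron or a systemd timer) does the real thing.
case "${1:-}" in
  demo)  conn=$(choose_tunnel "$SAMPLE_STATUS"); echo "$conn: $(route_cmd "$conn")" ;;
  check) apply_failover ;;
esac
```

This only sees what pluto knows: a dead peer stays listed until DPD (the dpddelay/dpdtimeout in the posted config) removes the SA, so the reroute lags by up to dpdtimeout, and with dpdaction=hold the old policy is left as a trap in the meantime.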
