[Openswan Users] ipsec vpn fallback
Ming-Ching Tiew
mingching.tiew at redtone.com
Wed Jun 1 11:10:35 CEST 2005

I have a case where I have two internet connections
( link1 a1.b1.c1.d1 and gateway a1.b1.c1.e1, and link2
a2.b2.c2.d2 and gateway a2.b2.c2.e2 ) and I want to establish
a VPN connection to the remote office ( IP u.v.w.x and gateway
u.v.w.y ) which is connected to the internet too.

Because the internet link is unreliable, I would have set up two
internet links, and at any one time, I want one IPSEC VPN
connection to the remote office to be active. If one of the
internet links goes down, I want to establish a VPN connection
via the other surviving link.

I am using kernel 2.4.29 and openswan 2.3.1; the 'ipsec.conf' I have
is included below. I could bring up ipsec on link1 ( ipsec0 ) this
way:

    ipsec auto --up link1

This is all fine and proper; however, when link1 fails, I
bring down ipsec on link1 and bring up ipsec1 on link2:

    ipsec auto --down link1
    ipsec auto --up link2

The second command fails to properly establish the IKE negotiation;
it seems to have to do with some routing issue. If I rework the ipsec.conf,
changing interfaces="ipsec0=eth2 ipsec1=eth1", and issue the commands

    ipsec setup restart
    ipsec auto --up link2

then it will work. Is there a way to get this to work without changing
the ipsec.conf and restarting ipsec?

Thank you very much for your attention.

----------------------ipsec.conf------------------------------------
#
version 2

## basic configuration
config setup
    interfaces="ipsec0=eth1 ipsec1=eth2"

conn link1
    keyingtries=0
    keyexchange=ike
    authby=secret
    compress=yes
    left=a1.b1.c1.d1
    leftsubnet=192.168.238.0/24
    leftnexthop=a1.b1.c1.e1 # a.b.c.d's gateway
    right=u.v.w.x
    rightsubnet=192.168.118.0/24
    rightnexthop=u.v.w.y
    auto=add
    pfs=no

conn link2
    keyingtries=0
    keyexchange=ike
    authby=secret
    compress=yes
    left=a2.b2.c2.d2
    leftsubnet=192.168.238.0/24
    leftnexthop=a2.b2.c2.e2
    right=u.v.w.x
    rightsubnet=192.168.118.0/24
    rightnexthop=u.v.w.y
    auto=add
    pfs=no