[Openswan Users] ipsec vpn fallback
Ming-Ching Tiew
mingching.tiew at redtone.com
Mon Jun 6 10:18:48 CEST 2005
From: "Paul Wouters" <paul at xelerance.com>
> > What I did is then to force the UDP port 500 IKE to go through the "surviving"
> > network interface card, the IKE negotiation will complete very quickly.
>
> How did you do this? Would you mind sharing your rules/scripts on what you did
> to make this work?
>
I am using a pretty customized environment/distro it will be a long story if I were to post
everything ( and it might not be even relevent to a general distro ) but I figured that
the easiest way to do it via by changing the default route. It's not ideal but it will be
sufficient for a failover environment.
I have outlined the way I did it, if there still interest.
Basically I make heavy use of iptables and iproute2,
1. Add two more routing tables, each default route to different gateway of the
internet link.
2. Add ip rule so that different fwmark selects different routing table.
ip rule add fwmark 5 table first
ip rule add fwmark 7 table second
3. Add a new chain to the mangle table and hook to the mangle OUTPUT,
iptables -t mangle -N ike
iptables -t mangle -A -p udp --dport 500 -j MARK --set-mark 5
iptables -t mangle -j RETURN
iptables -t mangle -A OUTPUT -p udp --dport 500 -j ike
4. Have script which monitors link failure and dynamically change the -set-mark value,
iptables -t mangle -R ike 1 -p udp --dport 500 -j MARK --set-mark 5
or
iptables -t mangle -R ike 1 -p udp --dport 500 -j MARK --set-mark 7
More information about the Users
mailing list