[Openswan Users] ipsec vpn fallback

Ming-Ching Tiew mingching.tiew at redtone.com
Mon Jun 6 10:18:48 CEST 2005

From: "Paul Wouters" <paul at xelerance.com>

> > What I did is then to force the UDP port 500 IKE to go through the "surviving"
> > network interface card, the IKE negotiation will complete very quickly.
> How did you do this? Would you mind sharing your rules/scripts on what you did
> to make this work?

I am using a pretty customized environment/distro; it would be a long story if I were to post
everything (and it might not even be relevant to a general distro), but I figured that
the easiest way to do it was by changing the default route. It's not ideal, but it will be
sufficient for a failover environment.

I have outlined the way I did it, if there is still interest.

Basically I make heavy use of iptables and iproute2:

   1. Add two more routing tables, each with a default route to a different gateway of the
       internet links.

   2. Add ip rule so that different fwmark selects different routing table.
               ip rule add fwmark 5 table first
               ip rule add fwmark 7 table second

   3. Add a new chain to the mangle table and hook it into the mangle OUTPUT chain,

               iptables -t mangle -N ike
               iptables -t mangle -A ike -p udp --dport 500 -j MARK --set-mark 5
               iptables -t mangle -A ike -j RETURN
               iptables -t mangle -A OUTPUT -p udp --dport 500 -j ike

   4. Have a script which monitors link failure and dynamically changes the --set-mark value,

                iptables -t mangle -R ike 1 -p udp --dport 500 -j MARK --set-mark 5

                iptables -t mangle -R ike 1 -p udp --dport 500 -j MARK --set-mark 7
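Steps 1 to 4 above, put together as one script. This is an added example, not the poster's own script and not part of Openswan: the gateway addresses, interface names, the ping-based link probe and the DRY_RUN switch (which prints the commands instead of running them, so the logic can be exercised without root or real links) are all assumptions. The routing table names "first" and "second" must exist in /etc/iproute2/rt_tables for `ip rule ... table first` to resolve.

```shell
#!/bin/sh
# Added example: fwmark-based failover for IKE (UDP/500) using iptables + iproute2.
# Link details below are placeholders, not from the original post.
set -u

TABLE_FIRST=first        # assumed entries in /etc/iproute2/rt_tables, e.g. "100 first"
TABLE_SECOND=second      #                                            and "101 second"
MARK_FIRST=5             # fwmark values as in the post
MARK_SECOND=7
GW1=192.0.2.1;    DEV1=eth1    # assumed first internet link
GW2=198.51.100.1; DEV2=eth2    # assumed second internet link

# Run a command, or just print it when DRY_RUN=1 (lets the script be previewed offline).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Step 1: one extra routing table per link, each with its own default route.
setup_tables() {
    run ip route replace default via "$GW1" dev "$DEV1" table "$TABLE_FIRST"
    run ip route replace default via "$GW2" dev "$DEV2" table "$TABLE_SECOND"
}

# Step 2: packets carrying a given fwmark are looked up in the matching table.
setup_rules() {
    run ip rule add fwmark "$MARK_FIRST" table "$TABLE_FIRST"
    run ip rule add fwmark "$MARK_SECOND" table "$TABLE_SECOND"
}

# Step 3: mangle chain "ike" marks locally generated IKE (UDP/500), hooked from OUTPUT.
setup_chain() {
    run iptables -t mangle -N ike
    run iptables -t mangle -A ike -p udp --dport 500 -j MARK --set-mark "$MARK_FIRST"
    run iptables -t mangle -A ike -j RETURN
    run iptables -t mangle -A OUTPUT -p udp --dport 500 -j ike
}

# Step 4: replace rule 1 of chain "ike" in place so IKE follows the chosen link.
set_ike_mark() {
    run iptables -t mangle -R ike 1 -p udp --dport 500 -j MARK --set-mark "$1"
}

# Link probe (assumed): one ICMP echo to the gateway, bound to the link's interface.
link_up() {   # $1 = gateway, $2 = interface
    ping -c 1 -W 2 -I "$2" "$1" >/dev/null 2>&1
}

# Pick the mark from the two link states (1 = up, 0 = down): prefer the first link,
# fall back to the second, and keep the first when both are down (nothing better exists).
choose_mark() {
    if [ "$1" = 1 ]; then echo "$MARK_FIRST"
    elif [ "$2" = 1 ]; then echo "$MARK_SECOND"
    else echo "$MARK_FIRST"
    fi
}

# Poll the links and reprogram the mark only when the decision changes.
monitor() {
    current=""
    while :; do
        l1=0; l2=0
        link_up "$GW1" "$DEV1" && l1=1
        link_up "$GW2" "$DEV2" && l2=1
        want=$(choose_mark "$l1" "$l2")
        if [ "$want" != "$current" ]; then
            set_ike_mark "$want"
            run ip route flush cache   # harmless on kernels without a route cache
            current=$want
        fi
        sleep "${INTERVAL:-10}"
    done
}

case "${1:-}" in
    setup)   setup_tables; setup_rules; setup_chain ;;
    monitor) monitor ;;
esac
```

Usage: `sh ike-failover.sh setup` once, then `sh ike-failover.sh monitor` in the background; `DRY_RUN=1 sh ike-failover.sh setup` prints the commands without touching the system. Note that only UDP/500 is marked here, exactly as in the post: the ESP packets (IP protocol 50) and NAT-T traffic (UDP/4500) that the gateway itself sends are still routed by the main table, so if those must also leave via the surviving link, add matching `-p esp` and `--dport 4500` rules to the `ike` chain with the same mark.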

