[Openswan Users] OpenSwan and high availability

Norbert Wegener nw at sbs.de
Tue Mar 28 16:12:23 CEST 2006

We use DNS for this purpose. With a relatively simple setup we have had 
100% reliability for more than two years.
Three gateways in three different locations, each of them connected to 
the internet via different providers.
The clients reach the gateways via their DNS names.
All authoritative nameservers for the domain run only on those three 
All the gateways resolve the names to their specific IP address.
Every gateway does various checks: whether it is still connected to 
the internet/intranet, DNS resolution works, ippool availability etc.
When it discovers an error, the named is stopped. Because of TTLs of 100 
seconds, in case of a failure no DNS cache has information about that 
address resolution after that period.
As mentioned, this worked reliably for us for a long period.


Laurent CARON wrote:
> Hi,
> I was wondering about the best way to achieve the following goal:
> - Have a high availability VPN.
> Here is my setup
> 2 different locations connected through an openswan on the gateway of 
> each site.
> The gateway of each site has 2 different internet connections, 
> allowing us to have one connection down without too much trouble.
> What I'd like to do basically is to achieve the same goal even if a 
> server goes down.
> Since I have 2 servers hooked to the internet on each location, this 
> won't be a problem.
> The most "obvious" way would be to use heartbeat to detect if a node 
> is down.
> I'm wondering if it is possible (and how) to achieve the same goal 
> only using openswan, by having two active tunnels at the same time for 
> example.
> Thanks
> Laurent
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
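
A watchdog along the lines described in the reply above, as an added example that is not part of the original thread or of anyone's actual setup: it runs a list of health checks and stops named on the first failure, so that the gateway's records age out of resolver caches once the TTL has passed. The probe addresses, the gateway name, the `rndc stop` command and all function names are assumptions; further checks such as IP pool availability would be added as extra check functions.

```shell
#!/bin/sh
# Added example: health-check watchdog for DNS-based gateway failover.
# Every value below is an assumption or a constructed placeholder.

PROBE_HOSTS="${PROBE_HOSTS:-192.0.2.1 198.51.100.1}"  # constructed uplink probe targets
GW_NAME="${GW_NAME:-vpn.example.org}"                 # placeholder name the clients resolve
STOP_NAMED="${STOP_NAMED:-rndc stop}"                 # how named is stopped on this host

# Uplink is healthy if at least one probe host answers a single ping.
check_uplink() {
    for h in $PROBE_HOSTS; do
        ping -c 1 -W 2 "$h" >/dev/null 2>&1 && return 0
    done
    return 1
}

# The local named must still return an A record for the gateway name.
check_dns() {
    [ -n "$(dig +short +time=2 +tries=1 @127.0.0.1 "$GW_NAME" A 2>/dev/null)" ]
}

# Run the check functions named in $1 (space-separated), in order.
# On the first failure, print that check's name and return 1.
run_checks() {
    for c in $1; do
        "$c" || { echo "$c"; return 1; }
    done
    return 0
}

# One watchdog pass: if any check fails, stop named so this gateway
# no longer answers for the zone. Returns 0 when healthy, 1 otherwise.
watchdog_once() {
    failed=$(run_checks "$1") && return 0
    logger -t vpn-ha "check '$failed' failed, stopping named" 2>/dev/null || true
    $STOP_NAMED
    return 1
}

# Run from cron or a loop at an interval shorter than the record TTL:
#   watchdog.sh --run
if [ "${1:-}" = "--run" ]; then
    watchdog_once "check_uplink check_dns"
fi
```

The script only stops named; bringing it back after the fault clears is left to the operator.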
