[Openswan Users] Fail over IP + Openswan: Building and Integrating Virtual Private Networks

Igor Widlinski igor.widlinski at eigendev.com
Sat Oct 11 16:16:03 EDT 2008

Hey Ken,

Nice to meet you, and thanks for the reply.

I am going to talk to the programmers here to see if they can come up with
something, otherwise just gotta think it through and come up with a
script. Fortunately the server/client on the other side of VPN does use
DPD and we've got that working. It is pretty simple actually once both
sides support it.

I wonder why there is only couple of options for when dead peer is
detected.. ie hold, restart... It would be nice if we could just specify a
scrip to execute when a peer is detected dead.
ie. dpdaction=/path/to/script.

Also we ended up buying the book, and as you said chapter 11 does not
solve the above issue, but the book is still an awesome resource to help
to get openswan going. We've added extra parameters to our config, as well
as learned more technical insight into how ipsec with openswan works.


> Hi,
> I wrote that chapter - and as much as I'd like you to buy it, if
> that's the only reason, it won't help your case.
> You are correct - you can't failover with just a setting in the config
> file - you'd need to likely use DPD (hopefully the peer supports it)
> and a script to watch to log file for 'declaring Peer Dead' messages,
> at which point you'd want to initiate to the secondary server.
> Ken
> On 7-Oct-08, at 4:59 PM, Igor Widlinski wrote:
>> Hi All,
>> We've managed to set up vpn with openswan and it works pretty well.
>> Now
>> the next step is to set up a fail over connection. I've done some
>> research and was unsuccessful at finding a solution to this problem.
>> Basically our client has choice to connect to 2 different vpn servers
>> (primary and secondary). Each server provides 2 subnets (these subnets
>> are the same on primary and secondary). When primary goes down, the
>> secondary vpn connection should be brought up by us.
>> I believe there is no way to do the fail over by simply adding ip to
>> the
>> configuration file.
>> Has anybody found a solution to this dilema? Maybe you've got some
>> useful resource and could share (a how to, webpage, blog...).
>> Also I found this book "Openswan: Building and Integrating Virtual
>> Private Networks" .
>> Chapter 11 is: "*Chapter 11* discusses the advanced use of Openswan.
>> It
>> discusses how to setup a proper fail-over VPN server with Openswan,
>> and
>> discusses large enterprise deployments bottlenecks,  as well as how to
>> deal with BGP and OSPF using IPsec and Openswan."
>> Which is something that could be useful in this situation. Basically
>> if
>> you've read the book, will this book be helpful in solving this issue?
>> $30 saved is $30 earned.. :-) .
>> Thanks !
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list