[Openswan Users] Revert to non encrypted traffic if IPSEC down

Mike - st257 silvertip257 at gmail.com
Fri Apr 15 11:44:30 EDT 2016


On Wed, Apr 13, 2016 at 2:31 PM, John Whiteside <
john.whiteside at orionhealth.com> wrote:

> It's due to high availability requirements.  It's just a backup if the
> software goes down on one node
>

You could also set up both IPSec and OpenVPN tunnels and run a routing
protocol over them to prefer one (or load balance); that way, if one dies,
your routing protocol keeps things reachable. And they're both VPNs, so your
data is still confidential.

Broadcast and multicast traffic over IPSec won't work. Though there are at
least 2 options: unless tunneled in GRE ... so that's GRE within IPSec _OR_
set your routing protocol to use unicast instead of multicast.
https://www.centos.org/forums/viewtopic.php?f=17&t=42315
http://openmaniak.com/openvpn_routing.php

If you truly want plain text, my GRE tunnel suggestion still applies too
(along with a routing protocol).
https://www.linickx.com/gre-example-for-centosrhel
http://lartc.org/howto/lartc.tunnel.gre.html



>
> From: Mike - st257 <silvertip257 at gmail.com>
> Date: Wednesday, 13 April 2016 6:08 pm
> To: John Whiteside <john.whiteside at orionhealth.com>, "
> Users at lists.openswan.org" <users at lists.openswan.org>
> Subject: Re: [Openswan Users] Revert to non encrypted traffic if IPSEC
> down
>
>
>
> On Wed, Apr 13, 2016 at 4:34 AM, John Whiteside <
> john.whiteside at orionhealth.com> wrote:
>
>> Hi,
>>
>> Thanks for the response - unfortunately I'm not sure what you mean - I
>> have been testing this in AWS on RHEL6.6 with no firewalls or filtering
>> between the nodes.  If I run openswan on one node and not the other, no
>> comms are possible between the nodes.  Is it possible to configure
>> openswan to revert to non encrypted comms if one node's software is down?
>>
>
> I'm troubled by this ... why would you want to do this?!
>
> I guess if you want to, you could set up a GRE tunnel. On that GRE and
> IPSec tunnel run something to monitor connectivity and then fail over to
> the one that's working (a routing protocol would fit there).
>
> BUT I'd recommend ditching any plain text communication all together.
> In a world with wiretapping and so forth, plain text is strongly
> discouraged.
>
>
>>
>>
>> Thanks
>>
>>
>>
>> On 9/04/16 9:15 am, "Daniel Cave" <dan.cave at me.com> wrote:
>>
>> >Just allow ip connections from each host on the respective opposite
>> >firewalls, if you are using static ips that is
>> >
>> >Sent from my iPhone
>> >
>> >> On 8 Apr 2016, at 15:06, John Whiteside
>> >><john.whiteside at orionhealth.com> wrote:
>> >>
>> >> Hi,
>> >>
>> >> I'm new to configuring openswan and if I have configured IPSEC between
>> >> two nodes, and one node is not running the openswan software, it seems
>> >> to block all traffic between the two nodes.  Whilst this seems sensible
>> >> I'd like to know if it's possible to configure the connections so that if
>> >> one node is not running openswan, it defaults to allowing non tunneled
>> >> communication.
>> >>
>> >> Many thanks,
>> >>
>> >> John
>> >> _______________________________________________
>> >> Users at lists.openswan.org
>> >> https://lists.openswan.org/mailman/listinfo/users
>> >> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> >> Building and Integrating Virtual Private Networks with Openswan:
>> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>
>
>
>
> --
> ---~~.~~---
> Mike
> //  SilverTip257  //
>



-- 
---~~.~~---
Mike
//  SilverTip257  //
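As an added example (not code from the thread, nor Openswan's own), here is the "GRE within IPSec" variant Mike suggests, rendered for a RHEL-style Openswan host: a transport-mode conn that protects only IP protocol 47 between the two nodes, plus the iproute2 commands for the GRE interface the routing protocol then runs over. The addresses, interface name, and the /etc/ipsec.d include path are assumptions; run with `apply` as root on each node (swapping the addresses on the peer) to actually configure it.

```shell
#!/bin/sh
# GRE tunnel carried inside an IPsec transport-mode SA (added example).
# Routing-protocol multicast (OSPF hellos etc.) crosses the GRE interface,
# and GRE itself is always encrypted: if the peer's Openswan is down, GRE
# packets are dropped by the policy rather than sent in the clear.
set -eu

LOCAL_PUB=${LOCAL_PUB:-203.0.113.1}    # this node's routable address (assumed)
REMOTE_PUB=${REMOTE_PUB:-203.0.113.2}  # peer's routable address (assumed)
GRE_IF=${GRE_IF:-gre1}                 # tunnel interface name (assumed)
GRE_LOCAL=${GRE_LOCAL:-172.16.0.1/30}  # tunnel-internal address (assumed)

# Openswan conn pinned to protocol 47 only; other traffic between the
# nodes is untouched by this policy. Assumes ipsec.conf has
# "include /etc/ipsec.d/*.conf" (the RHEL package default).
render_ipsec_conf() {
    cat <<EOF
conn gre-transport
    type=transport
    left=$LOCAL_PUB
    right=$REMOTE_PUB
    leftprotoport=47
    rightprotoport=47
    authby=secret
    auto=start
EOF
}

# iproute2 commands that create the GRE interface (needs root).
render_gre_commands() {
    printf 'ip tunnel add %s mode gre local %s remote %s ttl 255\n' \
        "$GRE_IF" "$LOCAL_PUB" "$REMOTE_PUB"
    printf 'ip addr add %s dev %s\n' "$GRE_LOCAL" "$GRE_IF"
    printf 'ip link set %s up\n' "$GRE_IF"
}

# Succeeds only when the rendered conn really restricts itself to GRE in
# transport mode, so a typo cannot silently widen or loosen the policy.
conf_is_gre_only() {
    render_ipsec_conf | grep -q '^ *type=transport$' &&
    render_ipsec_conf | grep -q '^ *leftprotoport=47$' &&
    render_ipsec_conf | grep -q '^ *rightprotoport=47$'
}

case "${1:-}" in
    apply)   # privileged: install the conn and bring up the tunnel
        conf_is_gre_only
        render_ipsec_conf > /etc/ipsec.d/gre-transport.conf
        render_gre_commands | sh -e
        ;;
    *)       # default: only show what would be configured
        render_ipsec_conf; render_gre_commands
        ;;
esac
```

After `ipsec restart` on both nodes, `ipsec auto --status` should list gre-transport as established before the routing protocol is pointed at the GRE interface.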