Implementing VPN peer failover
It is common that an S2S VPN endpoint has a secondary NIC connected to another ISP, with another public IP address. It is desirable that, when the endpoint's primary ISP fails, the same S2S tunnel re-establishes on the IP address assigned to the secondary NIC. Cisco supports this feature with the following command.
set peer a.a.a.a b.b.b.b
Currently, Strongswan accepts only a single peer IP, as follows
I suggest it accepts multiple peer IP addresses, just like Cisco does.
The feature is to simply attempt the next peer IP in the "right=" for establishing the tunnel, if the first peer IP is unresponsive to the very first IKE negotiations (or declared dead by DPD when the tunnel was up).
This has previously been discussed in https://lists.strongswan.org/pipermail/users/2015-August/008594.html. I am not totally convinced by Noel's answer; he might have misunderstood the requirement. In the common use-case, there is no "cluster" and the tunnel completely goes down; there is no need to keep anything in sync between the parties.
It would be desirable if a tunnel established on a secondary peer tears down and re-establishes on the first peer when the first peer becomes responsive to the very first IKE negotiations again.
#1 Updated by Scep CAfail over 3 years ago
I would like to work on this and I'd appreciate it if you could point me to the appropriate part of the code where the arguments of "right=" are parsed and passed to the function that establishes the connection. Would it be possible for that "connect" function to retrieve feedback on the connection attempt (such as "peer not responding")?
#4 Updated by Tobias Brunner over 3 years ago
- Status changed from New to Feedback
I'm also interested in this feature. I think it should somehow be hooked on the ALERT_RETRANSMIT_SEND_TIMEOUT alert, triggering a switch to the alternate peers.
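An added example, not strongSwan code, that models the peer-selection behaviour this ticket proposes: walk the "right=" list when the initial IKE exchange hits ALERT_RETRANSMIT_SEND_TIMEOUT, switch peers when DPD declares the current one dead, and fall back to the primary once it answers again. The addresses, the responder stub and the DPD event name are constructed for illustration; only ALERT_RETRANSMIT_SEND_TIMEOUT is taken from the discussion.

```python
from dataclasses import dataclass, field

# Event names: the first is the charon alert named in the ticket, the
# other two are assumed placeholders for this model.
RETRANSMIT_SEND_TIMEOUT = "ALERT_RETRANSMIT_SEND_TIMEOUT"  # initiator gave up retransmitting
DPD_DEAD = "DPD_DEAD"          # peer declared dead by DPD while the tunnel was up
ESTABLISHED = "ESTABLISHED"    # peer answered the very first IKE exchange


@dataclass
class PeerFailover:
    peers: list                 # parsed "right=" list, primary first
    idx: int = 0                # index of the peer currently tried or in use
    up: bool = False
    log: list = field(default_factory=list)

    @property
    def peer(self):
        return self.peers[self.idx]

    def initiate(self, ike_try):
        """Try the peers in order until one answers; ike_try(peer) returns
        ESTABLISHED or RETRANSMIT_SEND_TIMEOUT. Returns the peer used or None."""
        for _ in range(len(self.peers)):
            result = ike_try(self.peer)
            self.log.append((self.peer, result))
            if result == ESTABLISHED:
                self.up = True
                return self.peer
            self.idx = (self.idx + 1) % len(self.peers)   # retransmit timeout: next peer
        return None

    def on_alert(self, alert, ike_try):
        """DPD declared the current peer dead: tear down, move on, re-initiate."""
        if alert == DPD_DEAD and self.up:
            self.up = False
            self.idx = (self.idx + 1) % len(self.peers)
            return self.initiate(ike_try)
        return self.peer if self.up else None

    def preempt(self, ike_try):
        """Tunnel is up on a secondary: probe the primary, fall back when it answers."""
        if self.up and self.idx != 0 and ike_try(self.peers[0]) == ESTABLISHED:
            self.idx = 0
        return self.peer


def make_responder(reachable):
    """Constructed stand-in for the remote side: only reachable addresses answer."""
    return lambda peer: ESTABLISHED if peer in reachable else RETRANSMIT_SEND_TIMEOUT


def demo():
    reachable = {"198.51.100.2"}            # constructed: primary ISP (203.0.113.1) is down
    fo = PeerFailover(["203.0.113.1", "198.51.100.2"])
    first = fo.initiate(make_responder(reachable))      # lands on the secondary
    reachable.add("203.0.113.1")                        # primary ISP comes back
    back = fo.preempt(make_responder(reachable))        # re-established on the primary
    reachable.discard("203.0.113.1")                    # primary dies again, DPD fires
    after_dpd = fo.on_alert(DPD_DEAD, make_responder(reachable))
    return first, back, after_dpd
```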