Feature #2823
Implementing VPN peer failover
Description
Background
It is common that an S2S VPN endpoint has a secondary NIC connected to another ISP, having another public IP address. It is desirable that when the endpoint's primary ISP fails, the same S2S tunnel re-establishes on the IP address assigned to the secondary NIC. Cisco supports this feature with the following command.
set peer a.a.a.a b.b.b.b
Proposition
Currently, strongSwan accepts only a single peer IP as follows
right=a.a.a.a
I suggest it accepts multiple peer IP addresses, just like Cisco does.
right=a.a.a.a, b.b.b.b
The feature is to simply attempt the next peer IP in the "right=" for establishing the tunnel, if the first peer IP is unresponsive to the very first IKE negotiations (or declared dead by DPD when the tunnel was up).
Previous Work
This has previously been discussed in https://lists.strongswan.org/pipermail/users/2015-August/008594.html. I am not totally convinced of Noel's answer; he might have misunderstood the requirement. In the common use-case, there is no "cluster" and the tunnel completely goes down; no need to keep anything in sync between parties.
Concerns
It would be desirable if a tunnel established on a secondary peer tears down and re-establishes on the first peer when the first peer becomes responsive to the very first IKE negotiations.
History
#1 Updated by Scep CAfail about 2 years ago
I would like to work on this and I'd appreciate it if you could point me to the appropriate part of the code where the arguments of "right=" are parsed and passed to the function that establishes the connection. Would it be possible for that "connect" function to retrieve feedback of the connection attempt (such as "peer not responding")?
Thanks!
#2 Updated by Tobias Brunner about 2 years ago
- Related to Issue #541: List of servers in client config (Failover) added
#3 Updated by Jean-François Hren about 2 years ago
Hello,
I'm also interested in this feature. I think it should be somehow hooked on the ALERT_RETRANSMIT_SEND_TIMEOUT alert triggering a switch to alternate peers.
Thanks.
#4 Updated by Tobias Brunner about 2 years ago
- Status changed from New to Feedback
I'm also interested in this feature. I think it should be somehow hooked on the ALERT_RETRANSMIT_SEND_TIMEOUT alert triggering a switch to alternate peers.
Sure, you can write a plugin that does something like that, or script it via vici/error-notify (either update the config or switch to/initiate an alternative config).
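As an added example (not code from this thread or from strongSwan itself), here is a small Python sketch of the scripting route Tobias describes, built on strongSwan's vici Python bindings: it keeps the peer list from the proposed `right=a.a.a.a, b.b.b.b` syntax, loads the connection with one peer at a time via load-conn, and advances to the next peer when initiate fails or an ike-updown event reports the IKE_SA down. The connection name `site`, the `session` argument (a `vici.Session()`), the helper names and the decision to treat any initiate error as "try the next peer" are assumptions; error-notify and ALERT_RETRANSMIT_SEND_TIMEOUT are not used here.

```python
def parse_peers(right):
    """Split the proposed 'right=a.a.a.a, b.b.b.b' value into a peer list."""
    return [p.strip() for p in right.split(",") if p.strip()]


class PeerFailover:
    """Tracks the active peer of one connection and builds its vici config."""

    def __init__(self, conn_name, peers, base_conn):
        if not peers:
            raise ValueError("at least one peer address is required")
        self.conn_name = conn_name
        self.peers = list(peers)
        self.index = 0            # index 0 is the primary peer
        self.base_conn = base_conn

    def current(self):
        return self.peers[self.index]

    def advance(self):
        """Move to the next peer, wrapping back to the primary at the end."""
        self.index = (self.index + 1) % len(self.peers)
        return self.current()

    def conn_config(self):
        """vici load-conn body with only the active peer in remote_addrs."""
        conn = dict(self.base_conn)
        conn["remote_addrs"] = [self.current()]
        return {self.conn_name: conn}

    def on_ike_updown(self, msg):
        """vici ike-updown event: 'up' is only set on up events, so a missing
        flag means the IKE_SA went down (e.g. DPD). True if peer switched."""
        if self.conn_name not in msg or msg.get("up") in (b"yes", "yes"):
            return False
        self.advance()
        return True


def initiate_with_failover(session, fo):
    """Hypothetical helper: load and initiate the connection on the active
    peer; on failure (peer never answers) move on. Returns the peer that came up."""
    for _ in range(len(fo.peers)):
        session.load_conn(fo.conn_config())
        try:
            # initiate() is streamed and raises CommandException on failure
            for _ in session.initiate({"ike": fo.conn_name, "timeout": "30000"}):
                pass
            return fo.current()
        except Exception:          # assumption: any error means "try next peer"
            fo.advance()
    return None
```

The wrap-around means the primary is retried after the secondary also fails, but a working secondary tunnel is not torn down in favour of the primary, which is the behaviour the Concerns section asks for.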