Background¶

It is common that a S2S VPN endpoint has a secondary NIC connected to another ISP, having another public IP address. It is desirable that when the endpoint's primary ISP fails, the same S2S tunnel to re-establish on the IP address assigned to the secondary NIC. Cisco supports this feature with the following command.

set peer a.a.a.a b.b.b.b

Proposition¶

Currently, Strongswan accepts only a single peer IP as following

right=a.a.a.a

I suggest it accepts multiple peer IP addresses, just like Cisco does.

right=a.a.a.a, b.b.b.b

The feature is to simply attempt the next peer IP in the "right=" for establishing the tunnel, if the first peer IP is unresponsive to the very first IKE negotiations (or declared dead by DPD when the tunnel was up).

Previous Work¶

This has previously been discussed in https://lists.strongswan.org/pipermail/users/2015-August/008594.html. I am not totally convinced of Noel's answer, he might have misunderstood the requirement. In the common use-case, there is no "cluster" and the tunnel completely goes down; no need to keep anything in sync between parties.

Concerns¶

It would be desirable if a tunnel established on a secondary peer, tears down and re-establishes on the first peer when the first peer becomes responsive to very first IKE negotiations.