How can we configure Linux/strongswan to advertise remote VPN networks (when established) via RIP
Posted on 2009-02-18
We have a core router (with load balancer functionality) with two ethernet connections to two strongswan based VPN concentrators. The core router accepts RIP advertised routes.
How can we configure the Linux VPN concentrators to advertise established strongswan VPNs via RIP?
Example: the two strongswan VPN concentrators each have a VPN to the same remote network (e.g. 192.168.10.0/24). When the VPNs to 192.168.10.0/24 (one on each strongswan concentrator) are up, all is well. The core router randomly establishes sessions to the remote network via either one or the other.
However, when the VPN fails on only the second strongswan VPN concentrator, for example due to an ISP failure etc., only half of any new sessions will work, as half get sent via the strongswan concentrator with an established VPN and the other half get sent via the strongswan concentrator which does not have a working VPN to the remote subnet.
The solution is surely to utilise dynamic routing. But how?
For example, as the VPNs on each strongswan concentrator establish, they could then advertise that they each have a route to 192.168.10.0/24 respectively.
Then if the VPN fails on one of the concentrators, it could stop advertising that it has a route to 192.168.10.0/24 resulting in the core router removing the now invalid route and sending all traffic to 192.168.10.0/24 via the remaining working concentrator.
When NETKEY based freeswan variations establish VPNs the routes are 'internal'; how can I 'export' these VPN based routes such that RIP can then in turn advertise that the box can provide access to the remote VPN connected network? Additionally, when the VPN goes down, how can I then have RIP stop advertising the remote VPN network?
This is such an incredibly useful and obvious requirement there must be a way of achieving this?
Thank you in advance.
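One way the up/down behaviour described in the question (advertise 192.168.10.0/24 while the tunnel is up, withdraw it when the tunnel drops) can be wired up, as an added example that is not part of the original post and not strongswan's or Quagga's own code: a strongswan updown hook that mirrors the tunnel's remote subnet into the kernel's main routing table, where a RIP daemon configured to redistribute kernel routes will pick it up and, when the route is removed on `down-client`, withdraw it. The assumptions are that strongswan invokes the script with the `PLUTO_VERB`, `PLUTO_PEER_CLIENT` and `PLUTO_INTERFACE` environment variables (the names its updown interface exports), that a zebra/ripd pair (Quagga is assumed here) runs with `redistribute kernel`, and that the main table is what the RIP daemon reads, since NETKEY/XFRM tunnel routes otherwise live only in strongswan's own routing table and are invisible to it. `IP_CMD`, `route_cmd_for`, `handle_updown` and the file path are names chosen for this example.

```shell
#!/bin/sh
# Hypothetical strongswan updown hook (added example, not strongswan's _updown).
# Install as /usr/local/sbin/rip-updown.sh (path is an assumption) and reference it
# from ipsec.conf on each concentrator:
#   conn remote-site
#       leftupdown=/usr/local/sbin/rip-updown.sh
#
# Assumed RIP side (Quagga ripd.conf), which turns main-table routes into RIP
# advertisements towards the core router and withdraws them when they vanish:
#   router rip
#     network eth0
#     redistribute kernel
#
# PLUTO_VERB, PLUTO_PEER_CLIENT and PLUTO_INTERFACE are exported by strongswan to
# updown scripts; IP_CMD is this example's own knob (set IP_CMD=echo for a dry run).

IP_CMD="${IP_CMD:-ip}"

# Build the 'ip route' command that mirrors a tunnel's remote subnet into the main
# routing table.  Arguments: <PLUTO_VERB> <remote subnet> <tunnel interface>.
# Only client (subnet) events produce a command; host-to-host events and the
# other verbs strongswan may send (e.g. up-host) yield an empty string.
route_cmd_for() {
    verb="$1"; subnet="$2"; dev="$3"
    case "$verb" in
        up-client|up-client-v6)
            # 'replace' is idempotent, so a re-keyed or re-established tunnel
            # does not fail on an already-present route.
            echo "$IP_CMD route replace $subnet dev $dev" ;;
        down-client|down-client-v6)
            # Removing the route is what makes ripd stop advertising the subnet,
            # so the core router falls back to the other concentrator.
            echo "$IP_CMD route del $subnet dev $dev" ;;
        *)
            echo "" ;;
    esac
}

# Entry point used when strongswan runs the script: derive the command from the
# environment, log it, and execute it.  Failures are logged rather than hidden so a
# stale advertisement can be spotted in syslog.
handle_updown() {
    cmd=$(route_cmd_for "${PLUTO_VERB:-}" "${PLUTO_PEER_CLIENT:-}" "${PLUTO_INTERFACE:-}")
    [ -n "$cmd" ] || return 0
    logger -t rip-updown "$PLUTO_VERB: $cmd"
    if ! $cmd; then
        logger -t rip-updown "failed: $cmd"
        return 1
    fi
    return 0
}

# Run only when invoked by strongswan (PLUTO_VERB set), so the file can also be
# sourced to test route_cmd_for without touching the routing table.
if [ -n "${PLUTO_VERB:-}" ]; then
    handle_updown
fi
```

With `redistribute kernel` the withdrawal is driven purely by the route disappearing, so the time until the core router stops using the failed concentrator is bounded by how quickly strongswan's dead-peer detection fires `down-client` plus RIP's own update and hold-down timers; tightening DPD on the tunnels is what shortens the window on the VPN side.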