Thursday, May 30, 2024

Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover

Thank you all for your replies.

Actually, I did not know that providing a seamless-switching VPN solution is so problematic. If it can't be done in a simple way, then it doesn't have to be seamless at any cost. Users will manually reconnect to this VPN when CARP does a switchover, and there will be no drama.

I am currently using IPSEC/L2TP, but I do not insist on switching to WireGuard. IPSEC/L2TP simply works smoothly on Win10/11/Mac. Around 2020 I switched from IKEv2 to IPSEC/L2TP when my CA certificate expired and I couldn't cope with updating it to get the VPN back to work. It was the pandemic, and everybody worked remotely. So I quickly switched from IKEv2 to IPSEC/L2TP to allow users to work remotely again, and so it remains to this day. Maybe it's time to replace IPSEC/L2TP with another/newer VPN solution - on the occasion of the CARP deployment.

All I need is a highly secure VPN solution for Win10/Win11/Mac. I have a dozen very non-technical remote users, and this VPN just has to always work when they click CONNECT. That's what I got with IPSEC/L2TP. I also need to assign each user a static IP address - if I remember correctly, IKEv2 assigned users random addresses from the entire VPN pool and I couldn't cope with the IP/user assignment.

Any suggestions - what to choose and how to configure it will be welcome. Replication is therefore not a priority.

Radek

On Thu, 30 May 2024 08:23:35 -0000 (UTC)
Stuart Henderson <stu.lists@spacehopper.org> wrote:

> On 2024-05-29, Vitaliy Makkoveev <otto@bsdbox.dev> wrote:
> > He wants replication. This means both wireguard "servers" know the client
> > state. No client reconnection at failure, no delay, seamless migration
> > from failed node to the backup. Something like sasyncd(8), but for
> > npppd(8) or wg(4).
>
> wireguard doesn't have a "reconnection" in the way IKEv2+MSCHAP or
> IKE+L2TP do, the user doesn't have to do anything, so as long as peers
> are configured on all carp members it should be fairly seamless.
>
> It doesn't care about IP addresses as long as one end can get packets
> through to the other's last known address.
>
> (Reason for ifstated would be to stop any carp backup machines from
> trying to send wireguard packets and confusing things.)
>
>

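The setup Stuart sketches above (WireGuard peers configured identically on every CARP member, ifstated(8) letting only the CARP master speak WireGuard), together with one fixed tunnel address per user, as an added example that is not part of the original thread or of any OpenBSD documentation. The interface names (carp0, wg0), the 10.9.0.0/24 tunnel network, the UDP port, the hostname vpn.example.org and the key placeholders are all assumptions; fill in keys generated with `openssl rand -base64 32` (private) and `ifconfig wg0` (the derived public keys).

```conf
# /etc/hostname.wg0 -- identical on both CARP members (assumed names/addresses).
# wgkey is the server's private key; wgport is the UDP listen port.
# Each wgpeer gets exactly one /32 in wgaip. That is WireGuard's cryptokey
# routing: the address is bound to the user's public key, packets arriving
# over that peer's tunnel with any other source address are dropped, and the
# user therefore always gets the same IP (the "static IP per user" requirement).
wgkey <server-private-key-base64> wgport 51820
wgpeer <user-alice-public-key-base64> wgaip 10.9.0.11/32
wgpeer <user-bob-public-key-base64> wgaip 10.9.0.12/32
inet 10.9.0.1/24
# Leave wg0 down at boot; ifstated(8) brings it up only on the CARP master.
down

# /etc/ifstated.conf -- assumed: follow carp0, so a backup never sends
# handshakes or keepalives from its own address and confuses the clients'
# notion of the server's "last known address". Enable with: rcctl enable ifstated
init-state backup
carp_master = "carp0.link.up"

state master {
	init { run "ifconfig wg0 up" }
	if ! $carp_master { set-state backup }
}

state backup {
	init { run "ifconfig wg0 down" }
	if $carp_master { set-state master }
}

# Client profile for user "alice" (WireGuard app on Windows/macOS), assumed.
# Address must equal the wgaip pinned to alice's key on the servers; the
# Endpoint name must resolve to the CARP address, not a member's own address,
# so the same profile keeps working after a switchover without a reconnect.
[Interface]
PrivateKey = <user-alice-private-key-base64>
Address = 10.9.0.11/32

[Peer]
PublicKey = <server-public-key-base64>
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Because every peer and key lives in hostname.wg0, both CARP members carry the same file, and adding or revoking a user is one wgpeer line on each host. Note that the server only enforces the per-user address; the client profile has to state the matching /32 itself.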