VPN Server list/backup server option

David Woodhouse dwmw2 at infradead.org
Mon Jan 9 09:20:49 EST 2012


On Mon, 2012-01-09 at 08:34 -0500, Eric Leadbetter wrote:
> Hi,
> 
> I am using openconnect with a VPNC connection on a point-to-point
> network that (by design) is slightly inconsistent. This means that the
> connection to the primary server is lost occasionally. I would like to
> be able to configure openconnect to "fall back" to a secondary server
> when the connection to the primary server is lost, but have not found
> a way to do this. Does OpenConnect support this feature?

Let me start with some background on how the protocol works...

OpenConnect works in two phases. First you fill in some HTTPS forms to
authenticate, at which point you're rewarded by an HTTP cookie that you
use to make the actual connection.

OpenConnect can re-use that cookie, and will automatically reconnect to
the *same* server if it loses the connection. But *only* that server.

Connecting to a second server *isn't* going to give you a seamless
change-over. You'll get a different IP address on the VPN, and all your
existing connections will break (or just time out).

So unless I'm missing something, it sounds like you might as well use a
shell script which *invokes* openconnect repeatedly; trying one server
and then the other until it succeeds. It might look something like this:

#!/bin/bash

SERVER1=xxx
SERVER2=yyy
read -p "Enter VPN username:" VPNUSER
read -s -p "Enter VPN password:" VPNPASS

# Earliest time the next round of attempts may start
NEXTTRY=$(($(date +%s) + 60))

while true; do
   # Try each server in turn; openconnect returns when the session drops
   for SERVER in "$SERVER1" "$SERVER2"; do
     openconnect -u "$VPNUSER" --passwd-on-stdin --script /etc/vpnc/vpnc-script "$SERVER" <<< "$VPNPASS"
   done
   # Don't hammer the servers: wait out the rest of the 60-second window
   NOW=$(date +%s)
   if [ "$NOW" -lt "$NEXTTRY" ]; then
     sleep $(($NEXTTRY - $NOW))
   fi
   NEXTTRY=$(($NOW + 60))
done

> If not, an alternative that I have thought of (but not yet tested)
> would be to make simultaneous VPN connections to the primary and
> secondary servers and bond the created tunnel interfaces. Do you think
> this would work?

Not unless there's something very special about the servers, and you
actually get the same IP address from each... and they somehow advertise
the route to that IP address internally according to which server you're
connected to?

-- 
dwmw2
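A fuller version of the same failover idea, written as an added example and not code from the thread or the OpenConnect project. It assumes only the openconnect options already mentioned above (-u, --passwd-on-stdin, --script); the server names, the 60-second minimum interval and the helper names (connect_once, try_servers, sleep_needed) are constructed for the example. The connector is passed in as a function name so the ordering and rate-limiting logic can be exercised without a real VPN server, and the password travels over stdin rather than argv, so it is not visible in the process list.

```shell
#!/bin/bash
# Added example: failover wrapper around openconnect (not from the original thread).
# Tries each server in order; a round of attempts never starts more often
# than once every MIN_INTERVAL seconds.

MIN_INTERVAL=${MIN_INTERVAL:-60}

# connect_once SERVER: run one openconnect session against SERVER, feeding
# the password on stdin so it never appears in argv (visible to `ps`).
# Returns only when the session ends; non-zero means auth failure,
# unreachable host, or a dropped tunnel.
connect_once() {
    printf '%s\n' "$VPNPASS" | openconnect -u "$VPNUSER" --passwd-on-stdin \
        --script /etc/vpnc/vpnc-script "$1"
}

# try_servers CONNECTOR SERVER...: call CONNECTOR with each server in turn
# until one returns 0.  Prints the server that succeeded; returns 1 if all
# of them failed.  CONNECTOR is a function name (hypothetical, for testing).
try_servers() {
    connector=$1; shift
    for s in "$@"; do
        if "$connector" "$s"; then
            echo "$s"
            return 0
        fi
    done
    return 1
}

# sleep_needed NOW DEADLINE: seconds to wait so the next round does not
# start before DEADLINE (0 if DEADLINE has already passed).
sleep_needed() {
    if [ "$1" -lt "$2" ]; then
        echo $(( $2 - $1 ))
    else
        echo 0
    fi
}

# main SERVER...: prompt once for credentials, then loop forever.
main() {
    read -r -p "Enter VPN username: " VPNUSER
    read -r -s -p "Enter VPN password: " VPNPASS; echo
    deadline=$(( $(date +%s) + MIN_INTERVAL ))
    while true; do
        try_servers connect_once "$@" >/dev/null \
            || echo "all servers failed, retrying" >&2
        wait=$(sleep_needed "$(date +%s)" "$deadline")
        [ "$wait" -gt 0 ] && sleep "$wait"
        deadline=$(( $(date +%s) + MIN_INTERVAL ))
    done
}

# Usage: ./vpn-failover.sh run vpn1.example.com vpn2.example.com
# The loop only starts with the explicit "run" argument, so the functions
# above can be sourced and tested on their own.
case "${1:-}" in
    run) shift; main "$@" ;;
esac
```

Because connect_once blocks for the lifetime of a session, a clean disconnect (exit 0) ends the round early and the wrapper waits out the rest of the interval before trying the primary again; a failure moves straight on to the next server in the list.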