Options for rebuilding OpenSwan box to LibreSwan without downtime?

by Nicolas Pottier   Last Updated May 15, 2019 21:00 PM

This is all in an AWS VPC environment.

We have an old Ubuntu 12.04 machine running OpenSwan which is managing a pile of VPN connections. This has worked well for us thus far, but 12.04 is no longer supported and OpenSwan is EOL so we want to move to 18.04 and LibreSwan (which we understand should be largely compatible).

My question is what are our options for doing this with minimal downtime and without coordination with the other sides of all these connections?

In theory I could just build the box, copy the configs over and flip the virtual IP at some point, but that sounds... unlikely to work well without large amounts of downtime.

Ideally I'd like some way of routing only one source to the new box at a time and migrating them a little at a time, testing as I go. But I don't know what routing magic I need to do to make this happen, either at the VPC or another level. From what I can tell, AWS virtual public IPs can only belong to one machine at a time, so I'm not sure how I would route all the traffic from, say, one of the other gateways to a new box while keeping the rest on the old one.

One simplification is that all private traffic is staying on this host, i.e., we aren't routing traffic THROUGH this box; rather, this box is dealing with all that private traffic internally. So I think that's a simplifier.

Surely I can't be the first to run into this; how are IPsec migrations like this done?
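Before moving peers over one at a time, it helps to have an exact inventory of what the old box is serving. The script below is an added example, not part of the question or of either project's own tooling: it parses an OpenSwan/Libreswan-style `ipsec.conf` (section headers at column 0, indented `key=value` lines, `conn %default` supplying defaults, `also=` pulling in another section) and flattens each `conn` so you can see, per peer, which addresses, subnets and proposals it actually resolves to. The `SAMPLE_CONF` is constructed for the example and uses documentation address ranges; the precedence it applies (`%default`, then `also=` targets, then the conn's own keys) is a simplification of the real parser's behaviour.

```python
"""Inventory the conn sections of an OpenSwan/Libreswan-style ipsec.conf.

Added example (not from the original question). Assumes the standard layout:
"config setup" / "conn <name>" headers at column 0, indented key=value lines,
"conn %default" providing defaults and "also=<name>" pulling in other sections.
"""
import re
from typing import Dict, List, Tuple

Section = Dict[str, str]

HEADER_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")

# Constructed sample; addresses are RFC 5737 documentation ranges.
SAMPLE_CONF = """\
config setup
    protostack=netkey
    nat_traversal=yes      # OpenSwan-era key carried over

conn %default
    keyexchange=ike
    authby=secret
    left=%defaultroute
    leftid=203.0.113.10
    ikelifetime=8h
    keylife=1h

conn base-peer
    auto=start
    pfs=yes

conn partner-a
    also=base-peer
    right=198.51.100.20
    rightsubnet=10.1.0.0/16
    ike=aes256-sha1;modp1024

conn partner-b
    also=base-peer
    right=198.51.100.30
    rightsubnet=10.2.0.0/16
    auto=add
"""


def parse_ipsec_conf(text: str) -> Dict[str, Section]:
    """Return {section_name: {key: value}}; config sections are keyed 'config <name>'."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments, keep indentation
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            kind, name = m.groups()
            current = f"{kind} {name}" if kind == "config" else name
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            sections[current][key] = value
        # anything else (e.g. "include" directives) is ignored in this example
    return sections


def resolve_conn(sections: Dict[str, Section], name: str, _stack: Tuple[str, ...] = ()) -> Section:
    """Flatten one conn: %default, then each also= target, then the conn's own keys."""
    if name in _stack:
        raise ValueError(f"also= loop: {' -> '.join(_stack + (name,))}")
    stack = _stack + (name,)
    merged: Section = dict(sections.get("%default", {}))
    own = dict(sections[name])
    also = own.pop("also", None)
    if also:
        for other in also.split():  # also= may list several sections
            merged.update(resolve_conn(sections, other, stack))
    merged.update(own)
    return merged


def inventory(text: str) -> List[Section]:
    """One row per real conn (skips %default and config sections) with the
    fields that matter when migrating peers individually."""
    sections = parse_ipsec_conf(text)
    rows = []
    for name in sections:
        if name.startswith("config ") or name == "%default":
            continue
        c = resolve_conn(sections, name)
        rows.append({
            "conn": name,
            "left": c.get("left", ""),
            "right": c.get("right", ""),
            "rightsubnet": c.get("rightsubnet", c.get("rightsubnets", "")),
            "auto": c.get("auto", "ignore"),  # ipsec.conf's default for auto=
            "ike": c.get("ike", ""),
        })
    return rows


if __name__ == "__main__":
    for row in inventory(SAMPLE_CONF):
        print("{conn:12} right={right:16} subnet={rightsubnet:14} auto={auto:6} ike={ike}".format(**row))
```

Run against the real `/etc/ipsec.conf` (and any files it includes, which this example does not follow) the table gives you the per-peer list to work through: the conns with `auto=start` are the ones the old box actively initiates, so they need the most care when the remote end starts seeing a different responder.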
