[strongSwan] Redundant network connections - messed up SAs

Dahlberg, David david.dahlberg at fkie.fraunhofer.de
Fri Nov 29 09:49:38 CET 2013


Am Donnerstag, den 28.11.2013, 21:14 +0100 schrieb Steffen Heise:

> Regarding your suggestion I must say that I don't know exactly what you
> mean. 
> 
Right. Additionally you'll get network redundancy without the need to
query two IP addresses on the client side.

   10.1.0.0/24
   --+------+-------+--------+-- router 1 --_("""""
     |.1    |.2     |.3      |.4    |     _(
   ALICE   BOB   CHARLIE   DAVE     |    (    inet
     |.1    |.2     |.3      |.4    |     "(
   --+------+-------+--------+-- router 2 --"(____
   10.2.0.0/24

Alice is 10.1.0.1/24 on if 1, 10.2.0.1/24 on if 2 and 10.0.0.1/32 on lo.
Bob   is 10.1.0.2/24 on if 1, 10.2.0.2/24 on if 2 and 10.0.0.2/32 on lo.
                                 ("/64" and "/128" accordingly for IPv6)

Alice and Bob are then reachable as 10.0.0.(1|2) on both networks from
all machines, including machines from the WAN.

OTOH this setup requires that you are able to control the routing of the
network, of course. You should deploy a routing protocol at least on
ALICE, BOB and both routers. Static routes on the routers may or may not
work depending on type of media and type of network failure that you are
expecting.

> Adding a second IP address to the lo interface does make the %any
> parameter obsolete. Or maybe I'm wrong ... dunno :-)

Right. "left" will then be "10.0.0.(1|2)" for "(foo|bar)-in". For
"-out", the interface addresses will be used, unless configured
otherwise in the applications.

As I said, there should be a solution which better fits your original
problem statement. This one on the one hand "works around" your original
problem; on the other hand it may provide you a more stable network
environment. Additionally it will be much easier to manage, as you do not
always have to consider the full matrix of connection possibilities.
"First try network A, but if it fails try network B" may increase the
network latency and timeouts significantly (as may be observed at the
moment with the IPv4/v6 transition) and may be a pain to implement in a
lot of applications.

Regards,

	David


PS: As this discussion of network design went a bit off-topic, please
consider replying by private mail if it is not really about StrongSWAN
any more.

-- 
David Dahlberg     

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany        | Fax: +49-228-856277
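What the loopback-address design above looks like on the strongSwan side, as an added example (not Steffen's or David's actual configuration, and not from the strongSwan project): an ipsec.conf for ALICE in which the per-link connections with interface (or %any) addresses are replaced by a single connection between the /32 loopback addresses from David's diagram. IKEv2, PSK authentication and the commented-out "before" connections are assumptions; the routing daemon that advertises 10.0.0.1/32 and 10.0.0.2/32 over both LANs is a prerequisite that this file does not provide.

```conf
# /etc/ipsec.conf on ALICE (added example for this thread, not the poster's config)
#
# Assumes: IKEv2 with PSK auth, 10.0.0.1/32 and 10.0.0.2/32 on lo as in the
# diagram, and a routing protocol on ALICE, BOB and both routers that carries
# those /32s over 10.1.0.0/24 and 10.2.0.0/24. Nothing here configures routing.

config setup
    uniqueids=yes

conn %default
    keyexchange=ikev2
    authby=secret
    # On a link failure the IKE_SA survives as long as the /32 stays routable;
    # DPD plus restart covers the case where the peer itself went away.
    dpdaction=restart
    dpddelay=30s
    closeaction=restart
    keyingtries=%forever

# Before (assumed shape of the original setup): one conn per interface pair,
# or %any on the responder side. Every link failure leaves a stale SA on the
# now-unreachable address pair until DPD times it out, and both sides must
# keep the full matrix of connection possibilities consistent.
#conn bob-via-net1
#    left=10.1.0.1
#    right=10.1.0.2
#    auto=start
#conn bob-via-net2
#    left=10.2.0.1
#    right=10.2.0.2
#    auto=start

# After: peers address each other only by the loopback /32. Exactly one IKE_SA
# and one CHILD_SA exist regardless of which LAN is currently carrying the
# route, and the ESP outer header 10.0.0.1 -> 10.0.0.2 follows whatever path
# the routing protocol selects. Default tunnel mode and leftsubnet/rightsubnet
# defaulting to left/right give a host-to-host SA between the two /32s.
conn bob
    left=10.0.0.1
    leftid=10.0.0.1
    right=10.0.0.2
    rightid=10.0.0.2
    auto=start
```

The matching ipsec.secrets entry is keyed by the same two addresses (`10.0.0.1 10.0.0.2 : PSK "..."`). Two checks before relying on this: with `left` set to the loopback address, charon sources IKE packets from 10.0.0.1 even though that address lives on lo, so the packets must be able to leave via either LAN interface; and because replies may come back over a different LAN than the one a packet went out on, Linux strict reverse-path filtering (`net.ipv4.conf.all.rp_filter=1`) can silently drop them. Use loose mode (`rp_filter=2`) or disable it on the two LAN interfaces, and verify with `ipsec statusall` that exactly one SA pair exists after failing each link in turn.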

