[strongSwan-dev] High Availability

Martin Willi martin at strongswan.org
Fri Apr 22 09:53:07 CEST 2011


Hi Daniel,

> On the other hand, I don't get why a HA_IKE_ADD synchronization type
> message would be generated from a "ike_keys" listener?  Could someone
> help me on this? 

We follow the IKEv2 protocol relatively strictly to synchronize IKE_SAs,
we synchronize the information as soon as we get it. This allows us to
keep as little additional state as possible for synchronization, and it
was relatively easy to implement into the existing code base. 

The HA_IKE_ADD message is triggered during the IKE_SA_INIT exchange,
where the key material is generated. This won't synchronize a complete
IKE_SA yet, just what we get during IKE_SA_INIT. After establishment, we
pass all the remaining state using HA_IKE_UPDATE.

> So I'm working on the transfer of a Security Association from one node
> to another, for achieving this I'm taking ideas from the ha_plugin of
> course. 
> My goal is not to synchronize every SA on a cluster but to take a SA
> whenever I want and then be able to install it anywhere else. 

We explicitly synchronize only basic information for kernel level SAs,
but not the sequence numbers. They are moving just too fast if you have
traffic on the tunnel. If a node fails and you reuse the sequence
numbers from a single second ago, your outgoing sequence numbers are
already outdated and your traffic gets dropped. Therefore we use our
extended ClusterIP functionality to keep sequence numbers in sync.

Best regards
Martin
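
Added example (not part of the original mail and not strongSwan code): a minimal C model of the receiving peer's ESP anti-replay window from RFC 4303, showing why a node that takes over with an outgoing sequence counter behind the failed node's counter has its packets dropped. The 64-packet window, the absence of ESN, the helper names and the counter values are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define WINDOW 64  /* assumed replay window size, in packets */

/* Receiver-side anti-replay state for one inbound ESP SA (RFC 4303, no ESN). */
typedef struct {
    uint32_t top;     /* highest sequence number accepted so far */
    uint64_t bitmap;  /* bit i set => sequence number (top - i) already seen */
} replay_t;

/* Returns 1 and updates the state if seq is acceptable, 0 if it is dropped. */
static int replay_check(replay_t *r, uint32_t seq)
{
    if (seq == 0)
        return 0;                       /* 0 is never a valid ESP sequence number */
    if (seq > r->top) {                 /* newer packet: slide the window right */
        uint32_t shift = seq - r->top;
        r->bitmap = shift >= WINDOW ? 0 : r->bitmap << shift;
        r->bitmap |= 1;
        r->top = seq;
        return 1;
    }
    uint32_t off = r->top - seq;
    if (off >= WINDOW || (r->bitmap & (1ULL << off)))
        return 0;                       /* left of the window, or a duplicate */
    r->bitmap |= 1ULL << off;
    return 1;
}

/* Hypothetical failover: the peer accepted 1..active_seq from the failed node and
 * the standby resumes at synced_seq + 1. Returns how many of `burst` are dropped. */
static unsigned dropped_after_failover(uint32_t active_seq, uint32_t synced_seq, unsigned burst)
{
    replay_t peer = {0, 0};
    unsigned dropped = 0;
    for (uint32_t s = 1; s <= active_seq; s++)
        replay_check(&peer, s);
    for (unsigned i = 1; i <= burst; i++)
        dropped += !replay_check(&peer, synced_seq + i);
    return dropped;
}

int main(void)
{
    printf("stale: %u dropped, in sync: %u dropped (of 1000)\n",
           dropped_after_failover(100000, 90000, 1000),    /* constructed values */
           dropped_after_failover(100000, 100000, 1000));
    return 0;
}
```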




