[strongSwan-dev] MIB for IKE

krishna chaitanya krishnachaitanya.sanapala at gmail.com
Mon Jul 30 08:22:11 CEST 2012


Hi Martin,

I have a requirement where I need to update the status of IKE to the ESP
packet processing in a HA scenario. IKE and ESP processing runs on
different cores. The only means to synchronize IKE and ESP Processing is via
tables where tables updation is done by IKE and tables look ups by ESP
processing. The tables are shared between IKE and ESP.

I could see the ha_message.h in strongswan sending messages to nodes in HA
scenarios but in my case I need to update the tables so the ESP would
timely update this. I don't have any IPC mechanisms to use apart from tables.

So was the reason I posted in my previous message on the chances of an IKE
MIB so I could use the structures to update ESP Processing. But as Andreas
confirmed of no MIB.

Please help me on the list of IKE structures
for ike_keys(), ike_updown(), ike_rekey(), message(), child_keys(),
child_state_change() hooks

Thanks,
KC


On Fri, Jul 27, 2012 at 3:39 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Krishna,
>
> strongSwan offers a High Availability Solution based on a Cluster of
> two physical hosts:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
>
> With this solution the VPN clients are not aware of the redundant
> hardware. They just connect to a virtual VPN gateway having a constant
> Layer3 IP and Layer2 MAC address. Therefore we don't need RFC 6311
> for synchronisation. The update of ESP sequence numbers is continuously
> done via Linux Cluster IP where both gateways get all ESP packets
> but only half of them are actually processed by each host.
>
> The mirroring of IKE and ESP keys is done via a proprietary socket
> protocol over either a dedicated or ESP-encrypted public network
> link between the two gateways. Therefore we provide hooks where
> ESP keying data can be extracted, although not in the form of
> an official SNMP MIB.
>
> For more information on HA please contact Martin Willi.
>
> Best regards
>
> Andreas
>
>
> On 07/27/2012 08:18 AM, krishna chaitanya wrote:
>
>> Hi Team,
>>
>> One more query on the above request. Does strongswan support rfc 6027
>> and rfc 6311. Thanks
>>
>> On Thu, Jul 26, 2012 at 6:59 PM, krishna chaitanya
>> <krishnachaitanya.sanapala at gmail.com> wrote:
>>
>>     Hi Team,
>>
>>     Does strongswan support any kind of MIB (Tables/Datastructures) for
>>     *IKE monitoring*, reason being to update the ESP processing in case
>>     of *High Availability.*
>>
>>     I could see hooks in the form
>>     of ike_keys(), ike_updown(), ike_rekey(), message(), child_keys(),
>>     child_state_change()
>>     but does strongswan maintain any MIBs/Tables.
>>
>>     *I have a requirement where I have to update ESP packet processing
>>     via Tables and not by any IPC mechanism.*
>>
>>     Please advise.
>>
>>     Thanks,
>>     KC
>>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>