[strongSwan-dev] ClusterIP and Virtualization

Daniel Palomares palomaresdaniel at gmail.com
Mon May 27 10:39:49 CEST 2013

Hello All,

I'm trying to use one of the targets of iptables called CLUSTERIP with KVM.
As strongswan uses CLUSTERIP to offer High Availability, I decided to
ask on this list.

Our testbed consists of two security gateways (SG1 and SG2) offering HA
features. They are configured as ACTIVE/PASSIVE. Similarly to strongswan, we
want the PASSIVE SG (SG2) to become ACTIVE when SG1 is not working anymore
(due to errors, overload, maintenance, etc.).

Both SG1 and SG2 are actually two virtual machines (built using KVM).

We are having trouble configuring the simplest scenario, for example:

In SG1:
> ip address add dev eth0
  (adds an IP address to eth0)
> iptables -A INPUT -i eth0 -d -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:00:03 --total-nodes 2 --local-node 1
  (creates the iptables rule to assign a cluster MAC address to
> echo "+2" > /proc/net/ipt_CLUSTERIP/
  (makes SG1 responsible for all incoming traffic)

When we try to 'ping' the cluster at, the ping does not reach the
Virtual Machine. However, when using Wireshark, we can see that the ICMP
packets arrive at the physical interface of the host machine where both
Virtual Machines are hosted (SG1 and SG2). Then, when listening on the bridge
(br0), we can also see the ICMP packets. Unfortunately, when listening on
vnet0 or, we see no ICMP packets.

Does anyone have an idea where the problem is?

We are sure that the configuration works; we tested this with physical
machines and it worked. But when it comes to Virtual Machines, packets are
blocked somewhere.

Thank you very much for reading my issue,

Daniel Palomares
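Two offline sanity checks for the CLUSTERIP setup in the post above, added here as an example and not part of the original mail: CLUSTERIP only accepts a link-layer multicast address as --clustermac (the I/G bit of the first octet must be set), and /proc/net/ipt_CLUSTERIP/<cluster-ip> exposes the node numbers the host currently handles as a comma-separated list. The node-list file is a constructed sample standing in for the real /proc entry.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the /proc entry
# holds node numbers as "1,2"; the sample file below is constructed.

# CLUSTERIP requires a multicast cluster MAC: the I/G bit (least significant
# bit of the first octet) must be set. Returns 0 when the MAC is multicast.
mac_is_multicast() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    [ "$(( 0x$first & 1 ))" -eq 1 ]
}

# Parse a node list in the format of /proc/net/ipt_CLUSTERIP/<cluster-ip>
# (comma-separated node numbers); prints one node number per line.
clusterip_nodes() {
    tr ',' '\n' < "$1" | tr -d ' '
}

# Returns 0 when node $2 appears in the node-list file $1, i.e. this host
# answers for that node's share of the source-IP hash.
node_is_local() {
    clusterip_nodes "$1" | grep -qx "$2"
}

# Constructed sample: what the /proc entry on SG1 should read after
# 'echo "+2"' has made it responsible for both nodes.
SAMPLE=$(mktemp)
printf '1,2\n' > "$SAMPLE"

mac_is_multicast 01:00:5e:00:00:03 && echo "cluster MAC is multicast: ok"
node_is_local "$SAMPLE" 2 && echo "node 2 handled by this host: ok"
rm -f "$SAMPLE"
```

Run the two functions against the real /proc entry and the MAC from the iptables rule on SG1; a unicast MAC or a missing node number is a configuration error on the guest, not a bridge problem.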
