[strongSwan-dev] HA Plugin

Avinoam Meir avinoam at google.com
Tue Dec 15 11:25:37 CET 2015


Hello strongSwan developers,

I have two questions about the HA plugin.

1)
In the wiki
<https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability> it is
written that the HA plugin is supported in the IKEv2 daemon. However, in the code
and from my experiments it seems that IKEv1 is also supported.
Does the documentation need an update, or is IKEv1 not fully supported?

2)
If I understand correctly, for every sent packet the plugin syncs only the
MID, but not the packet content (I mean task_manager->initiating.packets
<https://github.com/strongswan/strongswan/blob/08afc33e5259399a682bb62ef253b3155e68461e/src/libcharon/sa/ikev2/task_manager_v2.c#L122>
and task_manager->responding.packets
<https://github.com/strongswan/strongswan/blob/08afc33e5259399a682bb62ef253b3155e68461e/src/libcharon/sa/ikev2/task_manager_v2.c#L96>).

I think there are a few cases where the IKE state synchronization will fail
without syncing the latest sent packet.
For example:

   1. The active VPN received a request from the peer and tried to send a
   response, but the machine crashed or there was a problem in the network so
   the message wasn't sent, while the inactive VPN got the HA message with the
   new MID. When the backup VPN is activated, the peer retransmits the request,
   but because the VPN doesn't have the latest packet it drops the retransmitted
   request (see here
   <https://github.com/strongswan/strongswan/blob/08afc33e5259399a682bb62ef253b3155e68461e/src/libcharon/sa/ikev2/task_manager_v2.c#L1341>)
   and in the end the IKE SA will reset.
   2. The active VPN tried to initiate an exchange with the peer, but the
   machine crashed or there was a problem in the network so the message wasn't
   sent, while the inactive VPN got the HA message with the new MID. When the
   backup VPN is activated it will try to send new messages, but our VPN's MID
   now equals the peer VPN's MID + 1, and in the end the IKE SA will reset.

It seems that syncing the latest packets would solve such cases.
What do you think?

I would appreciate your response,
Thank you,
Avinoam
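The two failover cases described in the post, as an added example that is not part of the original message and not strongSwan's code: a toy Python model of the IKEv2 window-of-one MID rules (accept the expected MID, answer MID - 1 as a retransmission only if the response is still held, drop anything else) with HA replication either copying the MIDs alone or the MIDs plus the last sent request/response. The `Node`/`Packet` classes, the `sync_packets` switch and the simplification that the initiator's MID is advanced when the request is built (the real daemon advances `initiating.mid` when the response arrives, but the HA state already carries MID + 1) are all assumptions made for illustration.

```python
"""Toy model of IKEv2 message-ID (MID) bookkeeping across an HA failover.

Constructed for this thread; not strongSwan code.  Rules modelled:
  * responder: accept a request whose MID is the next expected one, treat
    MID - 1 as a retransmission (answered only if the response is still
    held), drop everything else;
  * initiator: number the next request with its own initiating MID.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    mid: int
    kind: str      # "request" or "response"
    payload: str


@dataclass
class IkeSa:
    responding_mid: int = 0                 # next request MID expected from the peer
    initiating_mid: int = 0                 # MID of the next request we send
    last_response: Optional[Packet] = None  # stands in for responding.packets
    last_request: Optional[Packet] = None   # stands in for initiating.packets


class Node:
    def __init__(self, name: str, sync_packets: bool) -> None:
        self.name, self.sync_packets, self.sa = name, sync_packets, IkeSa()

    def handle_request(self, req: Packet) -> Optional[Packet]:
        """Responder side: return the response sent, or None if dropped."""
        sa = self.sa
        if req.mid == sa.responding_mid:
            sa.last_response = Packet(req.mid, "response", "ack:" + req.payload)
            sa.responding_mid += 1
            return sa.last_response
        if req.mid == sa.responding_mid - 1:
            # Retransmission: only answerable if we still hold that response.
            return sa.last_response
        return None  # outside the window

    def initiate(self, payload: str) -> Packet:
        """Initiator side (simplified: MID advanced as soon as the request is built)."""
        req = Packet(self.sa.initiating_mid, "request", payload)
        self.sa.last_request = req
        self.sa.initiating_mid += 1
        return req

    def ha_snapshot(self) -> dict:
        """State the active node pushes; packets included only if sync_packets."""
        snap = {"responding_mid": self.sa.responding_mid,
                "initiating_mid": self.sa.initiating_mid}
        if self.sync_packets:
            snap.update(last_response=self.sa.last_response,
                        last_request=self.sa.last_request)
        return snap

    def ha_apply(self, snap: dict) -> None:
        self.sa.responding_mid = snap["responding_mid"]
        self.sa.initiating_mid = snap["initiating_mid"]
        self.sa.last_response = snap.get("last_response")
        self.sa.last_request = snap.get("last_request")


def scenario_lost_response(sync_packets: bool) -> bool:
    """Case 1: the response never leaves the active node.
    True if the standby can answer the peer's retransmitted request."""
    active, standby = Node("active", sync_packets), Node("standby", sync_packets)
    peer_req = Packet(0, "request", "CREATE_CHILD_SA")
    active.handle_request(peer_req)          # MID -> 1, response built ...
    standby.ha_apply(active.ha_snapshot())   # ... HA message delivered ...
    # ... but the active node dies before the response reaches the peer.
    return standby.handle_request(peer_req) is not None   # peer retransmits MID 0


def scenario_lost_request(sync_packets: bool) -> bool:
    """Case 2: the active node's own request never leaves the box.
    True if the standby's next exchange with the peer succeeds."""
    active, standby = Node("active", sync_packets), Node("standby", sync_packets)
    peer = Node("peer", sync_packets=False)  # peer still expects MID 0 from us
    active.initiate("INFORMATIONAL")         # MID 0 built, initiating_mid -> 1
    standby.ha_apply(active.ha_snapshot())   # crash before sending; failover
    pending = standby.sa.last_request
    if pending is not None and peer.handle_request(pending) is None:
        return False                         # retransmit of MID 0 rejected
    return peer.handle_request(standby.initiate("INFORMATIONAL")) is not None


if __name__ == "__main__":
    for label, fn in (("lost response", scenario_lost_response),
                      ("lost request", scenario_lost_request)):
        print(f"{label}: MID-only sync {'recovers' if fn(False) else 'breaks SA'}; "
              f"MID+packet sync {'recovers' if fn(True) else 'breaks SA'}")
```

Running it shows both cases failing with MID-only replication (the standby either has no cached response for the retransmitted MID, or jumps one MID ahead of what the peer expects) and both recovering when the last sent packet is carried in the HA snapshot.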

