[strongSwan-dev] HA: sync issue

Emeric POUPON emeric.poupon at stormshield.eu
Thu Mar 5 18:42:09 CET 2015


I am facing another HA problem.
One segment, active/passive configuration.

I add a connection on the active node, "test2". The settings are very similar to the "test1" connection, only the ikelifetime parameter has been changed.
A tunnel is being negotiated successfully. On the passive node, I see things like that:

test1{1}:  ROUTED, TUNNEL
test1{1}:   fd00:120::/64 === fd00:110::/64 
Security Associations (0 up, 1 connecting):
   (unnamed)[1]: CONNECTING, fd56::120[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=FW_120, E=FW_120 at FW.org]...fd56::110[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=FW_110, E=FW_110 at FW.org]
   (unnamed)[1]: IKEv2 SPIs: ff06dd61a2486377_i 1de7b51c6b2966cb_r*
   (unnamed)[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1

If I stop charon on the passive node, the IKE SA and its related CHILD SA get killed on the active node.

I think it's because of this:

METHOD(listener_t, ike_updown, bool,
        private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
        ha_message_t *m;

        if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
        {       /* only sync active IKE_SAs */
                return TRUE;

Since the connection is not known on the passive node, the state is still set to CONNECTING (and not PASSIVE).
Therefore the HA IKE_DELETE message is sent and successfully processed on the active node.

Maybe it would make sense not to install unknown connections on the HA nodes ?
What do you think?

Best Regards,

More information about the Dev mailing list