[strongSwan-dev] HA: sync issue
Emeric POUPON
emeric.poupon at stormshield.eu
Thu Mar 5 18:42:09 CET 2015
Hello,
I am facing another HA problem.
One segment, active/passive configuration.
I add a connection on the active node, "test2". The settings are very similar to the "test1" connection, only the ikelifetime parameter has been changed.
A tunnel is being negotiated successfully. On the passive node, I see things like that:
test1{1}: ROUTED, TUNNEL
test1{1}: fd00:120::/64 192.168.120.0/24 === fd00:110::/64 192.168.110.0/24
Security Associations (0 up, 1 connecting):
(unnamed)[1]: CONNECTING, fd56::120[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=FW_120, E=FW_120 at FW.org]...fd56::110[C=AT, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=FW_110, E=FW_110 at FW.org]
(unnamed)[1]: IKEv2 SPIs: ff06dd61a2486377_i 1de7b51c6b2966cb_r*
(unnamed)[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1
If I stop charon on the passive node, the IKE SA and its related CHILD SA get killed on the active node.
I think it's because of this:
src/libcharon/plugins/ha/ha_ike.c:
METHOD(listener_t, ike_updown, bool,
private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
{
ha_message_t *m;
if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
{ /* only sync active IKE_SAs */
return TRUE;
}
...
Since the connection is not known on the passive node, the state is still set to CONNECTING (and not PASSIVE).
Therefore the HA IKE_DELETE message is sent and successfully processed on the active node.
Maybe it would make sense not to install unknown connections on the HA nodes ?
What do you think?
Best Regards,
More information about the Dev
mailing list