[strongSwan] Some questions about HA plugin

Martin Willi martin at strongswan.org
Mon Dec 3 11:01:20 CET 2012


> what is type of heartbeat packet? I mean when I use tcpdump, what
> should I see?

Heartbeats use UDP packets to port 4510, equal to those sent for state

> I asked this because I think in my test, heartbeats were
> not sent. If the heartbeats were not sent, how can I find the problem?

By default heartbeats are enabled, but this can be changed using the
"monitor" options in the ha plugin subsection of strongswan.conf. Also
have a look at the heartbeat_delay and heartbeat_timeout options.

> Is it really an active-active HA or it is just for load sharing?

As said, it is pseudo-active-active. Each CHILD_SA is handled
active-passive, but with multiple CHILD_SAs each node is handling some
CHILD_SAs actively, some passively, sharing load. 

> if the first part is correct, what happens if the link that heartbeats
> are sent over it goes down? Which of the nodes is handling the
> traffic?

If no heartbeats are received, each node has to assume that the other
node died. Both then take over responsibility for the tunnels. This gets
problematic with IPsec sequence numbers, and you'll end up with many
doubled inbound packets and conflicting outbound packets, likely to kill
any connection over it.

It is therefore recommended to use a simple and direct link for
heartbeat and synchronization, and/or have redundant equipment for this

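As an added example (not part of this thread and not strongSwan's own code), the following Python parses `tcpdump -n` output from the heartbeat link, picks out the UDP packets to port 4510 that the reply describes, and flags any gap between a node's heartbeats longer than the peer's configured heartbeat_timeout, i.e. the point at which the peer would assume that node died. The capture lines are constructed for the example, and the timeout value passed in is whatever you set in strongswan.conf.

```python
import re
from datetime import datetime, timedelta

# Constructed tcpdump -n style lines for the HA link (not a real capture).
# 10.0.0.1 stops sending between 11:01:21 and 11:01:24; one IKE packet
# on port 500 is mixed in to show that only heartbeats are counted.
SAMPLE_CAPTURE = """\
11:01:20.000000 IP 10.0.0.1.4510 > 10.0.0.2.4510: UDP, length 28
11:01:20.003000 IP 10.0.0.2.4510 > 10.0.0.1.4510: UDP, length 28
11:01:21.000000 IP 10.0.0.1.4510 > 10.0.0.2.4510: UDP, length 28
11:01:21.500000 IP 10.0.0.1.500 > 192.0.2.7.500: isakmp: parent_sa ikev2_init[I]
11:01:24.000000 IP 10.0.0.1.4510 > 10.0.0.2.4510: UDP, length 28
"""

HA_PORT = 4510  # UDP port used by the ha plugin (from the reply above)

# Matches the standard "tcpdump -n" line for a UDP datagram.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_heartbeats(capture, src):
    """Return the timestamps of HA packets sent by `src` to UDP port 4510."""
    stamps = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != HA_PORT or m["src"] != src:
            continue
        stamps.append(datetime.strptime(m["ts"], "%H:%M:%S.%f"))
    return stamps


def find_gaps(stamps, timeout_ms):
    """Return (index, gap_ms) for every interval between consecutive
    heartbeats that exceeds timeout_ms (the peer's heartbeat_timeout).
    A non-empty result means the peer would have declared this node dead
    and taken over its CHILD_SAs, the split-brain case the reply warns about."""
    gaps = []
    for i in range(1, len(stamps)):
        gap_ms = (stamps[i] - stamps[i - 1]) / timedelta(milliseconds=1)
        if gap_ms > timeout_ms:
            gaps.append((i, gap_ms))
    return gaps


if __name__ == "__main__":
    beats = parse_heartbeats(SAMPLE_CAPTURE, "10.0.0.1")
    print(f"{len(beats)} heartbeats from 10.0.0.1, gaps: {find_gaps(beats, 2100)}")
```

An empty list from `parse_heartbeats` for a node means no heartbeats at all reached the capture point, which is the first thing to check before tuning the monitor or timeout options.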