[strongSwan] Some questions about HA plugin

Ali Masoudi masoudi1983 at gmail.com
Tue Dec 4 14:48:34 CET 2012


Thank you so much Martin.

Best wishes

On Mon, Dec 3, 2012 at 1:31 PM, Martin Willi <martin at strongswan.org> wrote:
> Hi,
>
>> what is type of heartbeat packet? I mean when I use tcpdump, what
>> should I see?
>
> Heartbeats use UDP packets to port 4510, equal to those sent for state
> synchronization.
>
>> I asked this because I think in my test, heartbeats were
>> not sent. If the heartbeats were not sent, how can I find the problem?
>
> By default heartbeats are enabled, but this can be changed using the
> "monitor" options in the ha plugin subsection of strongswan.conf. Also
> have a look at the heartbeat_delay and heartbeat_timeout options.
>
>> Is it really an active-active HA or it is just for load sharing?
>
> As said, it is pseudo-active-active. Each CHILD_SA is handled
> active-passive, but with multiple CHILD_SAs each node is handling some
> CHILD_SAs actively, some passively, sharing load.
>
>> If the first part is correct, what happens if the link that heartbeats
>> are sent over goes down? Which of the nodes is handling the
>> traffic?
>
> If no heartbeats are received, each node has to assume that the other
> node died. Both then take over responsibility for the tunnels. This gets
> problematic with IPsec sequence numbers, and you'll end up with many
> doubled inbound packets and conflicting outbound packets, likely to kill
> any connection over it.
>
> It is therefore recommended to use a simple and direct link for
> heartbeat and synchronization, and/or have redundant equipment for this
> link.
>
> Regards
> Martin
>
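As an added illustration (not part of the original thread or of the strongSwan project's own documentation), here is what the strongswan.conf fragment Martin refers to looks like, with the heartbeat sent over a dedicated direct link. The "monitor", "heartbeat_delay" and "heartbeat_timeout" names come from the mail; the remaining option names ("local", "remote", "secret", "fifo_interface", "resync") are the ha plugin options as documented for strongSwan, and the addresses and secret are placeholders you must replace:

```conf
charon {
    plugins {
        ha {
            # Addresses on the dedicated, direct HA link (placeholders).
            # Sync and heartbeat traffic is UDP to port 4510 on these.
            local  = 10.255.255.1
            remote = 10.255.255.2

            # Pre-shared secret used to authenticate sync/heartbeat messages
            # between the two nodes (placeholder; use a strong random value).
            secret = REPLACE-WITH-RANDOM-SECRET

            # Create the /var/run/charon.ha FIFO for administrative control.
            fifo_interface = yes

            # Heartbeats stay enabled so that a dead peer is detected.
            # Disabling "monitor" means the nodes never notice a failed peer.
            monitor = yes

            # Send a heartbeat every 1000 ms; declare the peer dead if none
            # arrived for 2100 ms (i.e. after roughly two missed heartbeats).
            heartbeat_delay   = 1000
            heartbeat_timeout = 2100

            # Resynchronize state after a node comes back.
            resync = yes
        }
    }
}
```

To confirm that heartbeats actually leave a node, capture on the HA link rather than on the public interface, for example with `tcpdump -ni <ha-interface> udp port 4510`: with the settings above you should see one packet per second in each direction. Keep in mind the failure mode described above: if this link alone fails while both nodes stay up, each side assumes the other died and both take over every CHILD_SA, so the heartbeat link deserves the same redundancy as the tunnels it protects.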