[strongSwan] HA cluster IP works for a limited period of time

Martin Willi martin at strongswan.org
Fri Jun 1 13:49:44 CEST 2012

Hi Wolfgang,

> Once the setting of the virtual IP's on each virtual machine is done (eth0:0),
> We can actually ping that address from the laptop.

Unless the ClusterIP rules are installed, these pings probably use the
real interface MAC address, poisoning the ARP cache on your client.

> Problem is that it stops a few seconds after adding the rule to Iptables,
> which is done by running the command:

But by the design of ClusterIP, these pings should be sent to the
Cluster MAC address. You should install Cluster IPs and ClusterIP rules
in parallel.

> While functioning we can see on Wireshark the ESP packets.

I'd try to debug the issue without any IPsec, but with plain ClusterIP.
Double-check that the responsibilities are configured properly, your
pings are using the Cluster MAC and you can switch segment
responsibility between your nodes. If that all works, start strongSwan
and try it with IPsec.


PS: Sending your queries additionally to different strongSwan team
members does not help. We all read the mailing list and give our best to
answer questions.
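The debugging order Martin describes, as an added shell sketch that is not code from this mail or from the strongSwan project: insert the CLUSTERIP rule before configuring the virtual IP (so no ARP reply ever carries a real interface MAC), move segment responsibility between nodes through /proc, and check on the client that the VIP resolves to the cluster MAC. The VIP 192.0.2.100/24 on eth0, two nodes, the cluster MAC 01:00:5e:00:00:64 and all function names are assumptions. By default the script only prints the commands it would run; set DRY_RUN=0 and run it as root on a real node to apply them.

```shell
#!/bin/sh
# Added example for the ClusterIP debugging order above; not code from the
# original mail or the strongSwan project. All values below are assumed.
#
# Dry run by default: commands are printed, not executed. On a real node run
#   DRY_RUN=0 sh clusterip-node.sh 1       (node 1; use 2 on node 2)
# as root.

VIP=${VIP:-192.0.2.100}                        # assumed virtual IP
PREFIX=${PREFIX:-24}
IFACE=${IFACE:-eth0}
CLUSTER_MAC=${CLUSTER_MAC:-01:00:5e:00:00:64}  # assumed multicast MAC
TOTAL_NODES=${TOTAL_NODES:-2}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# CLUSTERIP rule for this node ($1 = local node number). Once this rule
# exists the kernel answers ARP for $VIP with $CLUSTER_MAC, which is why
# it has to be in place before the address is configured.
clusterip_rule() {
    run iptables -I INPUT -d "$VIP" -i "$IFACE" -j CLUSTERIP --new \
        --hashmode sourceip --clustermac "$CLUSTER_MAC" \
        --total-nodes "$TOTAL_NODES" --local-node "$1"
}

# Rule first, then the virtual IP: the two belong together, and a VIP
# without the rule poisons every client ARP cache with the real MAC.
install_node() {
    clusterip_rule "$1"
    run ip addr add "$VIP/$PREFIX" dev "$IFACE" label "$IFACE:0"
}

# Segment responsibility lives in /proc: "+N" takes over node N's segment,
# "-N" releases it. Use this to move a segment between nodes by hand and
# watch which node answers the pings.
proc_file() { echo "/proc/net/ipt_CLUSTERIP/$VIP"; }
responsible_nodes() { cat "$(proc_file)"; }
set_segment() {   # $1 = "+N" or "-N"
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo $1 > $(proc_file)"
    else
        echo "$1" > "$(proc_file)"
    fi
}

# Client-side check. $1 is the output of `ip neigh show $VIP` on the client.
# Returns 0 if the VIP maps to the cluster MAC, 1 if it maps to a real
# interface MAC (ARP cache poisoned by pinging before the rule existed).
vip_uses_cluster_mac() {
    printf '%s\n' "$1" | grep -qi "^$VIP dev .* lladdr $CLUSTER_MAC "
}

case "${1:-}" in
    [0-9]*) install_node "$1" ;;
esac
```

The cluster MAC must be a multicast address (low bit of the first octet set, as in 01:...), because ClusterIP relies on the switch delivering each frame to every node and on each node's kernel keeping only the segments it is responsible for. If `ip neigh show 192.0.2.100` on the client shows one node's real MAC, the cache was poisoned by an earlier ping; delete the entry with `ip neigh del 192.0.2.100 dev eth0` and ping again before drawing any conclusion about IPsec.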
