[strongSwan] Automated test ha/both-active fails
martin at strongswan.org
Fri Jun 29 11:47:26 CEST 2012
> Is this the new feature of High Availability for IPsec RFC-6311 ?
Our HA solution works different and is not based on RFC 6311. In fact,
we don't need any additional protocol support in IKEv2 between server
and client, all the synchronization is done between the cluster nodes
> Does this patch generate IKE exchanges to increases IPsec Counters?
We use ClusterIP to keep the sequence counters up to date, no IKE
exchange is involved. This has the big advantage that it works with any
> I thought that the first patches didn't increase the IPsec replay
> counters. Is this a new feature in ha3.3? Or since when did you
> developed this capability?
One issue that might arise with the ClusterIP sequence update is that we
might miss some packets due to packet loss. This can be problematic for
outgoing packets, as the peer might reject a few packets after failover,
As a work-around, I've implemented a "failover advance" mechanism with
these last two commits: After a failover, we advance the replay counter
for outgoing messages by a certain window. This will make sure we don't
use sequence numbers for packets already processed by the responder.
Doesn't change anything fundamental, but certainly can improve
connection reliability after a failover.
More information about the Users