[strongSwan] Automated test ha/both-active fails
Martin Willi
martin at strongswan.org
Fri Jun 29 11:47:26 CEST 2012
Daniel,
> Is this the new feature of High Availability for IPsec RFC-6311 ?
Our HA solution works different and is not based on RFC 6311. In fact,
we don't need any additional protocol support in IKEv2 between server
and client, all the synchronization is done between the cluster nodes
directly.
> Does this patch generate IKE exchanges to increases IPsec Counters?
We use ClusterIP to keep the sequence counters up to date, no IKE
exchange is involved. This has the big advantage that it works with any
IKEv2 client.
> I thought that the first patches didn't increase the IPsec replay
> counters. Is this a new feature in ha3.3? Or since when did you
> developed this capability?
One issue that might arise with the ClusterIP sequence update is that we
might miss some packets due to packet loss. This can be problematic for
outgoing packets, as the peer might reject a few packets after failover,
breaking connections.
As a work-around, I've implemented a "failover advance" mechanism with
these last two commits: After a failover, we advance the replay counter
for outgoing messages by a certain window. This will make sure we don't
use sequence numbers for packets already processed by the responder.
Doesn't change anything fundamental, but certainly can improve
connection reliability after a failover.
Regards
Martin
More information about the Users
mailing list