[strongSwan] Current Status of High Availability Extension

Martin Willi martin at strongswan.org
Wed Sep 17 13:54:54 CEST 2014

Hi Thomas,

> Are the patches included in the mainstream kernel?

No. As these changes introduce new Netfilter hooks and some major
changes, I expect that it is a lot of work to upstream these patches. The
latest patchset based on Linux 3.15 is available at [1].

Not sure if we should upstream these changes as they are, or if it would
be better to re-implement the functionality in the Netfilter "cluster"
match, which could support IPv6.

> Are the changes in strongSwan mature and actively tested and used in
> real-world scenarios?

I know of a productive setup that uses the HA plugin for IKEv2
road-warrior connections. IKEv1 connections are not that well tested.

One major open issue is that the synchronization protocol currently runs
on UDP, which is problematic for unreliable sync links or setups with
many connections. Refer to [2] for details.


