[strongSwan] Current Status of High Availability Extension

Martin Willi martin at strongswan.org
Wed Sep 17 15:36:41 CEST 2014

> I am currently not sure how to set up the LAN side of the IPSec Gateway.
> I have defined a virtual IP on the inside network similar to the
> virtual IP on the outside network, except that I defined a --local-node
> 0 and a --local-node 1.

The configured --local-node option does not matter, as strongSwan
manages CLUSTERIP segment responsibility automatically based on node
availability. Just set up the internal virtual IP the same way you
created the external one. Make sure you have the same multicast MAC on
both nodes for the external, and another distinct pair of multicast MACs
for the internal address. Also your internal network must send the
packets to both nodes with that multicast MAC, but this is usually not a

> But, how does CLUSTERIP know that it needs to process the packages?

For packets arriving at your internal virtual IP coming from the
internal network, both nodes have a matching IPsec policy. After that
has been found, the CLUSTERIP module creates a hash over the associated
IPsec SA state; and only the node responsible for the resulting hash
will further process the packet. The other node just drops it.

Of course you also have to make sure your internal gateway for IPsec
routes is your internal shared virtual IP.
