[strongSwan] Current Status of High Availability Extension
emeric.poupon at stormshield.eu
Wed Sep 17 17:06:59 CEST 2014
I have some doubts about this ClusterIP method in heavy load balancing environments.
A node may drop packets before it can process them (heavy load, network errors). This leads to outgoing replay counter synchronization problems between nodes.
What do you think?
----- Original Message -----
From: "Martin Willi" <martin at strongswan.org>
To: "Thomas Stinner" <Thomas.Stinner at schweickertgruppe.de>
Cc: users at lists.strongswan.org
Sent: Wednesday 17 September 2014 15:36:41
Subject: Re: [strongSwan] Current Status of High Availability Extension
> I am currently not sure how to set up the LAN side of the IPsec Gateway.
> I have defined a virtual IP on the inside network similar to the
> virtual ip on the outside network, except that i defined a --local-node
> 0 and a --local-node 1.
The configured --local-node option does not matter, as strongSwan
manages CLUSTERIP segment responsibility automatically based on node
availability. Just set up the internal virtual IP the same way you
created the external one. Make sure you have the same multicast MAC on
both nodes for the external, and another distinct pair of multicast MACs
for the internal address. Also your internal network must send the
packets to both nodes with that multicast MAC, but this is usually not a
> But, how does CLUSTERIP know that it needs to process the packets?
For packets arriving at your internal virtual IP coming from the
internal network, both nodes have a matching IPsec policy. After that
has been found, the CLUSTERIP module creates a hash over the associated
IPsec SA state; and only the node responsible for the resulting hash
will further process the packet. The other node just drops it.
Of course you also have to make sure your internal gateway for IPsec
routes is your internal shared virtual IP.
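The setup Martin describes (one CLUSTERIP rule per virtual IP, the same multicast MAC on both nodes for the external address and a second, distinct multicast MAC for the internal one), as an added example that is not part of the original thread or of the strongSwan project. Interfaces, addresses, MACs and the node count are assumed placeholder values; the iptables CLUSTERIP options used (--new, --hashmode, --clustermac, --total-nodes, --local-node) are the target's own.

```shell
#!/bin/sh
# Added example, not strongSwan project code. Emits the CLUSTERIP rules for
# one HA node; all addresses, interfaces and MACs below are assumed values.

EXT_IF=eth0; EXT_VIP=192.0.2.1; EXT_MAC=01:00:5e:00:00:20   # external VIP
INT_IF=eth1; INT_VIP=10.0.0.1;  INT_MAC=01:00:5e:00:00:21   # internal VIP
TOTAL_NODES=2

# clusterip_rule IFACE VIP CLUSTERMAC LOCAL_NODE
# Prints one iptables rule. Every node must use the same --clustermac for a
# given VIP so the frame reaches all of them; --local-node is only the initial
# segment assignment, strongSwan's ha plugin reassigns segments at runtime.
clusterip_rule() {
    printf 'iptables -A INPUT -i %s -d %s -j CLUSTERIP --new --hashmode sourceip --clustermac %s --total-nodes %s --local-node %s\n' \
        "$1" "$2" "$3" "$TOTAL_NODES" "$4"
}

# ha_rules LOCAL_NODE: the full rule set for one node, external then internal.
ha_rules() {
    clusterip_rule "$EXT_IF" "$EXT_VIP" "$EXT_MAC" "$1"
    clusterip_rule "$INT_IF" "$INT_VIP" "$INT_MAC" "$1"
}

# check_macs: the two VIPs need two distinct multicast MACs. A MAC is multicast
# when the low bit of its first octet is set (odd second hex digit).
check_macs() {
    [ "$EXT_MAC" != "$INT_MAC" ] || return 1
    for m in "$EXT_MAC" "$INT_MAC"; do
        first=${m%%:*}
        case "$first" in
            ?[13579bdfBDF]) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
```

Run `ha_rules 1` on node 1 (and `ha_rules 0` on node 0) to see the rules, or pipe the output to `sh` as root to apply them. Because the VIP answers ARP with a multicast MAC, some routers refuse to learn it dynamically and need a static ARP entry for the VIP before traffic reaches either node.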