[strongSwan] VPN Gateway Failover

Noel Kuntze noel at familie-kuntze.de
Thu Aug 6 05:03:56 CEST 2015



Hello Cody,

strongSwan doesn't support active-passive HA, only active-active. The reason is
that ESP sequence numbers move too fast to synchronize in user space, so every member
of the cluster needs to get each ESP packet to keep the sequence number
status of the SAs in sync with the other side. strongSwan
also doesn't have any provisions to automatically start another conn if one conn fails,
or to connect to a different IP if the former connection failed.
Maybe you can build something with pacemaker that is of general use
for such scenarios, instead of writing a script.

What use do you intend for two redundant gateways (obviously in the same "place" or
logical network), which can't reach each other in any way? I'm sure
you mean that they won't be in the same layer two network on the WAN side all
the time, but they surely will be on the LAN.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 04.08.2015 um 19:49 schrieb Cody Jarrett:
> Hi All,
> I'm looking into testing a solution to replace a setup involving Cisco ASAs providing VPN connectivity. The main requirement that has to be kept is having VPN failover (Active/Standby). On the head end ASA I define a peer list like "crypto map outside_map 1 set peer 100.1.1.1 200.2.2.2" where it will take a list of peers. If dead peer detection reports a peer as down, it will connect to the next peer.
>
> What is the most elegant way to configure similar functionality with Strongswan? For an example setup, a remote site would have two VPN gateways (each with own internet connection) with a common subnet behind them (also using SNAT here). I have the setup working so long as there is just one remote peer up at a time.
>
> From reviewing list emails and documentation, I understand the Linux kernel can't handle matching IPsec policies at the head end. I've done a few tests using marks but I'm not sure that's the right method here. I've considered looking into making a custom updown script but wanted to see if there was anything else available before I started down that path. Also, I can't use clusterIP at the remote sites because the VPN gateways won't always be on the same networks (won't be able to reach each other directly).
>
> I have attached a diagram showing a lab setup using CentOS 7 machines. Note in the diagram the lab setup has a layer 2 network between sites, although the end result would involve different layer 3 paths between sites. Image also available at http://i.imgur.com/oAOyxOV.jpg
>
> Thank you for any input and advice!
>
> conn %default
>     keyexchange=ikev2
>     ike=aes128-sha1-modp1024!
>     esp=aes128-sha1-modp1024!
>     type=tunnel
>     authby=secret
>     mobike=no
>     dpdaction=clear
>     dpddelay=10s
>     dpdtimeout=30s
>
> conn PRI-RTR
>     leftid=192.168.56.1
>     left=192.168.56.1
>     leftsubnet=10.0.0.0/24
>     right=192.168.56.10
>     rightsubnet=10.80.80.0/24
>     auto=start
>
> conn SEC-RTR
>     leftid=192.168.56.1
>     left=192.168.56.1
>     leftsubnet=10.0.0.0/24
>     right=192.168.56.20
>     rightsubnet=10.80.80.0/24
>     auto=start
>

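An added example of the decision logic such a custom updown or cron-driven failover script would need, since strongSwan itself has no peer-list fallback. It is not code from the thread or from strongSwan; it assumes the conn names from Cody's config, the `NAME[n]: ESTABLISHED ...` line format of `ipsec status` in strongSwan 5.x, and that SEC-RTR is changed to auto=add so only one of the two identical leftsubnet/rightsubnet policy pairs is ever installed.

```shell
#!/bin/sh
# Failover watchdog skeleton for the PRI-RTR / SEC-RTR pair (added example).
# Assumes SEC-RTR uses auto=add, so it is only brought up by this script.

PRIMARY=PRI-RTR
SECONDARY=SEC-RTR

# conn_state NAME STATUS_TEXT -> prints ESTABLISHED, CONNECTING or DOWN
conn_state() {
    name=$1
    text=$2
    if printf '%s\n' "$text" | grep -q "^ *${name}\[[0-9]*\]: ESTABLISHED"; then
        echo ESTABLISHED
    elif printf '%s\n' "$text" | grep -q "^ *${name}\[[0-9]*\]: CONNECTING"; then
        echo CONNECTING
    else
        echo DOWN
    fi
}

# next_action STATUS_TEXT -> prints the ipsec command to run, or "none".
# Prefer the primary: bring the secondary up only once the primary is gone
# (DPD with dpdaction=clear removes it) and tear the secondary down again
# after the primary re-establishes, so the two policies never overlap.
next_action() {
    pri=$(conn_state "$PRIMARY" "$1")
    sec=$(conn_state "$SECONDARY" "$1")
    if [ "$pri" = ESTABLISHED ]; then
        if [ "$sec" = DOWN ]; then echo none; else echo "ipsec down $SECONDARY"; fi
    elif [ "$pri" = CONNECTING ]; then
        echo none    # the primary's own retries are still running
    else
        if [ "$sec" = DOWN ]; then echo "ipsec up $SECONDARY"; else echo none; fi
    fi
}

# Constructed samples of `ipsec status` output (not captured from a real host):
STATUS_PRI_UP='Security Associations (1 up, 0 connecting):
     PRI-RTR[3]: ESTABLISHED 41 seconds ago, 192.168.56.1[192.168.56.1]...192.168.56.10[192.168.56.10]
     PRI-RTR{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a1b2c3_i d4e5f6a7_o
     PRI-RTR{2}:   10.0.0.0/24 === 10.80.80.0/24'
STATUS_ALL_DOWN='Security Associations (0 up, 0 connecting):
  none'

# Live use from cron or a loop (not run here):
#   cmd=$(next_action "$(ipsec status)"); [ "$cmd" = none ] || $cmd
```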
