[strongSwan] High availability configuration

unite unite at openmailbox.org
Fri Feb 20 16:04:40 CET 2015

Hi guys!

I have a couple of questions regarding stronswan HA configuration.

I have the following topology:
I have two debain wheezy nodes running the 5.2.1 strongswan installed 
from backports and 3.16 kernel also installed from wheezy backports. 
Here is the part of "ipsec statusall" ouput:

ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 
3.16.0-0.bpo.4-amd64, x86_64)

My two nodes receive routes from 2 ISPs using bgp. So both nodes are 
running quagga and ISP's router is configured to operate with two 
neighbors in my AS. The addressing between my external interfaces and 
the first ISPs gateway (on which BGP relations are held) is for example 
( - ISP gateway, - my cluster node1, - node2). Addressing for the second let's assume is in net. My AS is bound to net for example and I 
have for example vlan 50 which contains these addresses.

So, for maximum reachability, I would like to configure strongswan to 
use the source ip from my AS net, for example -, so all tunnels 
would be initiated from this IP and even if one ISP fails my tunnels are 
still reacheble. However, is that possible to configure strongswan in HA 
mode using such a configuration? So, I see two possible ways how it 
theoretically might work:

1) in active/standby configuration - when for example all bgp traffic 
will be held by node1 - so ISP gateways forward traffic to node1 of my 
cluster, it receives VPN packets for destination and decrypts 
them and so on. So in this setup all traffic will be received by node1. 
If I want to have high availability does the configuration differ from 
the simple one? Will the SA's be synchronized and will failover work 
correctly when only one node receives 100% of the traffic, and also at 
this time no multicast is used (all traffic is received by the node1, 
both nodes have address so it won't forward it also to node2)?

2) in active/active configuration - if I configure my nodes to send 
virtual next-hop address to ISP routers. In this way both nodes will 
receive connection in round robin fashion however, multivast still won't 
be used - will this solution work correctly, will SA's be correctly 
synchronized and so on?

Also for both cases (if they should work at all)  I believe I need to 
make some unusual clusterip rule. So if the address could be reached 
directly from ISP, the clusterip rule would have been like this:
ifconfig vlan50:0 up
iptables -A INPUT -i vlan50 -d -j CLUSTERIP --new 
--total-nodes 2 --local-node 1

but assuming I have this configration I guess I need to change the 
incoming interface to the one, on which packets from ISPs are received 
while the address still belongs to vlan50. For example
ifconfig vlan50:0 up
iptables -A INPUT -i eth0 -d -j CLUSTERIP --new 
--total-nodes 2 --local-node 1
iptables -A INPUT -i eth1 -d -j CLUSTERIP --new 
--total-nodes 2 --local-node 1

Am I right? Won't it cause any problems?
Also, should I anyway patch 3.16 kernel or the needed patch for 
clusterip+strongswan is included in it?

Also, did I understand correctly, strongswan can only use HA mode if 
IKEv2 is used for the tunnel?

Another question, is there a way to have redundant tunnels? So, what do 
i mean - I have two tunnels two different peers, though they link the 
same subnets. Tunnel is built with one peer, however if it becomes 
unavailable another tunnel should automatically be brought up. Is this 
possible using strongswan utilities?

Thanks in advance.

With kind regards,

More information about the Users mailing list