[strongSwan] High availability configuration

Michael Schwartzkopff ms at sys4.de
Sun Feb 22 14:08:16 CET 2015


On Sunday, 22 February 2015, 14:57:13, unite wrote:
> On 2015-02-21 20:52, Noel Kuntze wrote:
> > Hello Aleksey,
> > 
> > Currently, strongSwan only supports high-availability in an
> > active-active cluster.
> > However, you can abuse it and make it active-passive by simply not using
> > a multicast MAC address and configuration on the CLUSTERIP rule on the
> > devices. That way, the SAs will be synchronized, but traffic will only
> > be forwarded to one member of the cluster. Failover of the IP needs to
> > be done by a cluster executive.
> > Propagating the new MAC address of the IP needs to be done either by
> > the kernel or the cluster executive. After the IP is assigned to the
> > former passive and now active member, it will process the traffic.
> > 
> > In an active-active configuration, the multicast MAC address would
> > ensure that the traffic is always received by both nodes. A hash
> > function over the layer three address would decide which host
> > processes it. However, be aware that I had problems with multicast MAC
> > addresses with some newer Juniper switches.
> > They do not seem to handle those addresses and forwarding the traffic
> > correctly.

No. They started to handle it correctly. According to the specs a switch 
SHOULD NOT learn a multicast MAC address that belongs to a unicast IP address. 
Cisco always implemented it, but no other manufacturer. It seems that Juniper 
started to implement it.

If you want to set up such a config, you have to configure the correct MAC 
address in the switches in the ports. Otherwise you could have loops and you 
will see much traffic.



(...)

Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein