[strongSwan] High availability configuration

unite unite at openmailbox.org
Mon Feb 23 08:43:42 CET 2015

On 2015-02-22 15:29, Noel Kuntze wrote:
> Hello Michael,
> I know that.
> However, even with statically setting the MAC address to the ports the
> hosts are on,
> it did not forward the ethernet frames to those ports.
> With kind regards/Regards,
> Noel Kuntze
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 22.02.2015 at 14:08, Michael Schwartzkopff wrote:
>> No. They started to handle it correctly. According to the specs a switch
>> SHOULD NOT learn a multicast MAC address that belongs to a unicast IP address.
>> Cisco always implemented it, but no other manufacturer. It seems that Juniper
>> started to implement it.
>> If you want to set up such a config, you have to configure the correct MAC
>> address in the switches on the ports. Otherwise you could have loops and you
>> will see much traffic.
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
Hi guys!

I am using HP ProCurve switches - I've done quite a little testing, 
however it seems that it does work, at least I correctly receive 
multicast traffic on both nodes.

Could you advise on the following from my letter:

So... if I use the active/passive config without using a multicast 
address, should my tunnel source address and the addresses on the 
VPN-linked subnets be present on the currently passive node? Or can I 
maintain these addresses using, for example, VRRP, so that they are only 
on the active node and are brought up on the passive node only in case 
of failure?

In the active/active config, I've written two clusterip rules because 
I'm not sure how to make it run correctly:
so, eth0 points to ISP1 ( subnet), eth1 points to ISP2 ( subnet), and 
the tunnel source IP resides on the vlan interface, for example 
vlan50:0 (, the subnet for vlan50 is I'm just quite new to the iptables 
clusterip module. Is the input interface stated in an iptables rule 
somehow strictly bound to the subnet on that interface? Or can it be 
safely ignored and the rule written completely without an input 
interface statement, just using the destination IP and making it 
clusterip? Or should I create the clusterip using the vlan50 input 
interface on which the corresponding subnet resides?

And also, assuming that routing is implemented using BGP, can I set up 
cluster IPs only on the external interfaces in the ISP-facing networks, 
and just create an interface alias for the tunnel source on the vlan 
interface? I guess my explanations are quite unclear, so I'll try to 
explain in a little bit more detail (I'll use only one ISP in the 
example).

Remote-Host( ISP-Gateway(

ISP gateway is in the same subnet as two my nodes:

NODE1 eth0( ( ------------ 
NODE2 eth0(

The cluster IP for my two nodes will be using clusterip (so traffic 
should be received by both nodes using multicast). Both node 1 and 
node 2 have the IP which is the tunnel source for all of my tunnels, 
set just as an alias interface without using a cluster IP (or should it 
also be clusterip?). So, for example, if we trace a packet from the host 
to my address, at the ISP-Gateway to MY-Cluster stage the packet will 
hit the clusterip MAC (01:00:5e:11:22:33) on NODE1 interface eth0:0 
with the destination of (having a source IP of and the source MAC of 
the ISP-Gateway interface). It will then be processed by interface 
vlan50:0 ( which has the tunnel source IP, and be further decrypted and 
passed through. At the same time node2 should receive the same traffic 
via multicast, but it shouldn't process it. If another remote host 
initiates a second tunnel from IP the process should be the same, but 
the traffic processing would be handled by node2. Am I right? Would 
such a scheme work as

Still, do I need to patch the 3.16 kernel to use the HA plugin? I tried 
setting up HA without patching the kernel and failed. As I've said, 
I've installed strongSwan 5.2.1 from wheezy-backports. Is the 
repository version of strongSwan built with the ha plugin, or should I 
rebuild it manually, enabling the ha plugin? Also, it is very possible 
that I have some configuration issues (I configured it using how-tos 
and active/active configuration examples). I'll provide my config files 
tomorrow so that someone could probably point me to the source of the 

Thanks for your help. If something is still unclear tell me and I'll try 
to explain in more detail.

With kind regards,

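An added example, not part of this thread or of strongSwan's own documentation, showing the shape of the iptables CLUSTERIP rules the questions above are about. It renders the INPUT rule for a two-node active/active pair, for both the external cluster IP and the tunnel-source address, and it makes two points visible in code: the `-i` interface argument is optional (CLUSTERIP matches on the destination IP; `-i` only narrows which interface the rule applies to), and the `--clustermac` must be a link-layer multicast address (the I/G bit, the lowest bit of the first octet, set), which is why 01:00:5e:xx:xx:xx works. All addresses, interface names and the MAC are placeholder assumptions; the functions only print the commands so they can be reviewed before being run as root on each node with the matching `--local-node`.

```shell
#!/bin/sh
# Added example (not from the thread): render iptables CLUSTERIP rules for a
# two-node active/active pair. Values below are constructed placeholders.

CLUSTER_VIP="192.0.2.10"       # assumed external cluster IP in the ISP1 subnet
TUNNEL_VIP="198.51.100.10"     # assumed tunnel-source IP on vlan50
CLUSTER_MAC="01:00:5e:11:22:33"  # multicast MAC shared by both nodes
TOTAL_NODES=2

# Return 0 if the MAC is a link-layer multicast address: the I/G bit is the
# least-significant bit of the first octet, so the second hex digit is odd.
# CLUSTERIP rejects a unicast --clustermac.
is_multicast_mac() {
    case "$1" in
        ?[13579bBdDfF]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the INPUT rule for one shared address on one node.
#   $1 = destination IP to share, $2 = input interface ("" to omit -i),
#   $3 = this node's number (1..TOTAL_NODES)
# --hashmode sourceip picks the responsible node from the client's source
# address, so two remote peers can land on different nodes.
clusterip_rule() {
    vip=$1; iface=$2; node=$3
    is_multicast_mac "$CLUSTER_MAC" || {
        echo "clustermac $CLUSTER_MAC is not a multicast address" >&2
        return 1
    }
    printf 'iptables -A INPUT %s-d %s -j CLUSTERIP --new --hashmode sourceip --clustermac %s --total-nodes %s --local-node %s\n' \
        "${iface:+-i $iface }" "$vip" "$CLUSTER_MAC" "$TOTAL_NODES" "$node"
}

# Full rule set for one node: if the tunnel-source address is also meant to be
# received by both nodes, it needs its own CLUSTERIP rule, not just an alias.
node_rules() {
    node=$1
    clusterip_rule "$CLUSTER_VIP" eth0   "$node"
    clusterip_rule "$TUNNEL_VIP"  vlan50 "$node"
}

# Usage: print the rules for node 1; run with "2" on the second node.
node_rules 1
```

The same `--clustermac`, `--total-nodes` and `--hashmode` must be used on every node; only `--local-node` differs. The output is meant to be inspected and then applied by hand, since the script deliberately does not call iptables itself.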