[strongSwan] High availability configuration

unite unite at openmailbox.org
Mon Feb 23 15:21:55 CET 2015


On 2015-02-23 09:43, unite wrote:
> On 2015-02-22 15:29, Noel Kuntze wrote:
>> Hello Michael,
>> 
>> I know that.
>> However, even with statically setting the MAC address on the ports the
>> hosts are on, it did not forward the Ethernet frames to those ports.
>> 
>> Kind regards,
>> Noel Kuntze
>> 
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> 
>> On 22.02.2015 at 14:08, Michael Schwartzkopff wrote:
>>> No. They started to handle it correctly. According to the specs a
>>> switch SHOULD NOT learn a multicast MAC address that belongs to a
>>> unicast IP address. Cisco always implemented it, but no other
>>> manufacturer. It seems that Juniper started to implement it.
>>> 
>>> If you want to set up such a config, you have to configure the
>>> correct MAC address in the switches on the ports. Otherwise you could
>>> have loops and you will see much traffic.
>> 
> Hi guys!
> 
> I am using HP ProCurve switches - I've done quite a little testing,
> however it seems that it does work, at least I correctly receive
> multicast traffic on both nodes.
> 
> Could you advise on the following from my letter:
> 
> 
> So... If I use the active/passive config without using a multicast
> address, should my tunnel source address and the addresses on the
> VPN-linked subnets be present on the currently passive node? Or can I
> maintain these addresses using, for example, VRRP, so they are only on
> the active node and are brought up on the passive one only in the case
> of failure?
> 
> In the active/active config, I've written two clusterip rules because
> I'm not sure how to make it run correctly:
> so, eth0 - points to the ISP1 (192.168.1.0/24 subnet), eth1 - points
> to the ISP2 (192.168.2.0/24) subnet, and tunnel source IP resides on
> the vlan interface - for example vlan50:0 (1.1.1.50), subnet for
> vlan50 is 1.1.1.0/24. I'm just quite new to iptables clusterip module.
> Is the input interface stated in iptables rule somehow strictly bound
> to subnet on this interface? Or it can be safely ignored and the rule
> can be written completely without input interface statement - just
> using destination IP and making it clusterip? Or should I create
> clusterip using vlan50 input interface on which the corresponding
> subnet resides?
> 
> And also, assuming that routing is implemented using BGP, can I set up
> cluster IPs only on the external interfaces in the ISP-facing networks,
> and just create an interface alias for the tunnel source on the vlan
> interface? I guess my explanations are quite unclear, so I'll try to
> explain in a little bit more detail (I'll use only one ISP in the example).
> 
> So:
> Remote-Host(100.100.100.100)-----Internet--- ISP-Gateway(192.168.1.1)
> 
> The ISP gateway is in the same subnet as my two nodes:
> 
> 
> NODE1 eth0(192.168.1.3)--------ISP-Gateway (192.168.1.1) ------------
> NODE2 eth0(192.168.1.4)
> 
> Cluster IP for my two nodes will be 192.168.1.2 using clusterip (so
> traffic should be received by both nodes using multicast). Both node 1
> and 2 have the ip 1.1.1.50 which is tunnel source for all of my
> tunnels, set just as an alias interface without using a cluster IP (or
> should it also be a clusterip?). So for example if we trace a packet from the
> host 100.100.100.100 to my 1.1.1.50 address on the ISP-Gateway to
> MY-Cluster stage, the packet will hit the clusterip mac
> (01:00:5e:11:22:33) on NODE1 interface eth0:0 with the destination of
> 1.1.1.50 (having source ip of 100.100.100.100 and source mac as
> ISP-Gateway interface). It will be processed then by interface
> vlan50:0 (1.1.1.50) which has the tunnel source IP and be further
> decrypted and passed through. At the same time node2 should receive
> the same traffic with multicast but it shouldn't process it. If
> another remote host initiates the second tunnel from 200.200.200.200
> ip the process should be the same but traffic processing would be held
> by node2. Am I right? Would such a scheme work as expected?
> 
> Still, do I need to patch the 3.16 kernel to use HA plugin? I tried
> setting up the HA without patching the kernel and failed. As I've said
> I've installed strongswan 5.2.1 from wheezy-backports. Is the
> repository version of strongswan built with the ha plugin, or should I
> rebuild it manually enabling the ha plugin? Also, it is very possible that
> I do have some configuration issues (I configured it using how-to's
> and active/active configuration examples). I'll provide my config
> files tomorrow so probably someone could point me to the source of the
> problem.
> 
> Thanks for your help. If something is still unclear tell me and I'll
> try to explain in more detail.
So, I still can't get the HA plugin working. It doesn't appear in 
the list of loaded plugins and it doesn't synchronize SA state between 
the nodes. I haven't patched my kernel for clusterip as described in the HA 
configuration guide, so I'm now trying to test the active/passive 
configuration. I have also installed extra plugins, but still no luck. 
The strongSwan I use is 5.2.1 from the wheezy-backports Debian repository.

So the output of "ipsec statusall" is:

ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 
3.16.0-0.bpo.4-amd64, x86_64):
   uptime: 72 minutes, since Feb 23 15:00:24 2015
   malloc: sbrk 675840, mmap 0, used 515280, free 160560
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 12
   loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 
pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac 
hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke 
updown

/etc/strongswan.conf on Node1:

charon {
         load_modular = yes
         plugins {
                 include strongswan.d/charon/*.conf
                 ha {
                 local = 10.1.64.87
                 remote = 10.1.64.21
                 segment_count = 2
                 fifo_interface = yes
                 monitor = yes
                 resync = yes
                 load = yes
                 }
         }
}

include strongswan.d/*.conf

/etc/strongswan.conf on Node2:

charon {
         load_modular = yes
         plugins {
                 include strongswan.d/charon/*.conf
                 ha {
                 local = 10.1.64.21
                 remote = 10.1.64.87
                 segment_count = 2
                 fifo_interface = yes
                 monitor = yes
                 resync = yes
                 load = yes
                 }

         }
}

include strongswan.d/*.conf

Here is output in /var/log/syslog after "service ipsec restart":

Feb 23 16:15:08 deb-suri charon: 00[DMN] Starting IKE charon daemon 
(strongSwan 5.2.1, Linux 3.16.0-0.bpo.4-amd64, x86_64)
Feb 23 16:15:09 deb-suri charon: 00[CFG] loading ca certificates from 
'/etc/ipsec.d/cacerts'
Feb 23 16:15:09 deb-suri charon: 00[CFG] loading aa certificates from 
'/etc/ipsec.d/aacerts'
Feb 23 16:15:09 deb-suri charon: 00[CFG] loading ocsp signer 
certificates from '/etc/ipsec.d/ocspcerts'
Feb 23 16:15:09 deb-suri charon: 00[CFG] loading attribute certificates 
from '/etc/ipsec.d/acerts'
Feb 23 16:15:09 deb-suri charon: 00[CFG] loading crls from 
'/etc/ipsec.d/crls'
Feb 23 16:15:09 deb-suri charon: 00[CFG] loading secrets from 
'/etc/ipsec.secrets'
Feb 23 16:15:09 deb-suri charon: 00[CFG] expanding file expression 
'/var/lib/strongswan/ipsec.secrets.inc' failed
Feb 23 16:15:09 deb-suri charon: 00[CFG]   loaded IKE secret for 
10.1.64.87 10.1.64.21
Feb 23 16:15:09 deb-suri charon: 00[CFG]   loaded IKE secret for 
10.1.64.53 10.1.234.100
Feb 23 16:15:09 deb-suri charon: 00[CFG]   loaded IKE secret for 
172.16.28.1 10.1.234.100
Feb 23 16:15:09 deb-suri charon: 00[LIB] loaded plugins: charon 
test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 random nonce x509 
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm 
curl attr kernel-netlink resolve socket-default stroke updown
Feb 23 16:15:09 deb-suri charon: 00[LIB] unable to load 3 plugin 
features (3 due to unmet dependencies)
Feb 23 16:15:09 deb-suri charon: 00[LIB] dropped capabilities, running 
as uid 0, gid 0
Feb 23 16:15:09 deb-suri charon: 00[JOB] spawning 16 worker threads
Feb 23 16:15:09 deb-suri charon: 06[CFG] received stroke: add connection 
'TESTCISCO'

Followed by tunnel initiations.

Can anyone point out what's wrong in my setup? I can see "unable to load 
3 plugin features", but how can I determine which plugins those are (and 
whether HA is one of them) and which dependencies are unmet?

Thanks in advance.


-- 
With kind regards,
Aleksey

