[strongSwan] High availability configuration

Noel Kuntze noel at familie-kuntze.de
Mon Feb 23 21:37:29 CET 2015



Hello Aleksey,

Check if you have the ha module by looking at the contents of the /usr/lib/ipsec/plugins/ directory.
A file called "libstrongswan-ha.so" must be there to be able to support HA.

It looks like your installation either does not have it, or it is disabled because of settings in /etc/strongswan.d/.


The tunnel source address and the addresses on the vpn-linked subnet should always be on the active node.
You need to maintain the addresses using vrrp or other mechanisms.
I am somewhat confused by your many interfaces. Of course you can have the IP on any interface you want and use
dynamic routing protocols too. You only need to give the CLUSTERIP rule the IP you want to load balance on.

You can attach an unlimited number of IPs to an interface. iproute2 can do that. ifconfig can't, because it's
ancient.

I do not know if the CLUSTERIP rule needs an interface. It is plausible that it needs one, as the IP
and the multicast MAC need to be bound to an interface.

I think the kernel patches are in newer default kernels, but I might be wrong here.

With kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 23.02.2015 at 15:21, unite wrote:
> So, I still can't get the HA plugin working. It doesn't seem to appear in the list of loaded plugins and it doesn't synchronize SA state between the nodes. I haven't patched my kernel for CLUSTERIP as written in the HA configuration guide, so I'm now trying to test an active/passive configuration. I have also installed extra plugins but still no use. The strongSwan I use is 5.2.1 from the wheezy-backports Debian repository.
>
> so the output of "ipsec statusall" is:
>
> ipsec statusall
> Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-0.bpo.4-amd64, x86_64):
>   uptime: 72 minutes, since Feb 23 15:00:24 2015
>   malloc: sbrk 675840, mmap 0, used 515280, free 160560
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 12
>   loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke updown
>
> /etc/strongswan.conf on Node1:
>
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>                 ha {
>                 local = 10.1.64.87
>                 remote = 10.1.64.21
>                 segment_count = 2
>                 fifo_interface = yes
>                 monitor = yes
>                 resync = yes
>                 load = yes
>                 }
>         }
> }
>
> include strongswan.d/*.conf
>
> /etc/strongswan.conf on Node2:
>
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>                 ha {
>                 local = 10.1.64.21
>                 remote = 10.1.64.87
>                 segment_count = 2
>                 fifo_interface = yes
>                 monitor = yes
>                 resync = yes
>                 load = yes
>                 }
>
>         }
> }
>
> include strongswan.d/*.conf
>
> Here is output in /var/log/syslog after "service ipsec restart":
>
> Feb 23 16:15:08 deb-suri charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-0.bpo.4-amd64, x86_64)
> Feb 23 16:15:09 deb-suri charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Feb 23 16:15:09 deb-suri charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Feb 23 16:15:09 deb-suri charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Feb 23 16:15:09 deb-suri charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Feb 23 16:15:09 deb-suri charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Feb 23 16:15:09 deb-suri charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Feb 23 16:15:09 deb-suri charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
> Feb 23 16:15:09 deb-suri charon: 00[CFG]   loaded IKE secret for 10.1.64.87 10.1.64.21
> Feb 23 16:15:09 deb-suri charon: 00[CFG]   loaded IKE secret for 10.1.64.53 10.1.234.100
> Feb 23 16:15:09 deb-suri charon: 00[CFG]   loaded IKE secret for 172.16.28.1 10.1.234.100
> Feb 23 16:15:09 deb-suri charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke updown
> Feb 23 16:15:09 deb-suri charon: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
> Feb 23 16:15:09 deb-suri charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Feb 23 16:15:09 deb-suri charon: 00[JOB] spawning 16 worker threads
> Feb 23 16:15:09 deb-suri charon: 06[CFG] received stroke: add connection 'TESTCISCO'
>
> Followed by tunnel initiations.
>
> Can anyone point out what's wrong in my setup? I can see "unable to load 3 plugin features", however how can I derive which plugins those are (so whether HA is one of them) and which dependencies are unmet?
>
> Thanks in advance.

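The three checks suggested in the reply above (is libstrongswan-ha.so in the plugin directory, is the plugin switched off with "load = no" under /etc/strongswan.d/, and does charon actually list "ha" among its loaded plugins) as a small diagnostic script. This is an added example, not part of the original thread and not strongSwan's own tooling: the plugin directory, the config directory and the status text are passed as parameters so the script can be run offline against constructed sample data; on a real node you would pass /usr/lib/ipsec/plugins, /etc/strongswan.d and the output of "ipsec statusall".

```shell
#!/bin/sh
# Added example (not from the thread): diagnose why the strongSwan HA plugin
# is not loaded, following the checks suggested in the reply.

# Check 1: is the HA plugin binary present in the plugin directory?
ha_so_present() {
    [ -f "$1/libstrongswan-ha.so" ]
}

# Check 2: does any *.conf under the config directory (or its charon/
# subdirectory) contain an "ha { ... load = no ... }" section? On a modular
# install that is how a plugin gets disabled. Nesting is tracked only one
# level deep, which matches the layout of strongswan.d/charon/ha.conf.
ha_disabled_in_conf() {
    dir=$1
    for f in "$dir"/*.conf "$dir"/charon/*.conf; do
        [ -f "$f" ] || continue
        if awk '
            /^[ \t]*ha[ \t]*\{/                          { in_ha = 1; next }
            in_ha && /^[ \t]*\}/                         { in_ha = 0 }
            in_ha && /^[ \t]*load[ \t]*=[ \t]*no([ \t]|$)/ { found = 1 }
            END { exit found ? 0 : 1 }
        ' "$f"; then
            return 0
        fi
    done
    return 1
}

# Check 3: does the "loaded plugins:" line of the supplied text (either the
# "ipsec statusall" output or the syslog line) list "ha" as a whole word?
# Whole-word matching matters: a substring match would also hit "hmac".
ha_in_loaded_plugins() {
    printf '%s\n' "$1" \
        | grep 'loaded plugins:' \
        | tr ' ' '\n' \
        | grep -qx 'ha'
}

# Print one line per check; return 0 only when all three look right.
ha_report() {
    plugin_dir=$1; conf_dir=$2; status=$3; rc=0
    if ha_so_present "$plugin_dir"; then
        echo "ok:   $plugin_dir/libstrongswan-ha.so found"
    else
        echo "FAIL: libstrongswan-ha.so missing from $plugin_dir (built without HA support?)"; rc=1
    fi
    if ha_disabled_in_conf "$conf_dir"; then
        echo "FAIL: ha plugin has 'load = no' under $conf_dir"; rc=1
    else
        echo "ok:   ha plugin is not disabled under $conf_dir"
    fi
    if ha_in_loaded_plugins "$status"; then
        echo "ok:   charon lists ha among its loaded plugins"
    else
        echo "FAIL: 'ha' is not in the loaded plugins line"; rc=1
    fi
    return $rc
}

# --- constructed sample data for an offline run ---------------------------
# A node that has the binary, but has it disabled in ha.conf; the status line
# is the one posted in the thread (no "ha" in it).
demo=$(mktemp -d)
mkdir -p "$demo/plugins" "$demo/strongswan.d/charon"
: > "$demo/plugins/libstrongswan-ha.so"
printf 'ha {\n    load = no\n}\n' > "$demo/strongswan.d/charon/ha.conf"
STATUS_FROM_THREAD='  loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke updown'

ha_report "$demo/plugins" "$demo/strongswan.d" "$STATUS_FROM_THREAD" || true
rm -rf "$demo"
```

The sample run reports the binary as present but flags both the "load = no" and the missing "ha" in the plugin list; on a box like the one in the thread, the first check is the one that tells you whether the distribution package was built with HA support at all.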
