[strongSwan] High availability configuration
unite
unite at openmailbox.org
Thu Feb 26 11:43:30 CET 2015
On 2015-02-23 22:37, Noel Kuntze wrote:
> Hello Aleksey,
>
> Check if you have the ha module by looking at the contents of the
> /usr/lib/ipsec/plugins/ directory.
> A file called "libstrongswan-ha.so" must be there to be able to support
> HA.
>
> It looks like your installation either does not have it, or it is
> disabled because of settings in /etc/strongswan.d/.
>
>
> The tunnel source address and the addresses on the vpn-linked subnet
> should always be on the active node.
> You need to maintain the addresses using vrrp or other mechanisms.
> I am somewhat confused by your many interfaces. Of course you can have
> the IP on any interface you want and use
> dynamic routing protocols, too. You only need to give the CLUSTERIP rule
> the IP you want to loadbalance on.
>
> You can attach an unlimited number of IPs to an interface. iproute2
> can do that. ifconfig can't, because it's
> ancient.
>
> I do not know if the clusterip rule needs an interface. It is
> plausible that it needs one, as the IP
> and the multicast mac need to be bound to an interface.
>
> I think the kernel patches are in newer default kernels, but I might
> be wrong here.
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 23.02.2015 at 15:21, unite wrote:
>> So, I still can't get the HA plugin working. It doesn't seem to appear in
>> the list of loaded plugins and it doesn't synchronize SA state between
>> the nodes. I haven't patched my kernel for clusterip as written in HA
>> configuration guide, so I'm now trying to test active/passive
>> configuration. I have also installed extra plugins but still no use.
>> The strongSwan I use is 5.2.1 from the wheezy-backports Debian repository.
>>
>> so the output of "ipsec statusall" is:
>>
>> ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.2.1, Linux
>> 3.16.0-0.bpo.4-amd64, x86_64):
>> uptime: 72 minutes, since Feb 23 15:00:24 2015
>> malloc: sbrk 675840, mmap 0, used 515280, free 160560
>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 12
>> loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2
>> md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
>> pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent
>> xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve
>> socket-default stroke updown
>>
>> /etc/strongswan.conf on Node1:
>>
>> charon {
>> load_modular = yes
>> plugins {
>> include strongswan.d/charon/*.conf
>> ha {
>> local = 10.1.64.87
>> remote = 10.1.64.21
>> segment_count = 2
>> fifo_interface = yes
>> monitor = yes
>> resync = yes
>> load = yes
>> }
>> }
>> }
>>
>> include strongswan.d/*.conf
>>
>> /etc/strongswan.conf on Node2:
>>
>> charon {
>> load_modular = yes
>> plugins {
>> include strongswan.d/charon/*.conf
>> ha {
>> local = 10.1.64.21
>> remote = 10.1.64.87
>> segment_count = 2
>> fifo_interface = yes
>> monitor = yes
>> resync = yes
>> load = yes
>> }
>>
>> }
>> }
>>
>> include strongswan.d/*.conf
>>
>> Here is output in /var/log/syslog after "service ipsec restart":
>>
>> Feb 23 16:15:08 deb-suri charon: 00[DMN] Starting IKE charon daemon
>> (strongSwan 5.2.1, Linux 3.16.0-0.bpo.4-amd64, x86_64)
>> Feb 23 16:15:09 deb-suri charon: 00[CFG] loading ca certificates from
>> '/etc/ipsec.d/cacerts'
>> Feb 23 16:15:09 deb-suri charon: 00[CFG] loading aa certificates from
>> '/etc/ipsec.d/aacerts'
>> Feb 23 16:15:09 deb-suri charon: 00[CFG] loading ocsp signer
>> certificates from '/etc/ipsec.d/ocspcerts'
>> Feb 23 16:15:09 deb-suri charon: 00[CFG] loading attribute
>> certificates from '/etc/ipsec.d/acerts'
>> Feb 23 16:15:09 deb-suri charon: 00[CFG] loading crls from
>> '/etc/ipsec.d/crls'
>> Feb 23 16:15:09 deb-suri charon: 00[CFG] loading secrets from
>> '/etc/ipsec.secrets'
>> Feb 23 16:15:09 deb-suri charon: 00[CFG] expanding file expression
>> '/var/lib/strongswan/ipsec.secrets.inc' failed
>> Feb 23 16:15:09 deb-suri charon: 00[CFG] loaded IKE secret for
>> 10.1.64.87 10.1.64.21
>> Feb 23 16:15:09 deb-suri charon: 00[CFG] loaded IKE secret for
>> 10.1.64.53 10.1.234.100
>> Feb 23 16:15:09 deb-suri charon: 00[CFG] loaded IKE secret for
>> 172.16.28.1 10.1.234.100
>> Feb 23 16:15:09 deb-suri charon: 00[LIB] loaded plugins: charon
>> test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
>> sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr
>> ccm gcm curl attr kernel-netlink resolve socket-default stroke updown
>> Feb 23 16:15:09 deb-suri charon: 00[LIB] unable to load 3 plugin
>> features (3 due to unmet dependencies)
>> Feb 23 16:15:09 deb-suri charon: 00[LIB] dropped capabilities, running
>> as uid 0, gid 0
>> Feb 23 16:15:09 deb-suri charon: 00[JOB] spawning 16 worker threads
>> Feb 23 16:15:09 deb-suri charon: 06[CFG] received stroke: add
>> connection 'TESTCISCO'
>>
>> Followed by tunnel initiations.
>>
>> Can anyone point out what's wrong in my setup? I can see "unable to
>> load 3 plugin features"; however, how can I derive which are those
>> plugins (so if HA is one of them) and which dependencies are unmet?
>>
>> Thanks in advance.
>
Hi Noel!
I've found out how to start the HA plugin - I also needed to install the
libcharon-extra-plugins package. I've got it running and it seems to
work fine in Active/Passive mode except for the fact that I couldn't
test failover correctly - I'm using an ancient Cisco 2600 in my lab (don't
have anything else at the moment - will try to find another Debian
machine to test using strongSwan) which supports only IKEv1 and probably
has some other drawbacks - so, when failover occurs, strongSwan
correctly changes SA state on the backup node from PASSIVE to
ESTABLISHED - still traffic won't flow through the tunnel. At that
moment I can see 3 IKE SAs on the Cisco, so I guess when failover occurs
something goes wrong inside it. When I do "clear crypto isakmp sa" on
this Cisco, traffic instantly begins to flow through the tunnel. I'll
check the behaviour with another Debian machine using IKEv1 and IKEv2
and let you know.
I've made a picture regarding my interfaces. I've attached it to my mail
and also uploaded it to fileshare:
https://www.dropbox.com/s/00of6fd48fu3n6l/strongswan_dia.png?dl=0
Probably it would be more clear on it. So the tunnel is built between
172.16.123.0 and 10.10.10.0, using the source IP 1.1.1.50 and
destination of 3.3.3.3. Practically, in this configuration no one will
ask for ARP of 1.1.1.50 (except for those residing in vlan50 - but we
don't care about them) - ISP1 and ISP2 routers, trying to reach any
address in the 1.1.1.0/24 subnet, will forward packets to 192.168.0.2 and
192.168.1.2 respectively, using their multicast MAC addresses. So the
original question was - do I need to configure clusterip on
1.1.1.50 anyway, even if no one will ask for its ARP and traffic destined for
it would be received on the 192.168.0.2 and 192.168.1.2 clusterips on the
external interfaces? I guess kernel patching is still needed (if the
patch is not included in newer kernels) for IPsec packets not to be
balanced by clusterip, even if they are received not on the tunnel
source interface.
Also I guess having conntrackd running is critical in such a setup,
because packets which went out, for example, through NODE1 (via clusterip
172.16.123.1) might come back through NODE2 (via clusterip 192.168.0.2),
so they might get dropped because NODE2 won't know anything about the
established session.
As for active/passive mode, if I don't use clusterip at all -
so let's assume VRRP is used on the external/internal interfaces to assign
the cluster IPs of 192.168.0.1, 192.168.1.1 and 172.16.123.1 - is it
enough just to bind the tunnel source 1.1.1.50 as an alias on the vlan50
interface on both nodes, or do I still need to configure clusterip on it?
Thanks.
--
With kind regards,
Aleksey
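As an added example (not code from the thread, from strongSwan, or from either poster), a small POSIX shell audit of the checks Noel describes: whether `ha` appears among charon's loaded plugins, what the `ha { }` block in strongswan.conf sets, and whether `libstrongswan-ha.so` exists in the plugin directory. The `ipsec statusall` and strongswan.conf excerpts are constructed samples modelled on the thread's output; the plugin directory path is the one Noel names.

```shell
# Added example (not code from the thread or from strongSwan): audit whether
# charon's HA plugin is really active, the checks Noel describes above.
# Both inputs below are constructed samples modelled on the thread's output.
# Constructed `ipsec statusall` excerpt, as on the poster's node: no "ha" listed.
SAMPLE_STATUS='Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-0.bpo.4-amd64, x86_64):
  uptime: 72 minutes, since Feb 23 15:00:24 2015
  loaded plugins: charon aes sha1 sha2 md5 random nonce x509 pubkey pem openssl gmp hmac kernel-netlink resolve socket-default stroke updown'

# Constructed strongswan.conf excerpt with the ha block from the thread.
SAMPLE_CONF='charon {
    load_modular = yes
    plugins {
        ha {
            local = 10.1.64.87
            remote = 10.1.64.21
            load = yes
        }
    }
}'

# ha_plugin_loaded STATUS_TEXT: succeeds if "ha" is a token on the "loaded plugins:" line.
ha_plugin_loaded() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*loaded plugins:[[:space:]]*//p' \
        | tr ' ' '\n' \
        | grep -qx 'ha'
}

# ha_conf_value CONF_TEXT KEY: prints KEY's value from inside the ha { } block only.
ha_conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*ha[[:space:]]*[{]/      { inblock = 1; next }
        inblock && /^[[:space:]]*[}]/         { inblock = 0 }
        inblock && $1 == key && $2 == "="     { print $3; exit }'
}

# ha_plugin_file_present PLUGIN_DIR: succeeds if the shared object exists
# (the thread names /usr/lib/ipsec/plugins as the directory to check).
ha_plugin_file_present() {
    [ -f "$1/libstrongswan-ha.so" ]
}

# Stand-alone report on the constructed samples.
if ha_plugin_loaded "$SAMPLE_STATUS"; then
    echo "ha plugin: loaded"
else
    echo "ha plugin: NOT loaded (check libstrongswan-ha.so and charon.plugins.ha.load)"
fi
echo "ha.local = $(ha_conf_value "$SAMPLE_CONF" local), ha.load = $(ha_conf_value "$SAMPLE_CONF" load)"
```

On a real node, feed `ipsec statusall` and `/etc/strongswan.conf` into the two functions and call `ha_plugin_file_present /usr/lib/ipsec/plugins`; a missing `.so` or a missing `ha` token is the first thing to resolve before looking at segment or sync settings.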