[strongSwan] High availability failover problem

unite unite at openmailbox.org
Mon Mar 9 14:27:28 CET 2015 

Hi guys!

I'm trying to make HA setup work but face some problems during testing 
(both HA nodes - I'll call them local side - run strongswan 5.2.1 
install from wheezy-backports on debian 7.8). I'm using HA in 
active/standby mode. IPs from which the tunnel is initiated are bound to 
virtual VLAN interfaces on both HA nodes. IP which is used by remote 
side to reach the virtual IP on vlan is handled by VRRP and is only on 
the active node. So, the tunnel initiates OK, traffic flows, ipsec 
statusall on standby node shows tunnel state as PASSIVE. However, when I 
test failover (I shut down the VRRP service, which shuts down strongswan 
on formerly active node), traffic won't flow through standby node until 
rekey on child SA is done, either by waiting for it to rekey itself, 
force rekey by issuing echo "*1" > /var/run/charon.ha, echo "*2" > 
/var/run/charon.ha or bringing back up the ipsec service on the primary 
node (which also causes rekey on child sa). After the rekey traffic 
flows OK.

Before the failover, I launch ping from the remote side (which is also 
represented by debian machine with strongswan 5.2.1, IKEv2 is used for 
key exchange) from IP of the leftsubnet to IP of the right subnet, so 
the traffic flow inside the tunnel. Ping flows OK and then stops when I 
intitate failover. However, after failover, I can see packets hitting 
outbound child sa on the remote node, however no packets hit the inbound 
one. Both IKE and child SAs numbers match on the remote and local 
(standby node). On the local standby node I can see that the traffic 
does flow - both inbound and outbound child SAs are hit, and packet 
counters increment simultaneously on remote node outbound child sa and 
local node inbound and outbound SA - so the icmp request is forwarded 
through the tunnel from the remote node, processed by the local one and 
icmp reply is sent back - however, for some reason it does not hit the 
inbound child sa on the remote side.

Could anyone point what's going wrong?

Thanks in advance.

-- 
With kind regards,
Aleksey

More information about the Users mailing list