[strongSwan] Issues with HA configuration
Whisker, Peter
peter.whisker at cgi.com
Mon Sep 28 09:42:44 CEST 2015
Noel,
The wiki page https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability states:
"ClusterIP requires the local-node option to be present. While the HA plugin reassigns segment responsibility during daemon startup, it is recommended to use zero, so a node booting up does not process any packets until the HA plugin tells it to do so."
Is there a benefit from not using zero in this case? Does strongSwan manage the ClusterIP rules for both outer and inner interfaces? Or just for the outer (IPsec) interface?
I have this working on Debian but CentOS is still proving problematic.
Thanks
Peter
-----Original Message-----
From: Noel Kuntze [mailto:noel at familie-kuntze.de]
Sent: 26 September 2015 13:27
To: Whisker, Peter <peter.whisker at cgi.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] Issues with HA configuration
On 25.09.2015 at 16:22, Whisker, Peter wrote:
> /usr/sbin/iptables -A INPUT -i ens224 -d 10.0.0.2 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:64:20 --total-nodes 2 --local-node 0
You need to use different --local-node settings on each node.
Also, use iptables-save instead of iptables -L.
--
Kind regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
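
The check suggested in the reply above (compare the CLUSTERIP rule in the `iptables-save` output of both nodes), written out as an added example that is not part of the original thread. The two dumps and the function names are constructed for illustration; a setup that follows the wiki's suggestion of `--local-node 0` on every node is reported as SAME.

```shell
#!/bin/sh
# Constructed sample dumps in iptables-save format (not taken from the thread).
NODE1_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -d 10.0.0.2/32 -i ens224 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:64:20 --total-nodes 2 --local-node 1 --hash-init 0
COMMIT'
NODE2_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -d 10.0.0.2/32 -i ens224 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:64:20 --total-nodes 2 --local-node 2 --hash-init 0
COMMIT'

# Print "clustermac total-nodes hashmode local-node" for every CLUSTERIP rule on stdin.
clusterip_params() {
    awk '/-j CLUSTERIP/ {
        mac = tot = mode = node = "?"
        for (i = 1; i < NF; i++) {
            if ($i == "--clustermac") mac = toupper($(i + 1))
            if ($i == "--total-nodes") tot = $(i + 1)
            if ($i == "--hashmode") mode = $(i + 1)
            if ($i == "--local-node") node = $(i + 1)
        }
        print mac, tot, mode, node
    }'
}

# Compare the first CLUSTERIP rule of two dumps passed as strings.
# Shared parameters must match; --local-node is expected to differ (per the reply).
compare_nodes() {
    a=$(printf '%s\n' "$1" | clusterip_params | head -n 1)
    b=$(printf '%s\n' "$2" | clusterip_params | head -n 1)
    [ -n "$a" ] && [ -n "$b" ] || { echo "MISSING: no CLUSTERIP rule in one dump"; return 2; }
    shared_a=${a% *}; node_a=${a##* }   # last field is --local-node
    shared_b=${b% *}; node_b=${b##* }
    if [ "$shared_a" != "$shared_b" ]; then
        echo "MISMATCH: shared parameters differ ($shared_a vs $shared_b)"; return 1
    fi
    if [ "$node_a" = "$node_b" ]; then
        echo "SAME: both nodes use --local-node $node_a"; return 1
    fi
    echo "OK: --local-node $node_a and $node_b"
}

compare_nodes "$NODE1_DUMP" "$NODE2_DUMP"
```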