[strongSwan] Issues with HA configuration

Whisker, Peter peter.whisker at cgi.com
Mon Sep 28 09:42:44 CEST 2015


Noel,

The wiki page https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability states:

"ClusterIP requires the local-node option to be present. While the HA plugin reassigns segment responsibility during daemon startup, it is recommended to use zero, so a node booting up does not process any packets until the HA plugin tells it to do so."

Is there a benefit from not using zero in this case? Does StrongSwan manage the ClusterIP rules for both outer and inner interfaces? Or just for the outer (IPSec) interface?

I have this working on Debian but Centos is still proving problematic.

Thanks
Peter

-----Original Message-----
From: Noel Kuntze [mailto:noel at familie-kuntze.de] 
Sent: 26 September 2015 13:27
To: Whisker, Peter <peter.whisker at cgi.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] Issues with HA configuration


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Am 25.09.2015 um 16:22 schrieb Whisker, Peter:
> /usr/sbin/iptables -A INPUT -i ens224 -d 10.0.0.2 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:64:20    --total-nodes 2 --local-node 0
You need to use different --local-node settings on each node.

Also, use iptables-save instead of iptables -L.

- -- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWBo8qAAoJEDg5KY9j7GZYWqoP/0MyAfcfNoc/N0ia1sz7a1TH
bUnlBwdBUFqtf0eKQJjkSNjQAUI7eVzwSBN+6w0FXH8ASWGWxaR6wsVRijwv5Yr3
YX2qCuyT9fkEFQqW9SnS15YBc7XETWfd5cJKOKTFSfaafzEOmAcYaoFJ8bQCrrQ5
0Oit7b0jR2umzWbRb6zRUXA72PDcc9OLFnoti3aRRq6yccDFBR522NNprtsEAnD1
IKHkIROT+Hxlhg17noUHkzF1+TjeE4UgJ71miqf47bwlyKy8/keqoTdVgfG5ci8u
52LOZoakaW6fcFha8sgIfQDX4KX2gulQEDnbXTD8VyMmlTKv3Zxclf3oPm9N99pH
TyT1WgdovPO2V3X7D5UpEid72Har/59Ek6yJM04kJqwTYwmf4APpPbJS+TyFzBSd
kafsfbSe1iRi6AiK4j9ovg4ka1A8qmphKQNUFcCqFQprnQvl+ei2uFcKvc92/WuX
alU1LvP3OXJaorrYYMY+VNxlp3v48GsGJTdqQorqa4vbD1JlL483KB8KdDIck6+C
YGcVFiwO6xhRrnoVZYxo0ELTbNrEwFi2g2dZLvG90ko1MxG4504tjaugXQlkdy8+
5kdhJrPNq3MLQit5mCQT6Of1oDl/AyRdDtXybhjplULppsOpgCfKmAUNgQF2zNdP
0FrM0tVIS9HL2wvLkrrn
=XyRb
-----END PGP SIGNATURE-----



More information about the Users mailing list