[strongSwan] Strongswan HA behavior

Nathan Hüsken nathan at wintercloud.de
Fri Aug 3 16:55:27 CEST 2018 

Hi,

I am currently trying around with getting strongswan HA to work on exoscale. Exoscale has no ClusterIP, but a so called "elastic ip" which I can move freely among my instances. I came up with a "proof of concept" on how this could work.
But I am unsure if my assumption about how strongswan HA really works are correct, so it would be very nicht of someone could enlighten or confirm me.

I have 2 strongswan instances (vpn1 & vpn2) in ha

* righsourceip is set to a common ha address pool
* I configured them to have 1 segment

I wrote a script that watches the output of "journactrl -u strongswan -f" for certain messages and manages the elastic ip.
The Idea is, that the ip is always assigned to the strongswan instance holding the segment.

The script notice that  vpn1 takes all segments. So it sets the elastic ip to vpn1.

I establish the connection from my local computer and ping a machine in the private network of  the vpn, it works.
On the instances vpn1 & vpn2 I can see the connection with "strongswan statusall"
* vpn1: ESTALISHED
* vpn2: PASSIVE

Now I test the failover:
1. I down all network interfaces of of vpn1
2. I shutdown vpn1
3. The script notices it and switches the elastic ip over to vpn2

Looking at "strongswan statusall" I see that the connection switches to "ESTABLISHED" on vpn2 immediately.
It takes about 60 seconds, than the ping starts to work again.

* Is this in principal the correct idea? Should strongswan work with this or am I doing something that will fail? Is it ok, that vpn2 does not get any traffic (as long as vpn1 is alive)?
* Is it normal, that it takes 60 seconds for the connection to resume, or should this be faster?
* Is there some better way I could watch which strongswan instance is holding the segment?
* Is there anyway I could dictate strongswan on which instance to hold the segment?

Thank you very much!
Nathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180803/77cee110/attachment.html>

More information about the Users mailing list