[strongSwan] Problem with active-active cluster and traffic handling
Jean-Daniel Dupas
jddupas at xooloo.com
Thu Jul 12 16:36:21 CEST 2018
> Le 12 juil. 2018 à 15:43, Jean-Daniel Dupas <jddupas at xooloo.com> a écrit :
>
> Hello,
>
> I'm trying to setup an active-active HA cluster. Actually, I'm close to have a full working setup, but I have a blocking issue.
>
> I have installed a custom kernel (4.15.x family), and setup the CLUSTERIP as described in the HA guide ( https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability )
>
> Both my nodes receive the traffic, and they properly managed the cluster IP to handle only half of the packets.
> When I'm establishing a session, only one node handle it (as expected), and the other one setup a passive IKE_SA.
>
> My problem is that once the session is up, sometimes, this is the passive node (for that session) that takes over the IPSec traffic and the active node completely ignore it.
> If I sniff the incoming traffic (tcpdump), the decrypted traffic is only detected on the node that setup a passive IKE_SA, and not on the node with the active IKE_SA.
>
> To make it clear, telling I have 2 servers: Alice and Moon. The IKE session is established on moon, and a passive session is created on Alice, but then the decrypted traffic only show up on Alice.
> As Alice is a passive node and don't have iptables entry and routes created to handle that traffic, it rejects it (as expected).
>
> Does anyone know what can cause that inconsistency ?
>
> My iptable rules look like this:
>
> -A INPUT -i enp1s1 -d 1.2.3.4 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 0
>
> I don't think this is relevant, but I'm using strongswan systemd 5.6.2 (swanctl) on Ubuntu 18.04.
>
> Thanks
I found an hint in the swanctl logs:
07[CFG] installed HA CHILD_SA net{3} 0.0.0.0/0 ::/0 === 10.192.3.3/32 (segment in: 2*, out: 1)
strongswan explicitly choose different segments for input and output. The segment where the connection was established here is the segment 1.
As it defines segment 2 for input traffic, it obviously does not works. Is there some settings to force strongswan to always use the segment who own the connection for input and output traffic ?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180712/4b8f7fba/attachment.html>
More information about the Users
mailing list