[strongSwan] Problem with active-active cluster and traffic handling
Tobias Brunner
tobias at strongswan.org
Fri Jul 20 10:30:47 CEST 2018
Hi Jean-Daniel,

> I found a hint in the swanctl logs:
>
> 07[CFG] installed HA CHILD_SA net{3} 0.0.0.0/0 ::/0 === 10.192.3.3/32
> (segment in: 2*, out: 1)
>
> strongSwan explicitly chooses different segments for input and output.
> The segment where the connection was established here is the segment 1.
>
> As it defines segment 2 for input traffic, it obviously does not work.

Why shouldn't that work? The same thing happened in our regression
testing framework [1]. Since the hashes for ESP traffic include the
SA's SPI and destination address, the SAs might be handled by different
nodes in the active-active scenario (for IKE traffic only the client's
IP is hashed), refer to [2] for some background.

Regards,
Tobias

[1] https://www.strongswan.org/testing/testresults/ha/both-active/moon.daemon.log
[2] https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
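
The segment selection described in the reply above, as an added sketch that is not part of the original message and is not strongSwan's code. Assumptions: SHA-256 stands in for the HA plugin's real hash, the cluster has two segments, and the addresses, SPIs and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

SEGMENT_COUNT = 2  # assumption: two-node active-active cluster


def _segment(data: bytes, count: int = SEGMENT_COUNT) -> int:
    """Map bytes to a segment 1..count (stand-in hash, not strongSwan's)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:4], "big") % count + 1


def ike_segment(client_ip: str) -> int:
    """IKE traffic: only the client's IP is hashed."""
    return _segment(ipaddress.ip_address(client_ip).packed)


def esp_segment(spi: int, dst_ip: str) -> int:
    """ESP traffic: the SA's SPI and destination address are hashed."""
    return _segment(struct.pack("!I", spi) + ipaddress.ip_address(dst_ip).packed)


def child_sa_segments(spi_in: int, spi_out: int, gateway_ip: str, client_ip: str) -> dict:
    """Inbound SA terminates at the gateway, outbound SA at the client,
    so the two directions are hashed over different inputs."""
    return {
        "ike": ike_segment(client_ip),
        "in": esp_segment(spi_in, gateway_ip),
        "out": esp_segment(spi_out, client_ip),
    }


def split_fraction(n: int, gateway_ip: str, client_ip: str) -> float:
    """Fraction of n constructed CHILD_SAs whose in/out segments differ."""
    split = 0
    for i in range(n):
        # Constructed SPIs; real ones are 32-bit values picked by each peer.
        s = child_sa_segments(0xC0000000 + i, 0xC8000000 + i, gateway_ip, client_ip)
        split += s["in"] != s["out"]
    return split / n


if __name__ == "__main__":
    gw, client = "192.0.2.1", "198.51.100.7"  # constructed documentation addresses
    print(child_sa_segments(0xC1234567, 0xC89ABCDE, gw, client))
    print(f"CHILD_SAs with split in/out segments: {split_fraction(10000, gw, client):.1%}")
```

With two segments and independently hashed directions, roughly half of all CHILD_SAs end up with different inbound and outbound segments, so a log line like "segment in: 2*, out: 1" is the expected case rather than an anomaly.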