[strongSwan] DNS LoadBalancing and Failover

Markus P. Beckhaus markus at beckhaus.com
Sun Sep 16 13:23:10 CEST 2018


Hi Michael,

thanks for your fast reply. The background of my question is to implement failover with strongswan standard mechanisms wherever possible.

In fact I do have *swan implementations in the field with wrappers for load distribution and failover, but I'd rather get rid of as much individual code as I can.

Best Regards

Markus 



Am 16.09.18, 10:42 schrieb "Users im Auftrag von Michael Schwartzkopff" <users-bounces at lists.strongswan.org im Auftrag von ms at sys4.de>:

    _____________________________________________________________________
    
    Sicherheitsprüfung  /  2018-09-16  10:42:21
    Nachricht: nicht verschlüsselt 
    Signatur: Nicht überprüfbar (Unterzeichner unbekannt)
    _____________________________________________________________________
    
    Am 16.09.2018 um 09:34 schrieb Markus P. Beckhaus:
    > Dear all,
    >
    > we are thinking about using a DNS Load-Balancer to distribute a huge count of strongswan clients to multiple VPN gatweways. Also, the DNS Load-Balancer should detect the failure of VPN gateways and remove them from the DNS responses, thus poviding a kind of availability and failover.
    >
    > Here is the challenge:
    > If the strongswan clients detects the failure of a connection (e.g. DPD), it must send a new DNS request to retrieve a list of still available gateways and reconnect to one of them.
    >
    > From what I have read, I believe strongswan only does the DNS resolution of the peer only once, when it reads the connection configuration.
    >
    > Does anyone have an idea, how solve the described requirement. Naturally, any alternative proposals to address this load distribution and failover requirements are welcome.
    >
    > Best Regards
    > --
    > Markus
    >
    
    hi,
    
    
    we implemented a kind of such solution.
    
    
    We had all VPN server in one or two datacenters that were close to each
    other. So need for a geographic distribution of the clients.
    
    DNS also was our first idea, but for some reasons we finally chose a
    wrapper solution fot the client config.
    
    
    DNS also should be possible and finally be superior solution. But you
    really want to implement DNSsec. You also could distribute keys or
    certificates of the servers in DNS. Thus the need to install (and
    update) the server authority on the clients is solved.
    
    
    After all, this should work quite well.
    
    
    Mit freundlichen Grüßen,
    
    -- 
    
    [*] sys4 AG
     
    https://sys4.de, +49 (89) 30 90 46 64
    Schleißheimer Straße 26/MG,80333 München
     
    Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
    Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
    Aufsichtsratsvorsitzender: Florian Kirstein
    
    
    

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2006 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180916/d762cb40/attachment.bin>


More information about the Users mailing list