[strongSwan] DNS LoadBalancing and Failover

Michael Schwartzkopff ms at sys4.de
Sun Sep 16 14:52:49 CEST 2018


Am 16.09.2018 um 13:23 schrieb Markus P. Beckhaus:
> Hi Michael,
>
> thanks for your fast reply. The background of my question is to implement failover with strongswan standard mechanisms wherever possible.
>
> In fact I do have *swan implementations in the field with wrappers for load distribution and failover, but I'd rather get rid of as much individual code as I can.
>
> Best Regards
>
> Markus 
>
>
>
> Am 16.09.18, 10:42 schrieb "Users im Auftrag von Michael Schwartzkopff" <users-bounces at lists.strongswan.org im Auftrag von ms at sys4.de>:
>
>     _____________________________________________________________________
>     
>     Sicherheitsprüfung  /  2018-09-16  10:42:21
>     Nachricht: nicht verschlüsselt 
>     Signatur: Nicht überprüfbar (Unterzeichner unbekannt)
>     _____________________________________________________________________
>     
>     Am 16.09.2018 um 09:34 schrieb Markus P. Beckhaus:
>     > Dear all,
>     >
>     > we are thinking about using a DNS Load-Balancer to distribute a huge count of strongswan clients to multiple VPN gatweways. Also, the DNS Load-Balancer should detect the failure of VPN gateways and remove them from the DNS responses, thus poviding a kind of availability and failover.
>     >
>     > Here is the challenge:
>     > If the strongswan clients detects the failure of a connection (e.g. DPD), it must send a new DNS request to retrieve a list of still available gateways and reconnect to one of them.
>     >
>     > From what I have read, I believe strongswan only does the DNS resolution of the peer only once, when it reads the connection configuration.
>     >
>     > Does anyone have an idea, how solve the described requirement. Naturally, any alternative proposals to address this load distribution and failover requirements are welcome.
>     >
>     > Best Regards
>     > --
>     > Markus
>     >
>     
>     hi,
>     
>     
>     we implemented a kind of such solution.
>     
>     
>     We had all VPN server in one or two datacenters that were close to each
>     other. So need for a geographic distribution of the clients.
>     
>     DNS also was our first idea, but for some reasons we finally chose a
>     wrapper solution fot the client config.
>     
>     
>     DNS also should be possible and finally be superior solution. But you
>     really want to implement DNSsec. You also could distribute keys or
>     certificates of the servers in DNS. Thus the need to install (and
>     update) the server authority on the clients is solved.
>     
>     
>     After all, this should work quite well.
>     
>     
>     Mit freundlichen Grüßen,
>     
>     -- 
>     
>     [*] sys4 AG
>      
>     https://sys4.de, +49 (89) 30 90 46 64
>     Schleißheimer Straße 26/MG,80333 München
>      
>     Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
>     Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>     Aufsichtsratsvorsitzender: Florian Kirstein
>     
>     
>     
>

Hi,


answering to the list, since it might be of general interest.


first of all, in my opinion you want to have a local loadbalancer in a
datacenter. It distrobutes the clients to the several servers in the
datacenter. Especially if you have some 100k clients, you need multiple
servers in each datacenter.

loadbalancers detect outages of servers and redirect the client to the
next available server.


DNS RR distribution: The problems as far as I see, is that the ipsec
client cannot detect the availability of a VPN server and automaticaly
failover to the next available server. When the clients starts and the
fqdn of the server is configued, it looks up the A (or AAAA) RR in DNS.
It tries to connect to that IP address even, if it not available any more.

A wrapper does nothing else to check the availability of the VPN server
in use and reconfigres the connection to the next best available server
if the server got down. The wrapper also can measure the answering time
to choose the next best available.


The wrapper is completely separate from the VPN client (ipsec) software
that established the connection. The wrapper uses the swnctl interface
to re-configure the vpn client in case.


DNS with DNSsec is cool since you can use it to do the authentication of
the VPN server completely in DNS. No thirds party CAs any more that you
have to distribute to your clients.


Greetings,


Mit freundlichen Grüßen,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180916/5b4914f7/attachment.sig>


More information about the Users mailing list