[strongSwan] ipsec failover systemd service
Luke Davis
luked at positive-internet.com
Thu Jun 30 19:29:46 CEST 2022
On 30/06/2022 17:56, Michael Schwartzkopff wrote:
> On 30.06.22 18:00, Luke Davis wrote:
>> Hi,
>>
>> I've got two firewalls in failover but whenever the strongswan service
>> moves between firewalls it doesn't automatically startup the tunnels.
>>
>
> Dead peer detection (DPD) on client side.
>
>
>> Is there a recommended way to do this/how have others implemented
>> failover? either by custom script detecting a failure for auto
>> recovery or some config option I've missed in strongswan or the
>> systemd service.
>
>
> Most simple solution: VRRP with keepalive.
>
>
>>
>> For failover, I'm using corosync and pacemaker.
>
>
> That is also possible. Just add the strongswan resource to pacemaker and
> create a group over all services.
This is the route I've gone down: I've got strongSwan set up as a
resource, but if it gets restarted/moved to the -b side it won't bring
the tunnel up.
primitive IpSec systemd:strongswan \
op monitor interval=30s timeout=40s \
meta target-role=Started
>
> Kind regards,
>
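The thread above points at the two pieces that are usually missing when a pacemaker-managed strongSwan moves between nodes: the connection has to be initiated when the service starts (the ipsec.conf default `auto=add` only loads it, so nothing brings it up after a failover), and both ends need dead peer detection so the SA left behind on the dead node is torn down and rebuilt against the survivor. Below is an added example, not from the original thread and not from the strongSwan project, showing an ipsec.conf for the firewall pair and the matching peer config. The connection names, the VIP 192.0.2.10, the peer address 198.51.100.20, the subnets and the identities are placeholders. It assumes `systemd:strongswan` is the legacy starter unit that reads ipsec.conf; on distributions where that name is the swanctl-based unit, the equivalents in swanctl.conf are `start_action = start`, `dpd_delay` on the connection and `dpd_action = restart` on the child. On the pacemaker side the VIP must be up before charon starts and removed after it stops, which a group gives you for free (resources in a group start in order and stop in reverse), e.g. `primitive vip ocf:heartbeat:IPaddr2 params ip=192.0.2.10 cidr_netmask=24` followed by `group fw-stack vip IpSec`.

```conf
# /etc/ipsec.conf on BOTH firewall nodes (identical; whichever node owns the VIP runs charon).
# Added example, not from the original thread. All addresses, names and subnets are placeholders.

conn fw-to-branch
    left=192.0.2.10            # pacemaker VIP (ocf:heartbeat:IPaddr2); must be started before strongswan
    leftid=@fw.example.net
    leftsubnet=10.0.0.0/16
    right=198.51.100.20
    rightid=@branch.example.net
    rightsubnet=10.1.0.0/16
    keyexchange=ikev2
    authby=pubkey              # certificate and private key must be present on both nodes
    # The default, auto=add, only loads the connection: after a failover nothing would
    # initiate it. auto=start initiates as soon as the service (and therefore the VIP) is up.
    auto=start
    # Dead peer detection: if the remote stops answering, drop the SA and re-initiate.
    dpddelay=30s
    dpdaction=restart
    closeaction=restart        # also re-initiate if the peer closes the SA
    keyingtries=%forever       # keep retrying while the other side is mid-failover

# /etc/ipsec.conf on the branch peer. This is the "DPD on client side" from the reply:
# when the old firewall node disappears, dpdaction=restart re-initiates toward the VIP,
# which now answers from the surviving node.

conn branch-to-fw
    left=198.51.100.20
    leftid=@branch.example.net
    leftsubnet=10.1.0.0/16
    right=192.0.2.10
    rightid=@fw.example.net
    rightsubnet=10.0.0.0/16
    keyexchange=ikev2
    authby=pubkey
    auto=start
    dpddelay=30s
    dpdaction=restart
    closeaction=restart
    keyingtries=%forever
```

Two caveats worth checking on a real deployment: nothing here copies IKE or CHILD SA state between the two firewalls, so every failover produces a fresh IKE exchange and a traffic gap of roughly the DPD interval plus the handshake, and `left=192.0.2.10` will make the connection fail to initiate if charon is ever started on a node that does not currently hold the VIP, which is exactly why the group ordering (VIP first, strongSwan second) matters rather than two independent resources.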