[strongSwan] ipsec failover systemd service

Noel Kuntze noel.kuntze at thermi.consulting
Thu Jun 30 20:54:40 CEST 2022


Hi Luke,

You can add a command in charon.start-actions to start the tunnel (didn't check if there's a race condition or so) or upgrade and use the new start_action that routes and starts the tunnel.

Kind regards
Noel

On 30.06.22 at 19:29, Luke Davis wrote:
> 
> On 30/06/2022 17:56, Michael Schwartzkopff wrote:
>> On 30.06.22 18:00, Luke Davis wrote:
>>> Hi,
>>>
>>> I've got two firewalls in failover, but whenever the strongswan service moves between firewalls it doesn't automatically start up the tunnels.
>>>
>>
>> Dead peer detection (DPD) on client side.
>>
>>
>>> Is there a recommended way to do this/how have others implemented failover? Either by a custom script detecting a failure for auto recovery, or some config option I've missed in strongswan or the systemd service.
>>
>>
>> Most simple solution: VRRP with keepalive.
>>
>>
>>>
>>> For failover, I'm using corosync and pacemaker.
>>
>>
>> That is also possible. Just add the strongswan resource to pacemaker and create a group over all services.
> 
> 
> This is the route I've gone down; I've got strongswan set up as a resource, but if it gets restarted/moved to the -b side it won't bring the tunnel up.
> 
> primitive IpSec systemd:strongswan \
>          op monitor interval=30s timeout=40s \
>          meta target-role=Started
> 
> 
> 
>>
>> Kind regards,
>>
> 


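One concrete shape for Noel's suggestion, added here as an example rather than taken from this thread or from strongSwan's documentation: a swanctl.conf child with start_action = start, so that charon initiates the tunnel itself whenever the strongswan.service unit starts (that unit runs swanctl --load-all after the daemon is up), and the pacemaker resources grouped so the shared VIP is assigned before strongswan starts on the node that took over. Addresses, identities, the secret and the resource names are placeholders; dpd_action = restart is included for the DPD point Michael raised.

```text
# /etc/swanctl/conf.d/site-b.conf  (swanctl.conf syntax, placeholder values)
connections {
    site-b {
        # bind to the shared VIP, not to either node's own address,
        # so the peer sees the same endpoint after a failover
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.1
        local {
            auth = psk
            id   = fw.example.org
        }
        remote {
            auth = psk
            id   = peer.example.org
        }
        children {
            lan {
                local_ts  = 10.0.0.0/24
                remote_ts = 10.1.0.0/24
                # 'start' initiates the CHILD_SA as soon as the config is loaded,
                # so a freshly started charon on the standby node brings the
                # tunnel up without anyone running 'swanctl --initiate'
                start_action = start
                # if the peer stops answering DPD, re-initiate instead of
                # silently dropping the SA
                dpd_action = restart
            }
        }
        dpd_delay = 30s
    }
}
secrets {
    ike-site-b {
        id     = peer.example.org
        secret = "PLACEHOLDER-change-me"
    }
}

# crm configure (pacemaker): a group starts its members in order and stops
# them in reverse, so the VIP is up before strongswan starts and is removed
# only after strongswan has stopped on the node giving up the role
primitive vip ocf:heartbeat:IPaddr2 \
    params ip=203.0.113.10 cidr_netmask=24 \
    op monitor interval=10s
primitive IpSec systemd:strongswan \
    op monitor interval=30s timeout=40s
group vpn vip IpSec
```

Check after a forced move (e.g. crm resource move vpn) that swanctl --list-sas on the new active node shows the CHILD_SA without manual intervention; if it only shows the connection as loaded, the VIP was not yet present when charon initiated and the ordering needs attention.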