[strongSwan] ipsec failover systemd service
Noel Kuntze
noel.kuntze at thermi.consulting
Thu Jun 30 20:54:40 CEST 2022
Hi Luke,
You can add a command in charon.start-actions to start the tunnel (didn't check if there's a race condition or so) or upgrade and use the new start_action that routes and starts the tunnel.
Kind regards
Noel
Am 30.06.22 um 19:29 schrieb Luke Davis:
>
> On 30/06/2022 17:56, Michael Schwartzkopff wrote:
>> On 30.06.22 18:00, Luke Davis wrote:
>>> Hi,
>>>
>>> I've got two firewalls in failover but whenever the strongswan service moves between firewalls it doesn't automatically startup the tunnels.
>>>
>>
>> Dead peer detection (DPD) on client side.
>>
>>
>>> Is there a recommended way to do this/how have others implemented failover? either by custom script detecting a failure for auto recovery or some config option I've missed in strongswan or the systemd service.
>>
>>
>> Most simple solution: VRRP with keepalive.
>>
>>
>>>
>>> For failover, I'm using corosync and pacemaker.
>>
>>
>> That is also possible. Just add the strongswan resource to pacemaker and create a group over all services.
>
>
> This is the route I've gone down, I've got the strongswan setup as a resource but if it gets restarted/moved to the -b side it won't bring the tunnel up.
>
> primitive IpSec systemd:strongswan \
> op monitor interval=30s timeout=40s \
> meta target-role=Started
>
>
>
>>
>> Mit freundlichen Grüßen,
>>
>
More information about the Users
mailing list