[strongSwan] ipsec failover systemd service

Michael Schwartzkopff ms at sys4.de
Thu Jun 30 21:17:44 CEST 2022


On 30.06.22 19:29, Luke Davis wrote:
>
> On 30/06/2022 17:56, Michael Schwartzkopff wrote:
>> On 30.06.22 18:00, Luke Davis wrote:
>>> Hi,
>>>
>>> I've got two firewalls in failover but whenever the strongswan 
>>> service moves between firewalls it doesn't automatically start up the 
>>> tunnels.
>>>
>>
>> Dead peer detection (DPD) on client side.
>>
>>
>>> Is there a recommended way to do this/how have others implemented 
>>> failover? Either by custom script detecting a failure for auto 
>>> recovery or some config option I've missed in strongswan or the 
>>> systemd service.
>>
>>
>> Most simple solution: VRRP with keepalive.
>>
>>
>>>
>>> For failover, I'm using corosync and pacemaker.
>>
>>
>> That is also possible. Just add the strongswan resource to pacemaker 
>> and create a group over all services.
>
>
> This is the route I've gone down, I've got the strongswan set up as a 
> resource but if it gets restarted/moved to the -b side it won't bring 
> the tunnel up.
>
> primitive IpSec systemd:strongswan \
>         op monitor interval=30s timeout=40s \
>         meta target-role=Started
>
>

That is why I wrote to put all in one group. So all resources stay on 
the same node together.

Depending on the config of strongswan, the resource starts the tunnel or 
not. That is why I wrote to use DPD to ensure the start of the tunnel.



Kind regards,

-- 

sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board of Management: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
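The two settings the reply above relies on (the strongswan resource grouped with the floating address, and DPD on the client so it re-initiates after a move) can be made concrete in swanctl.conf. The following is an added example, not configuration from anyone in this thread; it assumes the swanctl/vici configuration format of strongSwan 5.x, pre-shared-key authentication, and constructed placeholder addresses, identities and subnets (192.0.2.10 is the pacemaker VIP, 198.51.100.20 the remote peer). The firewall file is meant to be identical on both cluster nodes.

```text
# ===== Firewall side: /etc/swanctl/swanctl.conf (identical on node -a and node -b) =====
# Added example; all addresses, identities, subnets and the PSK are constructed placeholders.
connections {
    site-a {
        # Bind to the VIP that pacemaker moves together with the strongswan
        # resource, so whichever node is active presents the same IKE endpoint.
        local_addrs  = 192.0.2.10
        remote_addrs = 198.51.100.20
        version = 2
        local {
            auth = psk
            id = fw.example.test
        }
        remote {
            auth = psk
            id = branch.example.test
        }
        # Send IKEv2 DPD (empty INFORMATIONAL) after 30s without inbound traffic.
        dpd_delay = 30s
        children {
            lan {
                local_ts  = 10.0.1.0/24
                remote_ts = 10.0.2.0/24
                # start_action = start makes charon initiate this CHILD_SA as soon
                # as the daemon starts, i.e. right after pacemaker starts the unit
                # on the node that now holds the VIP. 'trap' would instead wait
                # for matching traffic before negotiating.
                start_action = start
                # If the peer stops answering DPD, delete the SAs and re-initiate.
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-site-a {
        id-1   = fw.example.test
        id-2   = branch.example.test
        secret = "constructed-example-psk-replace-me"
    }
}

# ===== Remote peer side: /etc/swanctl/swanctl.conf =====
connections {
    to-fw {
        local_addrs  = 198.51.100.20
        # Always the VIP, never a node's own address, so a failover is invisible here.
        remote_addrs = 192.0.2.10
        version = 2
        local {
            auth = psk
            id = branch.example.test
        }
        remote {
            auth = psk
            id = fw.example.test
        }
        dpd_delay = 30s
        children {
            lan {
                local_ts  = 10.0.2.0/24
                remote_ts = 10.0.1.0/24
                start_action = start
                # This is the DPD mentioned in the reply: once the old node stops
                # answering, the client tears the stale SAs down and re-initiates
                # towards the VIP, which the new node now answers.
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-fw {
        id-1   = branch.example.test
        id-2   = fw.example.test
        secret = "constructed-example-psk-replace-me"
    }
}
```

On the pacemaker side the group ordering matters: list the IPaddr2 VIP resource before the strongswan resource (for example `group ipsec-ha vip IpSec` in crm syntax) so the address exists before charon starts and is removed only after it has stopped. With IKEv2, `dpd_delay` only controls how often liveness is probed; how quickly an unanswered probe is declared dead is governed by the retransmission settings in strongswan.conf (`charon.retransmit_tries`, `charon.retransmit_timeout`, `charon.retransmit_base`), and `dpd_timeout` applies to IKEv1 only. Both cluster nodes must carry the same secrets or certificates, otherwise the re-initiated IKE_SA fails authentication on the new node.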


