
Issue #2864

Would like to know why IPSEC_SA is synced to the standby node by triggering a rekey in an HA scenario

Added by Xiaoqiang Fu almost 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Category:
high availability (ha plugin)
Affected version:
5.6.1
Resolution:
No feedback

Description

Hi expert,

I would like to know why the IPSEC_SA is synced from the active node to the standby node by triggering a rekey.
Why is IPSEC_SA synchronization not done like IKE_SA synchronization, which fetches from a cache?

Is there some background or rationale for such a mechanism?

Looking forward to your reply.

Regards,
Yang Li

History

#1 Updated by Tobias Brunner almost 2 years ago

  • Category set to high availability (ha plugin)
  • Status changed from New to Feedback

One reason is that IPsec keys are generally not stored by the IKE daemon. But more importantly, the sequence numbers are not actively synced by the daemon in the current HA solution, but directly via the cluster IP. So IPsec SAs (in particular outbound SAs) couldn't be used by the integrated node even if the keys were synced. This is actually described on HighAvailability.
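To illustrate the sequence-number point above, here is an added example (not from this issue or from strongSwan's code): a minimal RFC 4303 anti-replay window on the peer side, used to compare a node that resumes an outbound SA with synced keys but no synced counter against a node that rekeys. The window size and the assumption that the taking-over node restarts its counter at 1 are constructed for the illustration.

```python
# Constructed illustration: receiver-side ESP anti-replay window (RFC 4303 3.4.3).
# Shows why synced keys alone do not make an outbound SA usable after takeover.

WINDOW_SIZE = 64  # assumed window size; real kernels use 32 up to several thousand


class ReplayWindow:
    """Sliding window that accepts each ESP sequence number at most once."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set <=> sequence number (top - i) already seen

    def accept(self, seq):
        if seq <= 0:
            return False                       # 0 is never a valid ESP sequence number
        if seq > self.top:                     # new high-water mark: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # older than the window: dropped
        if self.bitmap & (1 << offset):
            return False                       # duplicate inside the window: dropped
        self.bitmap |= 1 << offset
        return True


def takeover_resuming_synced_sa(sent_before_failover=200, sent_after=50):
    """Standby resumes the same SA with synced keys but a counter restarting at 1
    (it never learned the active node's counter). Returns (accepted, rejected)."""
    peer = ReplayWindow()
    for seq in range(1, sent_before_failover + 1):
        peer.accept(seq)                       # traffic sent by the active node
    accepted = sum(1 for seq in range(1, sent_after + 1) if peer.accept(seq))
    return accepted, sent_after - accepted


def takeover_after_rekey(sent_before_failover=200, sent_after=50):
    """Standby rekeys on takeover: the peer installs a fresh inbound SA with its
    own empty window, so a counter starting at 1 is accepted."""
    old_sa = ReplayWindow()
    for seq in range(1, sent_before_failover + 1):
        old_sa.accept(seq)
    new_sa = ReplayWindow()                    # fresh SA created by the rekey
    accepted = sum(1 for seq in range(1, sent_after + 1) if new_sa.accept(seq))
    return accepted, sent_after - accepted
```

With the defaults, every packet the resuming node sends on the old SA falls left of the peer's window and is dropped, while all packets on the rekeyed SA are accepted.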

#2 Updated by Tobias Brunner almost 2 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback
