Would like to know why IPSEC_SA is synced to standby node by triggering rekey in HA scenario
I would like to know why the IPSEC_SA is synced to the standby node from the active node by triggering a rekey.
Why is IPSEC_SA synchronization not similar to IKE_SA, which is fetched from cache?
Is there some background or rationale for such a mechanism?
Looking forward to your reply.
#1 Updated by Tobias Brunner almost 2 years ago
- Category set to high availability (ha plugin)
- Status changed from New to Feedback
One reason is that IPsec keys are generally not stored by the IKE daemon. But more importantly, the sequence numbers are not actively synced by the daemon in the current HA solution, but directly via cluster IP. So IPsec SAs (in particular outbound SAs) couldn't be used by the integrated node even if the keys were synced. This is actually described on HighAvailability.
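The sequence-number point in the reply above, as an added example (not strongSwan's own code): a peer-side RFC 4303 style anti-replay window shows why a standby node that received only the keys, but not the live outbound sequence counter, would have its ESP packets dropped by the peer, while a rekey installs a fresh SA whose counter and window start over. All packet counts are constructed.

```python
# Added example (not strongSwan code): why a standby node that only has the
# IPsec keys cannot take over an outbound ESP SA, and why a rekey avoids it.
# The remote peer keeps an RFC 4303 style anti-replay window per inbound SA;
# all packet counts below are constructed for illustration.

class AntiReplayWindow:
    """Sliding-window replay check on the peer's inbound SA (RFC 4303 App. A)."""

    def __init__(self, size=64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def accept(self, seq):
        if seq == 0:
            return False                         # 0 is never a valid ESP seq
        if seq > self.top:                       # advances the window
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                         # older than the window
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                         # duplicate: replay
        self.bitmap |= bit
        return True


def failover_without_rekey(sent_by_active, standby_counter, n_pkts):
    """Standby keeps the keys/SPI but resumes from its own (stale) counter."""
    peer = AntiReplayWindow()
    for seq in range(1, sent_by_active + 1):     # traffic the active node sent
        peer.accept(seq)
    first = standby_counter + 1
    return [peer.accept(seq) for seq in range(first, first + n_pkts)]


def failover_with_rekey(sent_by_active, n_pkts):
    """A rekey installs a new SA (new SPI), so the peer opens a fresh window."""
    old = AntiReplayWindow()
    for seq in range(1, sent_by_active + 1):
        old.accept(seq)
    new = AntiReplayWindow()                     # counter restarts at 1
    return [new.accept(seq) for seq in range(1, n_pkts + 1)]
```

Only a standby whose counter exactly matches the active node's (the case the cluster-IP sync handles) gets its packets accepted without a rekey.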