Feature #3047

Network namespaces and High Availability

Added by Antonio Mancina 4 months ago. Updated 3 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: high availability (ha plugin)
Target version: -
Start date: 08.05.2019
Due date:
Estimated time:
Resolution:

Description

Hi all,

did anyone ever experiment with the combination of the two features?

I have a deployment in which two backend IPSEC terminators shall work in active-passive mode with HA, but on those servers there are multiple network namespaces and one charon daemon for each of them (everything works according to https://wiki.strongswan.org/projects/strongswan/wiki/Netns).

Before trying to follow the approach described in https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability I would like to know if there's any reason why this might not work as expected.

Thanks a lot.
Antonio

History

#1 Updated by Tobias Brunner 4 months ago

  • Status changed from New to Feedback

did anyone ever experiment with the combination of the two features?

I remember somebody doing that several years ago. Basically seemed to work (at least if the kernel was not too old), but I don't know if that project ever got completed.

#2 Updated by Antonio Mancina 4 months ago

Tobias Brunner wrote:

did anyone ever experiment with the combination of the two features?

I remember somebody doing that several years ago. Basically seemed to work (at least if the kernel was not too old), but I don't know if that project ever got completed.

In such a scenario, maybe it would not be that wise to consider it for production deployments. Do you agree?

I would rather go for a "cold" redundancy mechanism (every client restarting its tunnel a while after a manual migration of the terminator).

Thanks a lot.

#3 Updated by Tobias Brunner 4 months ago

In such a scenario, maybe it would not be that wise to consider it for production deployments. Do you agree?

It is used in production (whether in combination with netns or not I don't know). But you have to decide for yourself (also consider that ClusterIP is officially deprecated and only supports IPv4).

I would rather go for a "cold" redundancy mechanism (every client restarting its tunnel a while after a manual migration of the terminator).

If it's a scheduled migration, you might want to consider using IKEv2 redirection (supported since 5.4.0).

#4 Updated by Antonio Mancina 4 months ago

Tobias Brunner wrote:

[cut]

Thanks Tobias.
I will steal just a bit more of your time to ask your opinion about the domain which I am working in.

We have a deployment with two servers operating both as firewalls and IPSEC concentrators. The setup is of the master/slave type (the slave is ready to take over in case of an unexpected master failure, so no scheduled migrations are considered).

Both servers are configured with multiple network namespaces, one for every customer: we separate the network domains for them, for many reasons (address reuse, privacy, security, ...). This configuration is kept in sync (even if it's of no use for the slave server).

Strongswan is configured with a charon daemon for each netns. All strongswan configuration files are also kept in sync between master and slave servers.

My question about HA is tightly bound to the multiple-netns nature of our deployment: I made a few quick tests and, although sometimes it appears to work as expected, sometimes it seems it does not (I do not have a use case report, though, since I just had to perform some initial assessment).

Given the reasons you added for an informed decision (clusterIP being deprecated and IPv6 not supported), how would you setup a redundancy mechanism in such a scenario?

We would like to minimize the impact of a possible data connection disruption for our IPSEC clients, so I always considered the HA framework as the only possible solution.

I will very gladly read your comments on it.

Thanks a lot,
Antonio

#5 Updated by Tobias Brunner 3 months ago

Given the reasons you added for an informed decision (clusterIP being deprecated and IPv6 not supported), how would you setup a redundancy mechanism in such a scenario?

We would like to minimize the impact of a possible data connection disruption for our IPSEC clients, so I always considered the HA framework as the only possible solution.

In active-passive scenarios you can use the HA plugin without the kernel patch (I think there are users that even use it on FreeBSD). The CHILD_SAs will just have to get rekeyed when a failover occurs (to do so one can trigger a resync via UNIX socket to initiate a rekeying).
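The takeover step described in the reply above, as an added example that is not part of this thread and not code from the strongSwan project: a POSIX sh script that, on the node being promoted, walks every customer namespace and hands the ha plugin of that namespace's charon an activate command followed by a resync request, so the CHILD_SAs that were synced without the kernel patch get rekeyed under the new node. The one-line control command format ("+N" to activate segment N, "-N" to deactivate it, "*N" to resync it), the per-namespace control path under HA_CTL_DIR and the namespace names cust-a/cust-b/cust-c are assumptions made for this example; check them against the HighAvailability wiki page and the strongSwan version in use before relying on them.

```shell
#!/bin/sh
# Added example, not strongSwan project code. Promotes the passive node of an
# active-passive pair on which one charon runs per customer netns.
#
# Assumptions (verify against your strongSwan version and the HighAvailability
# wiki page before use):
#  - the ha plugin's control interface takes a one-line command "+N" (activate
#    segment N), "-N" (deactivate segment N) or "*N" (resync segment N);
#  - each per-netns charon (started with "ip netns exec <ns> ...") was given
#    its own control path "$HA_CTL_DIR/<ns>.ha", because all instances would
#    otherwise share the single default path under /var/run;
#  - active-passive uses one segment, so segment 1 is used throughout.
set -eu

HA_CTL_DIR="${HA_CTL_DIR:-/var/run/strongswan-ha}"
NETNS_LIST="${NETNS_LIST:-cust-a cust-b cust-c}"   # constructed sample namespace names

# Build one control command. Only the three known verbs and a positive
# decimal segment number are accepted, so a typo never reaches a daemon.
ha_cmd() {
    case "$1" in
        activate)   c='+' ;;
        deactivate) c='-' ;;
        resync)     c='*' ;;
        *)          return 1 ;;
    esac
    case "$2" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    printf '%s%s\n' "$c" "$2"
}

# Write one command to the control path of the charon in namespace $1.
ha_send() {
    ctl="$HA_CTL_DIR/$1.ha"
    if [ ! -w "$ctl" ]; then
        echo "ha_send: no writable control path for netns $1 at $ctl" >&2
        return 1
    fi
    ha_cmd "$2" "${3:-1}" > "$ctl"
}

# Takeover: activate segment 1 in every namespace, then request a resync so
# the CHILD_SAs synced without the kernel patch get rekeyed. One broken
# namespace does not stop the others; the exit status reports any failure.
failover_all() {
    rc=0
    for ns in $NETNS_LIST; do
        ha_send "$ns" activate 1 || rc=1
        ha_send "$ns" resync 1   || rc=1
    done
    return "$rc"
}

# Run the takeover only when invoked as "failover.sh go"; sourcing the file
# just defines the functions.
if [ "${1:-}" = go ]; then
    failover_all
fi
```

Run it as `failover.sh go` from whatever detects the master's death (a heartbeat or keepalived notify script); sourcing it only defines the functions, which is also how it can be exercised against plain files instead of the daemons' control paths.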
