Hi Michael,

thanks for your fast reply. The background of my question is to implement 
failover with strongswan standard mechanisms wherever possible.

In fact I do have *swan implementations in the field with wrappers for load 
distribution and failover, but I'd rather get rid of as much individual code as 
I can.

Best Regards

Markus 



On 16.09.18, 10:42, "Users on behalf of Michael Schwartzkopff" 
<users-boun...@lists.strongswan.org on behalf of m...@sys4.de> wrote:

    
    On 16.09.2018 at 09:34, Markus P. Beckhaus wrote:
    > Dear all,
    >
    > we are thinking about using a DNS Load-Balancer to distribute a huge 
    > count of strongswan clients to multiple VPN gateways. Also, the DNS 
    > Load-Balancer should detect the failure of VPN gateways and remove them from 
    > the DNS responses, thus providing a kind of availability and failover.
    >
    > Here is the challenge:
    > If the strongswan client detects the failure of a connection (e.g. DPD), 
    > it must send a new DNS request to retrieve a list of still available gateways 
    > and reconnect to one of them.
    >
    > From what I have read, I believe strongswan only does the DNS resolution 
    > of the peer once, when it reads the connection configuration.
    >
    > Does anyone have an idea how to solve the described requirement? Naturally, 
    > any alternative proposals to address these load distribution and failover 
    > requirements are welcome.
    >
    > Best Regards
    > --
    > Markus
    >
    
    hi,
    
    
    we implemented a kind of such solution.
    
    
    We had all VPN servers in one or two datacenters that were close to each
    other. So there was no need for a geographic distribution of the clients.
    
    DNS also was our first idea, but for some reasons we finally chose a
    wrapper solution for the client config.
    
    
    DNS also should be possible and finally be a superior solution. But you
    really want to implement DNSSEC. You also could distribute keys or
    certificates of the servers in DNS. Thus the need to install (and
    update) the server authority on the clients is solved.
    
    
    After all, this should work quite well.
    
    
    Kind regards,
    
    -- 
    
    [*] sys4 AG
     
    https://sys4.de, +49 (89) 30 90 46 64
    Schleißheimer Straße 26/MG,80333 München
     
    Registered office: München, Amtsgericht München: HRB 199263
    Board of directors: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
    Chairman of the supervisory board: Florian Kirstein
    
    
    
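The client-side behaviour the thread asks for (on a DPD failure, re-query DNS and reconnect to a gateway the balancer still advertises, keeping the tunnel sticky while the peer is healthy), as an added example that is not strongSwan code and not from either poster; the resolver callback, hostname, client id and addresses are constructed placeholders, and a wrapper would still have to feed the chosen address to the daemon (for example via `remote_addrs` in swanctl.conf).

```python
"""Gateway selection with DNS re-resolution on failure (constructed example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

Resolver = Callable[[str], List[str]]  # hostname -> A/AAAA answers (injected)


@dataclass
class GatewayPicker:
    fqdn: str              # e.g. "vpn.example.net" (placeholder)
    resolve: Resolver      # real deployments would use a DNSSEC-validating resolver
    client_id: str         # stable per client so the spread is deterministic
    failed: Set[str] = field(default_factory=set)
    current: Optional[str] = None

    def candidates(self) -> List[str]:
        # Re-query DNS every time: gateways the balancer withdrew vanish here.
        answers = sorted(set(self.resolve(self.fqdn)))
        alive = [a for a in answers if a not in self.failed]
        if not alive and answers:
            # Every advertised gateway failed for us once; trust the balancer's
            # current view over our stale memory and try them again.
            self.failed.clear()
            alive = answers
        return alive

    def pick(self) -> Optional[str]:
        alive = self.candidates()
        if not alive:
            self.current = None
            return None
        if self.current in alive:
            return self.current  # peer still advertised: keep the existing tunnel
        # Rendezvous hashing: stable for one client, spreads clients over peers.
        def weight(gw: str) -> str:
            return hashlib.sha256(f"{self.client_id}|{gw}".encode()).hexdigest()
        self.current = max(alive, key=weight)
        return self.current

    def on_dpd_timeout(self) -> Optional[str]:
        # DPD declared the current peer dead: remember it, re-resolve, move on.
        if self.current is not None:
            self.failed.add(self.current)
        self.current = None
        return self.pick()


def swanctl_remote_addrs(gateways: List[str]) -> str:
    """Render the chosen gateway list as a swanctl.conf remote_addrs line."""
    return "remote_addrs = " + ", ".join(gateways)
```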
