Hi, all the different approaches like local traffic LBs, client wrappers with gateway failure detection and even multiple simultaneous tunnels from the client to different gateways have been on the table, were evaluated and most of them are already in use in other projects successfully.
The DNS idea is just another option which has some advantages in large scale,
so I wanted to discuss this approach, how it is supported by strongswan
standard behaviour. If it is not, there is still the option the write a wrapper
or Vici event handler that reloads the connection to force the DNS refresh.
Best Regards
Markus
Am 16.09.18, 14:53 schrieb "Users im Auftrag von Michael Schwartzkopff"
<users-boun...@lists.strongswan.org im Auftrag von m...@sys4.de>:
_____________________________________________________________________
Sicherheitsprüfung / 2018-09-16 14:53:05
Nachricht: nicht verschlüsselt
Signatur: Nicht überprüfbar (Unterzeichner unbekannt)
_____________________________________________________________________
Am 16.09.2018 um 13:23 schrieb Markus P. Beckhaus:
> Hi Michael,
>
> thanks for your fast reply. The background of my question is to implement
failover with strongswan standard mechanisms wherever possible.
>
> In fact I do have *swan implementations in the field with wrappers for
load distribution and failover, but I'd rather get rid of as much individual
code as I can.
>
> Best Regards
>
> Markus
>
>
>
> Am 16.09.18, 10:42 schrieb "Users im Auftrag von Michael Schwartzkopff"
<users-boun...@lists.strongswan.org im Auftrag von m...@sys4.de>:
>
> _____________________________________________________________________
>
> Sicherheitsprüfung / 2018-09-16 10:42:21
> Nachricht: nicht verschlüsselt
> Signatur: Nicht überprüfbar (Unterzeichner unbekannt)
> _____________________________________________________________________
>
> Am 16.09.2018 um 09:34 schrieb Markus P. Beckhaus:
> > Dear all,
> >
> > we are thinking about using a DNS Load-Balancer to distribute a
huge count of strongswan clients to multiple VPN gatweways. Also, the DNS
Load-Balancer should detect the failure of VPN gateways and remove them from
the DNS responses, thus poviding a kind of availability and failover.
> >
> > Here is the challenge:
> > If the strongswan clients detects the failure of a connection (e.g.
DPD), it must send a new DNS request to retrieve a list of still available
gateways and reconnect to one of them.
> >
> > From what I have read, I believe strongswan only does the DNS
resolution of the peer only once, when it reads the connection configuration.
> >
> > Does anyone have an idea, how solve the described requirement.
Naturally, any alternative proposals to address this load distribution and
failover requirements are welcome.
> >
> > Best Regards
> > --
> > Markus
> >
>
> hi,
>
>
> we implemented a kind of such solution.
>
>
> We had all VPN server in one or two datacenters that were close to
each
> other. So need for a geographic distribution of the clients.
>
> DNS also was our first idea, but for some reasons we finally chose a
> wrapper solution fot the client config.
>
>
> DNS also should be possible and finally be superior solution. But you
> really want to implement DNSsec. You also could distribute keys or
> certificates of the servers in DNS. Thus the need to install (and
> update) the server authority on the clients is solved.
>
>
> After all, this should work quite well.
>
>
> Mit freundlichen Grüßen,
>
> --
>
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Aufsichtsratsvorsitzender: Florian Kirstein
>
>
>
>
Hi,
answering to the list, since it might be of general interest.
first of all, in my opinion you want to have a local loadbalancer in a
datacenter. It distrobutes the clients to the several servers in the
datacenter. Especially if you have some 100k clients, you need multiple
servers in each datacenter.
loadbalancers detect outages of servers and redirect the client to the
next available server.
DNS RR distribution: The problems as far as I see, is that the ipsec
client cannot detect the availability of a VPN server and automaticaly
failover to the next available server. When the clients starts and the
fqdn of the server is configued, it looks up the A (or AAAA) RR in DNS.
It tries to connect to that IP address even, if it not available any more.
A wrapper does nothing else to check the availability of the VPN server
in use and reconfigres the connection to the next best available server
if the server got down. The wrapper also can measure the answering time
to choose the next best available.
The wrapper is completely separate from the VPN client (ipsec) software
that established the connection. The wrapper uses the swnctl interface
to re-configure the vpn client in case.
DNS with DNSsec is cool since you can use it to do the authentication of
the VPN server completely in DNS. No thirds party CAs any more that you
have to distribute to your clients.
Greetings,
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
smime.p7s
Description: S/MIME cryptographic signature
