Daniel,

> Is this the new feature of High Availability for IPsec RFC-6311 ?

Our HA solution works differently and is not based on RFC 6311. In fact, we don't need any additional protocol support in IKEv2 between server and client; all the synchronization is done between the cluster nodes directly.

> Does this patch generate IKE exchanges to increase IPsec Counters?

We use ClusterIP to keep the sequence counters up to date, no IKE exchange is involved. This has the big advantage that it works with any IKEv2 client.

> I thought that the first patches didn't increase the IPsec replay
> counters. Is this a new feature in ha3.3? Or since when did you
> develop this capability?

One issue that might arise with the ClusterIP sequence update is that we might miss some packets due to packet loss. This can be problematic for outgoing packets, as the peer might reject a few packets after failover, breaking connections.

As a work-around, I've implemented a "failover advance" mechanism with these last two commits: after a failover, we advance the replay counter for outgoing messages by a certain window. This will make sure we don't use sequence numbers for packets already processed by the responder. Doesn't change anything fundamental, but certainly can improve connection reliability after a failover.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
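The following is an added simulation, not strongSwan code and not part of Martin's message, that shows why lost counter updates matter and what the "failover advance" buys. It assumes a responder with an RFC 4303-style sliding anti-replay window of 64 sequence numbers, a ClusterIP-like update pushed after every outbound packet (the last few of which are lost), and a failover advance equal to the window size; all of these are assumptions chosen for illustration, not values from the HA plugin.

```python
"""Simulation of ESP anti-replay behaviour across an IPsec HA failover.

Models the situation described in the message: the active node's outbound
sequence counter is replicated to the standby, some updates are lost, and
after failover the standby either reuses stale sequence numbers (rejected
by the responder's replay window) or first advances its counter.
"""


class ReplayWindow:
    """Responder-side sliding anti-replay window in the style of RFC 4303.

    `highest` is the largest sequence number accepted so far; bit i of
    `bitmap` records whether sequence number (highest - i) has been seen.
    Plain 32-bit sequence numbers are assumed; ESN is out of scope here.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def accept(self, seq):
        """Return True and record `seq` if it is fresh, False if it would be dropped."""
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.highest:                # window slides to the right
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1               # jumped past the whole window
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                      # too old: left of the window
        if self.bitmap & (1 << diff):
            return False                      # already received: replay
        self.bitmap |= 1 << diff
        return True


def simulate_failover(sent_before, lost_trailing_syncs, sent_after, advance, window=64):
    """Return how many post-failover packets the responder rejects.

    The active node sends `sent_before` packets and, after each one, pushes
    its outbound counter to the standby (the role ClusterIP plays in the
    message). The last `lost_trailing_syncs` updates are lost, so the
    standby's copy lags behind. On failover the standby adds `advance` to
    its counter (0 = no failover advance) and sends `sent_after` packets.
    Only updates lost after the last delivered one matter: a later
    successful update overwrites any earlier gap.
    """
    responder = ReplayWindow(window)
    active_seq = 0
    standby_seq = 0
    for i in range(sent_before):
        active_seq += 1
        responder.accept(active_seq)          # steady state: every packet is fresh
        if i < sent_before - lost_trailing_syncs:
            standby_seq = active_seq          # counter update delivered to standby
    # Failover: the standby takes over the outbound SA with a possibly stale counter.
    standby_seq += advance
    rejected = 0
    for _ in range(sent_after):
        standby_seq += 1
        if not responder.accept(standby_seq):
            rejected += 1
    return rejected


if __name__ == "__main__":
    print("3 lost updates, no advance:   ", simulate_failover(100, 3, 10, advance=0))
    print("3 lost updates, advance by 64:", simulate_failover(100, 3, 10, advance=64))
    print("70 lost updates, advance by 64:", simulate_failover(100, 70, 10, advance=64))
```

The third run shows the limit of the technique: the advance only helps if it exceeds the number of packets the old active node may have sent after the last update the standby received, so the advance window has to be sized against the expected update-loss burst, and an oversized advance merely costs unused sequence numbers rather than connectivity.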
