Hi,

> what is the type of heartbeat packet? I mean when I use tcpdump, what
> should I see?

Heartbeats use UDP packets to port 4510, equal to those sent for state synchronization.

> I asked this because I think in my test, heartbeats were
> not sent. If the heartbeats were not sent, how can I find the problem?

By default heartbeats are enabled, but this can be changed using the "monitor" option in the ha plugin subsection of strongswan.conf. Also have a look at the heartbeat_delay and heartbeat_timeout options.

> Is it really an active-active HA or is it just for load sharing?

As said, it is pseudo-active-active. Each CHILD_SA is handled active-passive, but with multiple CHILD_SAs each node is handling some CHILD_SAs actively, some passively, sharing load.

> If the first part is correct, what happens if the link that heartbeats
> are sent over goes down? Which of the nodes is handling the
> traffic?

If no heartbeats are received, each node has to assume that the other node died. Both then take over responsibility for the tunnels. This gets problematic with IPsec sequence numbers, and you'll end up with many doubled inbound packets and conflicting outbound packets, likely to kill any connection over it. It is therefore recommended to use a simple and direct link for heartbeat and synchronization, and/or have redundant equipment for this link.

Regards
Martin
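One way to check a capture for missing heartbeats, as an added example that is not part of the original message or of strongSwan: it reads `tcpdump -tt -n` text output and reports, per node, any silence on UDP port 4510 longer than the heartbeat timeout. The node addresses, the sample lines and the 2.1-second timeout are constructed assumptions; because state synchronization shares the port, traffic on 4510 does not prove heartbeats were sent, but a gap in it is a gap in heartbeats.

```python
import re

HA_PORT = 4510  # heartbeat and state-sync UDP port named in the message above

# Matches `tcpdump -tt -n` text output for plain UDP packets.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP"
)

def heartbeat_gaps(lines, senders, timeout, start, end):
    """Return {node: [(gap_start, gap_end), ...]} for every window longer than
    `timeout` seconds in which `node` sent nothing to UDP port 4510.
    `start`/`end` are the capture boundaries, so a node that never sends
    is reported as silent for the whole capture."""
    last_seen = {node: start for node in senders}
    gaps = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != HA_PORT or m["src"] not in last_seen:
            continue  # other traffic does not count as a heartbeat
        ts, src = float(m["ts"]), m["src"]
        if ts - last_seen[src] > timeout:
            gaps.setdefault(src, []).append((last_seen[src], ts))
        last_seen[src] = ts
    for node, ts in last_seen.items():  # silence running to the end of the capture
        if end - ts > timeout:
            gaps.setdefault(node, []).append((ts, end))
    return gaps

# --- constructed sample capture (not real traffic) ---
NODES = ["10.0.0.1", "10.0.0.2"]  # assumed HA node addresses

def _pkt(ts, src, dst, port=HA_PORT):
    return f"{ts:.6f} IP {src}.{port} > {dst}.{port}: UDP, length 24"

SAMPLE = sorted(
    [_pkt(100.5 + i, "10.0.0.1", "10.0.0.2") for i in range(10)]
    # node 2 goes quiet on 4510 between 102.6 and 107.6
    + [_pkt(t, "10.0.0.2", "10.0.0.1") for t in (100.6, 101.6, 102.6, 107.6, 108.6, 109.6)]
    # unrelated UDP from node 2 during the quiet window must not mask the gap
    + [_pkt(105.0, "10.0.0.2", "10.0.0.1", port=9999)]
)

if __name__ == "__main__":
    # 2.1 s is an assumed value; use the heartbeat_timeout configured on your nodes
    for node, windows in heartbeat_gaps(SAMPLE, NODES, 2.1, 100.0, 110.0).items():
        for a, b in windows:
            print(f"{node}: nothing sent to UDP/{HA_PORT} for {b - a:.1f}s ({a} to {b})")
```

Run it against captures taken on both nodes: a gap visible only on the receiving side points at the heartbeat link, while a gap on the sending side points at the sender's configuration.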
