Thank you so much Martin. Best wishes
On Mon, Dec 3, 2012 at 1:31 PM, Martin Willi <[email protected]> wrote:
> Hi,
>
>> what is type of heartbeat packet? I mean when I use tcpdump, what
>> should I see?
>
> Heartbeats use UDP packets to port 4510, equal to those sent for state
> synchronization.
>
>> I asked this because I think in my test, heartbeats were
>> not sent. If the heartbeats were not sent, how can I find the problem?
>
> By default heartbeats are enabled, but this can be changed using the
> "monitor" options in the ha plugin subsection of strongswan.conf. Also
> have a look at the heartbeat_delay and heartbeat_timeout options.
>
>> Is it really an active-active HA or it is just for load sharing?
>
> As said, it is pseudo-active-active. Each CHILD_SA is handled
> active-passive, but with multiple CHILD_SAs each node is handling some
> CHILD_SAs actively, some passively, sharing load.
>
>> if the first part is correct, what happens if the link that heartbeats
>> are sent over it goes down? Which of the nodes is handling the
>> traffic?
>
> If no heartbeats are received, each node has to assume that the other
> node died. Both then take over responsibility for the tunnels. This gets
> problematic with IPsec sequence numbers, and you'll end up with many
> doubled inbound packets and conflicting outbound packets, likely to kill
> any connection over it.
>
> It is therefore recommended to use a simple and direct link for
> heartbeat and synchronization, and/or have redundant equipment for this
> link.
>
> Regards
> Martin
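An added example, not part of the original thread or of strongSwan: a way to check a `tcpdump -tt -n` capture of the HA link for the situation described above, where one node hears nothing on UDP port 4510 for longer than the heartbeat timeout. The function name `silent_gaps`, the node addresses, the sample capture and the 2100 ms timeout are assumptions made for the illustration.

```python
import re

HA_PORT = 4510      # UDP port the thread names for heartbeat and sync traffic
TIMEOUT_MS = 2100   # assumed value; use the heartbeat_timeout from your strongswan.conf

# One line of `tcpdump -tt -n` output: "<epoch> IP <src>.<sport> > <dst>.<dport>: UDP, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"\d+(?:\.\d+){3}\.(?P<dport>\d+): UDP")

def silent_gaps(capture, nodes, timeout_ms=TIMEOUT_MS):
    """Map each node IP to the (start, end) spans in which it sent nothing
    to HA_PORT for longer than timeout_ms. A node that never sent anything
    gets the whole capture window as one span."""
    sent = {ip: [] for ip in nodes}
    window = []                       # every timestamp seen, to bound the capture
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = float(m["ts"])
        window.append(ts)
        if int(m["dport"]) == HA_PORT and m["src"] in sent:
            sent[m["src"]].append(ts)
    if not window:
        return {ip: [] for ip in nodes}
    limit = timeout_ms / 1000.0
    gaps = {}
    for ip, stamps in sent.items():
        # Include the capture start and end so leading/trailing silence counts too.
        points = [min(window)] + sorted(stamps) + [max(window)]
        gaps[ip] = [(a, b) for a, b in zip(points, points[1:]) if b - a > limit]
    return gaps

# Constructed capture: 10.0.0.2 stops sending between ...861.1 and ...864.5
SAMPLE = """\
1354537860.000000 IP 10.0.0.1.4510 > 10.0.0.2.4510: UDP, length 20
1354537860.100000 IP 10.0.0.2.4510 > 10.0.0.1.4510: UDP, length 20
1354537861.000000 IP 10.0.0.1.4510 > 10.0.0.2.4510: UDP, length 20
1354537861.100000 IP 10.0.0.2.4510 > 10.0.0.1.4510: UDP, length 20
1354537862.000000 IP 10.0.0.1.4510 > 10.0.0.2.4510: UDP, length 20
1354537863.000000 IP 10.0.0.1.4510 > 10.0.0.2.4510: UDP, length 20
1354537864.000000 IP 10.0.0.1.4510 > 10.0.0.2.4510: UDP, length 20
1354537864.500000 IP 10.0.0.2.4510 > 10.0.0.1.4510: UDP, length 20
"""

if __name__ == "__main__":
    for ip, spans in silent_gaps(SAMPLE, ["10.0.0.1", "10.0.0.2"]).items():
        print(ip, "silent spans:", spans or "none")
```

A span reported for one node on the sample means the other node would have seen no heartbeats for that long and, per the explanation above, assumed its peer had died.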
