Hello,

I'm looking for info on a very basic failover system. Nothing like what
is in the StrongSwan whitepapers with ClusterIP and so on.

I'm just using several instances of StrongSwan spread across several
servers, only one of them bears a virtual IP, managed by keepalived.

The only issue that I see is that when a tunnel is established between a
client and a server, if I want to switch the virtual IP to another
server, it takes a lot of time for the client to "realize" that it can't
keep on talking with a server who knows nothing about a previously
established SA with another server.

So my questions are:
    - shouldn't the client try to re-establish a connection if DPD shows
that there is no answer, like... quite fast?
    - couldn't the "new" server just say to the client "back off man, I
don't know your SAs, please just reauth with me, and we'll see what we
can do"?

... or something like that?

Thanks!

    Hoggins!
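An added configuration example (not from the original post) of the client-side strongSwan settings that decide how quickly a client notices that the virtual IP has moved to a server that does not know its SAs: a swanctl.conf connection with DPD enabled and a re-initiate action, plus the strongswan.conf retransmission settings that bound the IKEv2 dead-peer timeout. The address 203.0.113.10 and the connection name are placeholders.

```conf
# /etc/swanctl/swanctl.conf (client side) -- added example, not the poster's config
connections {
    vip-tunnel {
        # keepalived virtual IP shared by the strongSwan servers (placeholder address)
        remote_addrs = 203.0.113.10
        version = 2
        # send a DPD (liveness) INFORMATIONAL after this much idle time
        dpd_delay = 10s
        # only used by IKEv1; for IKEv2 the retransmission settings below apply
        dpd_timeout = 30s
        children {
            net {
                # re-initiate the CHILD_SA (and its IKE_SA) once the peer is declared dead
                dpd_action = start
                # also re-initiate if the peer actively closes the SA instead of going silent
                close_action = start
                # bring the tunnel up when the configuration is loaded
                start_action = start
            }
        }
    }
}

# /etc/strongswan.conf (client side)
# For IKEv2 a peer is declared dead once every retransmit of a request has failed.
# Each wait is retransmit_timeout * retransmit_base^n; with the defaults
# (tries=5, timeout=4.0, base=1.8) the waits add up to about 165 s, and the
# values below cut that to roughly half a minute.
charon {
    retransmit_tries = 3
    retransmit_timeout = 4.0
    retransmit_base = 1.5
}
```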
