Re: [strongSwan] Can StrongSwan be loadbalanced?

[Anvar Kuchkartaev]

Sadly I don't have direct tutorial in this case. After I sent reply for last time about high availability documentation of strongswan I made research about if it is possible to manipulate over Layer 4 directly in linux kernel and I found several interesting things about how to route and high availability in layer 4 stack.  ‎http://www.keepalived.org/ ‎http://backreference.org/2013/04/03/firewall-ha-with-conntrackd-and-keepalived/ ‎https://lwn.net/Articles/108078/ https://www.bggofurther.com/2015/02/how-to-setup-an-ipsec-tunnel-with-strongswan-with-high-availability-on-linux/ Unfortunately I never had a chance to test high availability in strongswan due to lack of hardware but if I ‎would do it I would configure public ip address to multicast mac to deliver packets to all hosts, synchronisation of iptables firewall with conntrackd, layer 4 (including ah, esp, and udp 500, 4500 connections) synchronisation with keepalived, and synchronisation of ipsec SAs using strongswan high availability plugin. The only thing lacks here is to see documentation of stronswan ha plugin and I think it is better to contact with strongswan development team directly to get it. Or alternatively you might forget about synchronisation of ipsec SAs like in: ‎https://www.bggofurther.com/2015/02/how-to-setup-an-ipsec-tunnel-with-strongswan-with-high-availability-on-linux/ And rely on client reconnection (most android clients try to re-establish connection in case of service restarts). If you find solution to synchronise ‎ipsec SA or you encounter with additional failures or successes I will be happy to know it (for me it is also interesting). Anvar  Kuchkartaev an...@anvartay.com  From: Houman Sent: viernes, 17 de noviembre de 2017 10:11 p.m. To: Anvar Kuchkartaev Cc: users@lists.strongswan.org Subject: Re: [strongSwan] Can StrongSwan be loadbalanced? Thanks Anvar, I was very excited about the link https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability that you shared earlier. Unfortunately, it doesn't do a good job of explaining how two StrongSwan servers have to be set up to work in collaboration, in order to share the traffic and take over if one of them fails. Do you happen to know a step by step tutorial?  I haven't found anything on google. Thanks, On Mon, Nov 13, 2017 at 4:36 PM, Anvar Kuchkartaev <an...@anvartay.com> wrote: 50 and 51 there are protocol identifiers not port numbers. They are not tcp and not udp they are different transport layer protocols (the same layer resides tcp and udp). Protocol 50 is protocol ESP (Encapsulating Security Payload), protocol 51 is AH (Authentication Header).  ‎https://en.m.wikipedia.org/wiki/List_of_IP_protocol_numbers You might be interested following articles: ‎http://www.linuxvirtualserver.org/software/ipvs.html https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability Anvar Kuchkartaev  an...@anvartay.com  From: Houman Sent: lunes, 13 de noviembre de 2017 04:19 p.m. To: users@lists.strongswan.org Subject: [strongSwan] Can StrongSwan be loadbalanced? Hello, I have made quite a bit of research on how to load balance StrongSwan, however, I get contradicting messages. e.g. from my understanding, StrongSwan (IKEv2) works over UDP and not TCP.  Hence Aws load balancer is out of the question.  But so is HAProxy !!! But I discovered that latest NGINX 1.10+ supports UDP load balancing and it was easy to set it up. I am currently listening to ports 500 and 4500 and it doesn't quite work. I have raised an issue here: https://wiki.strongswan.org/issues/2464 Do I need to listen to port 50 and 51 as well? Any tips or advice for me, please? Many Thanks, Houman