On 30/06/2022 17:56, Michael Schwartzkopff wrote:
> On 30.06.22 18:00, Luke Davis wrote:
>> Hi,
>> I've got two firewalls in failover, but whenever the strongswan service
>> moves between firewalls it doesn't automatically start up the tunnels.
>> Dead peer detection (DPD) is on the client side.
>> Is there a recommended way to do this, or how have others implemented
>> failover? Either by a custom script detecting a failure for auto
>> recovery, or some config option I've missed in strongswan or the
>> systemd service.
> Simplest solution: VRRP with keepalive.
>> For failover, I'm using corosync and pacemaker.
> That is also possible. Just add the strongswan resource to pacemaker and
> create a group over all services.

This is the route I've gone down; I've got strongswan set up as a
resource, but if it gets restarted/moved to the -b side it won't bring
the tunnel up.

primitive IpSec systemd:strongswan \
    op monitor interval=30s timeout=40s \
    meta target-role=Started

> Kind regards,
--
All postal correspondence to:
The Positive Internet Company, 24 Ganton Street, London. W1F 7QY
*Follow us on Twitter* @posipeople
The Positive Internet Company Limited is registered in England and Wales.
Registered company number: 3673639. VAT no: 726 7072 28.
Registered office: Northside House, Mount Pleasant, Barnet, Herts, EN4 9EE.
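Added example, not code from this thread and not the strongSwan or Pacemaker projects' own code: a script that renders the two configuration pieces which make the tunnel come up by itself after a Pacemaker failover. The first is a swanctl connection with `start_action = start` bound to the floating VIP, so charon initiates as soon as `strongswan.service` loads the config (`swanctl --load-all` runs at unit start). The second is a crm group that puts the VIP before the strongswan resource, so the address exists before charon binds and both always move together. Every address, identity, subnet, name and the PSK are placeholders (assumptions); the `OUT` staging directory and `APPLY`-style manual install step are likewise this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread, not strongSwan/Pacemaker project code).
# Renders: 1) a swanctl.conf connection that initiates on load (start_action)
#          2) a crm configure snippet grouping VIP -> strongswan
# All addresses, IDs, subnets, names and the PSK below are placeholders.
set -eu

VIP="${VIP:-198.51.100.10}"          # floating address the peer talks to
VIP_PREFIX="${VIP_PREFIX:-24}"
PEER="${PEER:-203.0.113.20}"         # remote gateway
LOCAL_ID="${LOCAL_ID:-fw.example.net}"
REMOTE_ID="${REMOTE_ID:-peer.example.net}"
LOCAL_NET="${LOCAL_NET:-10.0.0.0/24}"
REMOTE_NET="${REMOTE_NET:-10.1.0.0/24}"
PSK="${PSK:-replace-me-with-a-real-psk}"
OUT="${OUT:-$(mktemp -d)}"           # staging dir; nothing is installed

swanctl_conf_path() { printf '%s\n' "$OUT/site-b.conf"; }
crm_conf_path()     { printf '%s\n' "$OUT/vpn.crm"; }

# Goes to /etc/swanctl/conf.d/site-b.conf on BOTH nodes (Pacemaker does not
# sync it). start_action = start: initiate the CHILD_SA when the config is
# loaded. dpd_action = restart: re-initiate if the peer stops answering DPD.
# local_addrs is the VIP, so the peer sees the same source from either node.
write_swanctl_conf() {
    cat > "$(swanctl_conf_path)" <<EOF
connections {
    site-b {
        version = 2
        local_addrs  = $VIP
        remote_addrs = $PEER
        proposals = aes256-sha256-x25519
        dpd_delay = 30s
        local {
            auth = psk
            id = $LOCAL_ID
        }
        remote {
            auth = psk
            id = $REMOTE_ID
        }
        children {
            net {
                local_ts  = $LOCAL_NET
                remote_ts = $REMOTE_NET
                esp_proposals = aes256gcm16-x25519
                start_action = start
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-site-b {
        id = $REMOTE_ID
        secret = "$PSK"
    }
}
EOF
    chmod 0600 "$(swanctl_conf_path)"
}

# crm configure input. A group implies ordering and colocation: vip starts
# first, IpSec after it, and a failover moves them as one unit.
write_crm_conf() {
    cat > "$(crm_conf_path)" <<EOF
primitive vip ocf:heartbeat:IPaddr2 \\
    params ip=$VIP cidr_netmask=$VIP_PREFIX \\
    op monitor interval=10s timeout=20s
primitive IpSec systemd:strongswan \\
    op monitor interval=30s timeout=40s
group vpn-stack vip IpSec \\
    meta target-role=Started
EOF
}

# Sanity check on the rendered files; returns 0 when both look right.
check_generated() {
    grep -q '^ *start_action = start$' "$(swanctl_conf_path)" &&
    grep -q "^ *local_addrs  = $VIP\$" "$(swanctl_conf_path)" &&
    grep -q '^group vpn-stack vip IpSec' "$(crm_conf_path)"
}

write_swanctl_conf
write_crm_conf
check_generated
echo "rendered: $(swanctl_conf_path) $(crm_conf_path)"
# To apply, as root:
#   install -m 0600 "$OUT/site-b.conf" /etc/swanctl/conf.d/site-b.conf  # every node
#   crm configure load update "$OUT/vpn.crm"                              # once
```

Two caveats for this layout. If the `strongswan` unit on your distribution is the legacy ipsec.conf starter rather than the swanctl-based charon, the equivalent knob is `auto=start` on the conn. And after a failover the peer still holds an IKE_SA with the old node: strongSwan normally includes an INITIAL_CONTACT notify when it initiates with no existing SA to that peer, so a peer honouring it drops the stale SA at once; otherwise the peer's own DPD removes it, which is what the client-side DPD mentioned in the thread is for. Firewall rules for UDP/500, UDP/4500 and ESP must of course admit the VIP on both nodes.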