
List:       openswan-users
Subject:    [Openswan Users] Pluto and replication of SADs and SPDs
From:       Wieland Gmeiner <wieland.gmeiner () linbit ! com>
Date:       2008-08-27 12:15:30
Message-ID: 200808271415.36026.wieland.gmeiner () linbit ! com


Hi all,

I'm trying to build a clustered IPsec gateway (to skip tunnel negotiation in
case of cluster node failover) by replicating the Security Associations and
Security Policies pluto established with its other tunnel endpoints. But for
some reason pluto or ipsec ignores these replicated SADs and SPDs on the
other cluster node when I start it there.

I prevent pluto from flushing any SAD/SPD entries by stopping it with a
kill -KILL instead of the init script and, when starting pluto, by commenting
out any flushes in the scripts in /usr/lib/ipsec/, so pluto has the same SADs
and SPDs in the same order when starting on the other cluster node as it had
on the cluster node where it originally established the connections. I verify
with ifconfig that pluto listens on the service IP that is moved to the other
cluster node before pluto is started there.

It makes no difference whether I insert the data with setkey or directly
using the netlink PF_KEY interface.

Any hints/help appreciated.

Sorry for crossposting, not sure where my problem fits better.

Thanks a lot,
-- 
: Wieland Gmeiner                               Tel +43-1-8178292-57  :
: LINBIT Information Technologies GmbH          Fax +43-1-8178292-82  :
: Vivenotgasse 48, A-1120 Vienna/Europe         http://www.linbit.com :
