[Openswan dev] Pluto and replication of SADs and SPDs

Wieland Gmeiner wieland.gmeiner at linbit.com
Wed Aug 27 08:15:30 EDT 2008


Hi all,

I'm trying to build a clustered ipsec gateway (to skip tunnel negotiation in 
case of cluster node failover) by replicating the Security Associations and 
Security Policies pluto established with its other tunnel endpoints. But for 
some reason pluto or ipsec ignores these replicated SADs and SPDs on the 
other clusternode when I start it there.

I prevent pluto flushing any SAD/SPD entries by a kill -KILL instead of
using the init script and when starting pluto by commenting out any flushes
in the scripts in /usr/lib/ipsec/ so pluto has the same SADs and SPDs in
the same order when starting on the other clusternode as he had on the
clusternode where he originally established the connections. I verify that
pluto listens on the service IP that is moved to the other clusternode with
ifconfig before pluto is started there.

It makes no difference whether I insert the data with setkey or directly
using the netlink PF_KEY interface.

Any hints/help appreciated.

Sorry for crossposting, not sure where my problem fits better.

Thanks a lot,
-- 
: Wieland Gmeiner                               Tel +43-1-8178292-57  :
: LINBIT Information Technologies GmbH          Fax +43-1-8178292-82  :
: Vivenotgasse 48, A-1120 Vienna/Europe         http://www.linbit.com :
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url : http://lists.openswan.org/pipermail/dev/attachments/20080827/85047ba3/attachment.bin 


More information about the Dev mailing list