[Openswan Users] ARP cache

Lionel Cottin cottin at free.fr
Fri Dec 2 10:59:21 CET 2005

Dear OpenSwan gurus,

I'm running OpenSwan (kernel 2.4.32 KLIPS + OpenSwan 2.4.4) HA clusters 
using heartbeat. These clusters are connected "behind" Checkpoint HA 
clusters and now here's my problem (i.e. OpenSwan's default gateway 
is the Checkpoint cluster's IP):

When a Checkpoint node dies, Checkpoint failover occurs and the passive 
node becomes active; that's fine.
On the OpenSwan side, the active node remains active but all IPSEC 
connections are turned into "hold" state and IPSEC connectivity does not 
recover unless I shut IPSEC down and restart it.
My feeling is that OpenSwan is still sending IPSEC frames using the dead 
Checkpoint node's MAC address. However, it's still possible to connect to 
the OpenSwan node over SSH, for example, so it looks like there's some 
"ARP caching" performed on the ipsec0 interface that is not updated when 
the default gateway's MAC address is replaced on the underlying physical 
interface (eth0).

Is that a known behaviour? Should I add some additional failover 
criteria to my heartbeat cluster? Is there a way to force OpenSwan to 
re-calculate the destination MAC address to use within IPSEC frames?

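A small diagnostic in the spirit of the hypothesis above, added here as an example and not part of the original message or of Openswan: it compares the neighbour-table entry for the default gateway on the physical interface with the one on ipsec0 and flags a mismatch. The gateway address, interface names and the sample `ip neigh show` output are constructed assumptions.

```shell
#!/bin/sh
# Compare the MAC cached for the default gateway on the physical interface
# with the MAC cached on ipsec0. After a gateway failover, a mismatch means
# ipsec0 still holds the old neighbour entry. Addresses, interface names
# and the sample neighbour table below are constructed, not from the post.

GATEWAY="192.0.2.1"
PHYS_IF="eth0"
IPSEC_IF="ipsec0"

# Constructed sample of `ip neigh show`: eth0 has learned the new gateway
# MAC, while ipsec0 still caches the MAC of the dead node.
SAMPLE_NEIGH='192.0.2.1 dev eth0 lladdr 00:11:22:33:44:66 REACHABLE
192.0.2.1 dev ipsec0 lladdr 00:11:22:33:44:55 STALE
192.0.2.50 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE'

# Print the lladdr recorded for address $1 on device $2 in neighbour text $3.
# Fields of a line: <ip> dev <dev> lladdr <mac> <state>
neigh_mac() {
    printf '%s\n' "$3" | awk -v ip="$1" -v dev="$2" \
        '$1 == ip && $3 == dev { for (i = 1; i <= NF; i++) if ($i == "lladdr") print $(i+1) }'
}

# Exit 0 when both interfaces agree on the gateway MAC, 1 when ipsec0 is
# stale or has no entry, 2 when the physical interface has no entry at all.
# Takes neighbour-table text as $1; reads the live table when omitted.
check_gateway_mac() {
    neigh="${1:-$(ip neigh show 2>/dev/null)}"
    phys=$(neigh_mac "$GATEWAY" "$PHYS_IF" "$neigh")
    ipsec=$(neigh_mac "$GATEWAY" "$IPSEC_IF" "$neigh")
    [ -n "$phys" ] || { echo "no entry for $GATEWAY on $PHYS_IF"; return 2; }
    if [ "$phys" = "$ipsec" ]; then
        echo "ok: $GATEWAY is $phys on both $PHYS_IF and $IPSEC_IF"
        return 0
    fi
    echo "stale: $IPSEC_IF caches ${ipsec:-nothing} for $GATEWAY, $PHYS_IF has $phys"
    return 1
}

# Run against the constructed sample; reports the stale ipsec0 entry.
check_gateway_mac "$SAMPLE_NEIGH" || echo "exit status: $?"
```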
