[Openswan Users] ARP cache
Lionel Cottin
cottin at free.fr
Fri Dec 2 10:59:21 CET 2005
Dear OpenSwan gurus,
I'm running OpenSwan (kernel 2.4.32 KLIPS + OpenSwan 2.4.4) HA clusters
using heartbeat. These clusters are connected "behind" Checkpoint HA
clusters and now here's my problem (i.e. the OpenSwan's default gateway
is the checkpoint cluster's IP):
When a Checkpoint node dies, Checkpoint failover occurs and the passive
node becomes active; that's fine.
On the OpenSwan side, the active node remains active but all IPSEC
connections are turned into "hold" state and IPSEC connectivity does not
recover unless I shut IPSEC down and restart it.
My feeling is that OpenSwan is still sending IPSEC frames using the dead
checkpoint node's MAC address. However it's still possible to connect
the OpenSwan node over SSH for example so it looks like there's some
"ARP caching" performed on the ipsec0 interface not being updated when
the default gateway's MAC address is replaced on the underlying physical
interface (eth0).
Is that a known behaviour ? Should I had some additional failover
criteria in my heartbeat Cluster ? Is there a way to force OpenSwan
re-calculating the destination MAC address to use within IPSEC frames ?
regards,
Lionel
More information about the Users
mailing list