[Openswan Users] ARP cache

Trevor Benson TrevorBenson at a-1networks.com
Fri Dec 2 10:36:43 CET 2005


> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Lionel Cottin
> Sent: Friday, December 02, 2005 1:59 AM
> To: users at openswan.org
> Subject: [Openswan Users] ARP cache
> 
> Dear OpenSwan gurus,
> 
> I'm running OpenSwan (kernel 2.4.32 KLIPS + OpenSwan 2.4.4) HA clusters
> using heartbeat. These clusters are connected "behind" Checkpoint HA
> clusters and now here's my problem (i.e. the OpenSwan's default gateway
> is the checkpoint cluster's IP):

Not familiar with Checkpoint's HA portions. Is the Checkpoint "cluster's
IP" a virtual IP that is monitored by both Checkpoints, and do they have
real IPs behind them? In many cases the virtual IP will have a virtual
MAC that is handled by the active system; when failover occurs the
standby emulates that same MAC address. Does your system just emulate
the active IP from the standby if it dies, but not use a virtual IP for
them to share?

> When a Checkpoint node dies, Checkpoint failover occurs and the passive
> node becomes active; that's fine.
> On the OpenSwan side, the active node remains active but all IPSEC
> connections are turned into "hold" state and IPSEC connectivity does not
> recover unless I shut IPSEC down and restart it.
> My feeling is that OpenSwan is still sending IPSEC frames using the dead
> checkpoint node's MAC address. However it's still possible to connect
> the OpenSwan node over SSH for example so it looks like there's some
> "ARP caching" performed on the ipsec0 interface not being updated when
> the default gateway's MAC address is replaced on the underlying physical
> interface (eth0).


> Is that a known behaviour? Should I add some additional failover
> criteria in my heartbeat cluster? Is there a way to force OpenSwan to
> recalculate the destination MAC address to use within IPSEC frames?
> 
> regards,
> Lionel
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users



Thank you,
Trevor Benson
A1 Networks
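The symptom Lionel describes, a stale gateway MAC held for ipsec0 while eth0 has already learned the new one, can be checked from the neighbour table. The script below is an added example and is not from the list thread or from Openswan; it assumes that KLIPS's ipsec0 keeps its own neighbour entry for the gateway (as the report suggests), and the interface names (eth0, ipsec0), the gateway address 192.0.2.1 and the MAC addresses are constructed sample values in `ip neigh show` format. The flush command in the final message is a suggestion of this example, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): compare the neighbour (ARP) entry for
# the default gateway on the physical interface with the entry on ipsec0.
# After a gateway failover, a different lladdr on ipsec0 is the stale-cache
# symptom described in the report.
# Assumption: KLIPS's ipsec0 holds its own neighbour entry for the gateway.

# gw_mac_on IFACE GATEWAY_IP  (reads `ip neigh show` output on stdin)
# Prints the link-layer address the neighbour table holds for GATEWAY_IP
# on IFACE, or nothing if there is no such entry.
gw_mac_on() {
    awk -v dev="$1" -v ip="$2" '
        $1 == ip && $2 == "dev" && $3 == dev {
            for (i = 4; i <= NF; i++)
                if ($i == "lladdr") { print $(i + 1); exit }
        }'
}

# check_gw_cache PHYS_IFACE IPSEC_IFACE GATEWAY_IP  (neighbour table on stdin)
# Returns 0 when ipsec0 has no entry or agrees with the physical interface,
# 1 when ipsec0 still holds a different, presumably stale, gateway MAC.
check_gw_cache() {
    neigh=$(cat)
    phys_mac=$(printf '%s\n' "$neigh" | gw_mac_on "$1" "$3")
    ipsec_mac=$(printf '%s\n' "$neigh" | gw_mac_on "$2" "$3")
    printf 'gateway %s: %s=%s %s=%s\n' "$3" "$1" "${phys_mac:-none}" \
        "$2" "${ipsec_mac:-none}"
    [ -z "$ipsec_mac" ] || [ "$ipsec_mac" = "$phys_mac" ]
}

# Constructed sample of `ip neigh show` output after a Checkpoint failover:
# eth0 has learned the new node's MAC, ipsec0 still holds the old one.
SAMPLE_NEIGH='192.0.2.1 dev eth0 lladdr 00:50:56:aa:bb:01 REACHABLE
192.0.2.1 dev ipsec0 lladdr 00:50:56:aa:bb:02 STALE
192.0.2.20 dev eth0 lladdr 00:50:56:cc:dd:ee REACHABLE'

# Constructed sample of a healthy table where both interfaces agree.
CONSISTENT_NEIGH='192.0.2.1 dev eth0 lladdr 00:50:56:aa:bb:01 REACHABLE
192.0.2.1 dev ipsec0 lladdr 00:50:56:aa:bb:01 REACHABLE'

# Live use on the Openswan node would be:
#   ip neigh show | check_gw_cache eth0 ipsec0 192.0.2.1
if printf '%s\n' "$SAMPLE_NEIGH" | check_gw_cache eth0 ipsec0 192.0.2.1; then
    echo "gateway MAC consistent across interfaces"
else
    echo "ipsec0 holds a stale gateway MAC; try: ip neigh flush dev ipsec0"
fi
```

The check is read-only, so it can run from a heartbeat or cron job on the active Openswan node to alert when the two entries diverge; whether flushing the ipsec0 entry actually recovers the tunnels on a KLIPS kernel is something to verify on the cluster itself.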

