[Openswan Users] ARP cache

Lionel Cottin cottin at free.fr
Tue Dec 6 11:56:08 CET 2005


Dear list,

I did some tests yesterday evening but the problem remains (even after 
an "ip neigh flush all")...
On Checkpoint's side, there's a virtual IP mapped to the MAC address 
from the physical active node; so it's not using any virtual MAC address 
(however it does use a virtual MAC in load balancing mode).

As I'm still able to connect to both OpenSwan nodes through SSH, it 
doesn't seem to be related to ARP entries on the eth0 interfaces; that's why 
I suspect a kind of "ARP cache" on ipsec0.
Anyway, the workaround for now is to force an OpenSwan failover when a 
Checkpoint failover is detected; but it would be nice to get it solved. 
I keep trying to get a solution.

Last, note that I did not have this problem before upgrading to KLIPS 
(OpenSwan 2.4.4 and kernel 2.4.32) and its ipsecX interfaces (before, I 
was running OpenSwan with RHEL3's kernels using NETKEY)...

Regards,
Lionel


Trevor Benson wrote:

>>-----Original Message-----
>>From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
>>Behalf Of Lionel Cottin
>>Sent: Friday, December 02, 2005 1:59 AM
>>To: users at openswan.org
>>Subject: [Openswan Users] ARP cache
>>
>>Dear OpenSwan gurus,
>>
>>I'm running OpenSwan (kernel 2.4.32 KLIPS + OpenSwan 2.4.4) HA clusters
>>using heartbeat. These clusters are connected "behind" Checkpoint HA
>>clusters and now here's my problem (i.e. the OpenSwan's default gateway
>>is the checkpoint cluster's IP):
>
>Not familiar with Checkpoint's HA portions; is the Checkpoint
>"cluster's IP" a virtual IP that is monitored by both checkpoints, and
>they have real IPs behind them?  In many cases the virtual IP will have
>a virtual MAC that will be handled by the active system; when failover
>occurs the standby emulates that same MAC address.  Does your system
>just emulate the active IP from the standby if it dies, but not use a
>virtual IP for them to share?
>
>>When a Checkpoint node dies, Checkpoint failover occurs and the passive
>>node becomes active; that's fine.
>>On the OpenSwan side, the active node remains active but all IPSEC
>>connections are turned into "hold" state and IPSEC connectivity does not
>>recover unless I shut IPSEC down and restart it.
>>My feeling is that OpenSwan is still sending IPSEC frames using the dead
>>checkpoint node's MAC address. However it's still possible to connect to
>>the OpenSwan node over SSH for example, so it looks like there's some
>>"ARP caching" performed on the ipsec0 interface not being updated when
>>the default gateway's MAC address is replaced on the underlying physical
>>interface (eth0).
>>
>>Is that a known behaviour? Should I add some additional failover
>>criteria in my heartbeat cluster? Is there a way to force OpenSwan to
>>re-calculate the destination MAC address to use within IPSEC frames?
>>
>>regards,
>>Lionel
>>_______________________________________________
>>Users mailing list
>>Users at openswan.org
>>http://lists.openswan.org/mailman/listinfo/users
>
>
>Thank you,
>Trevor Benson
>A1 Networks
>
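The workaround Lionel describes (detect the Check Point failover, then force the OpenSwan side over) can be driven from the eth0 neighbour table, which does learn the new gateway MAC while ipsec0 keeps using the old one. The watchdog below is an added example written for this page, not code from Openswan, Heartbeat or Check Point: it polls `ip neigh` for the default gateway's link-layer address and, when that address changes, runs a configurable action, defaulting to `ipsec setup restart` (the restart the thread reports brings the tunnels back). The interface name eth0, the two-second poll interval, the `logger` call and the ACTION_CMD default are assumptions; `ip`, `awk` and `sh` are the usual iproute2 and POSIX tools. The route and neighbour tables used by `demo` are constructed sample data, with the Check Point VIP 192.0.2.1 answered first by one member's MAC and then by the other's.

```shell
#!/bin/sh
# Hypothetical gateway-MAC watchdog for the scenario in this thread (added
# example, not Openswan, Heartbeat or Check Point code).  Assumes Linux with
# iproute2 ("ip"), the default route on DEV, an Openswan 2.x "ipsec" command
# and "logger" for syslog.  Needs only POSIX sh and awk.

DEV="${DEV:-eth0}"          # underlying physical interface (assumed name)
POLL="${POLL:-2}"           # seconds between checks (assumed value)
# Run when the gateway's MAC changes; the restart is what the thread reports
# brings the tunnels back.  Any other failover command can be substituted.
ACTION_CMD="${ACTION_CMD:-ipsec setup restart}"

# Print the default gateway IP reached through interface $1, reading
# "ip route show" output on stdin ("default via 192.0.2.1 dev eth0 ...").
default_gateway() {
    awk -v dev="$1" '
        $1 == "default" && $2 == "via" {
            for (i = 4; i <= NF; i++) if ($i == "dev" && $(i + 1) == dev) { print $3; exit }
        }'
}

# Print the link-layer address the kernel holds for IP $1 on interface $2,
# reading "ip neigh show" output on stdin
# ("192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE").  Prints nothing
# when the entry is absent or carries no lladdr (INCOMPLETE / FAILED).
neigh_mac() {
    awk -v ip="$1" -v dev="$2" '
        $1 == ip && $2 == "dev" && $3 == dev {
            for (i = 4; i <= NF; i++) if ($i == "lladdr") { print tolower($(i + 1)); exit }
        }'
}

# True (exit 0) when old MAC $1 and new MAC $2 are both known and differ.
# An empty new value is a cache miss, not a failover, and is ignored.
mac_changed() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Live polling loop.  Started only when MONITOR=1 so that sourcing this file
# for its helpers (or running the offline demo) never touches the system.
monitor() {
    gw=$(ip route show | default_gateway "$DEV")
    [ -n "$gw" ] || { echo "no default route via $DEV" >&2; return 1; }
    last=$(ip neigh show | neigh_mac "$gw" "$DEV")
    while sleep "$POLL"; do
        cur=$(ip neigh show | neigh_mac "$gw" "$DEV")
        if mac_changed "$last" "$cur"; then
            logger -t gwwatch "gateway $gw moved from $last to $cur; running: $ACTION_CMD"
            $ACTION_CMD
        fi
        [ -n "$cur" ] && last=$cur
    done
}

# Constructed sample tables: the Check Point VIP 192.0.2.1 answered first by
# one member's MAC, then (after its failover) by the other member's.
SAMPLE_ROUTE='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'
SAMPLE_NEIGH_BEFORE='192.0.2.1 dev eth0 lladdr 00:00:5E:00:53:01 REACHABLE
192.0.2.7 dev eth0 lladdr 00:00:5e:00:53:07 STALE
192.0.2.1 dev eth1 lladdr 00:00:5e:00:53:aa REACHABLE'
SAMPLE_NEIGH_AFTER='192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:02 REACHABLE
192.0.2.7 dev eth0 lladdr 00:00:5e:00:53:07 STALE'

# Offline run of the detection logic over the constructed sample; exit 0 and
# a "failover:" line mean the change was caught.
demo() {
    gw=$(printf '%s\n' "$SAMPLE_ROUTE" | default_gateway eth0)
    before=$(printf '%s\n' "$SAMPLE_NEIGH_BEFORE" | neigh_mac "$gw" eth0)
    after=$(printf '%s\n' "$SAMPLE_NEIGH_AFTER" | neigh_mac "$gw" eth0)
    if mac_changed "$before" "$after"; then
        echo "failover: $gw moved from $before to $after"
        return 0
    fi
    echo "no change for $gw ($before)"
    return 1
}

if [ "${MONITOR:-0}" = 1 ]; then monitor; else demo; fi
```

Run it as `MONITOR=1 sh gw-watchdog.sh` on the active OpenSwan node (from an init script or under heartbeat's control); without MONITOR=1 it only exercises the detection logic on the constructed sample. The watchdog sees the change only once eth0's neighbour table holds the new MAC, which, given that SSH to the node keeps working after the Check Point failover, is the case here. An empty lookup (the gateway entry aged out, or sits in FAILED/INCOMPLETE without an lladdr) is deliberately not treated as a change, so a transient cache miss does not bounce the tunnels; MAC addresses are lower-cased before comparison so a mixed-case entry is not mistaken for a new one. To follow Lionel's approach of failing the whole cluster node over instead of restarting IPsec in place, point ACTION_CMD at whatever command your heartbeat version uses to hand the resources to the standby.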