Commit d5a9de1

IPsec: add CARP considerations
1 parent f5b3dc8 commit d5a9de1

1 file changed

+20
-3
lines changed

source/manual/vpnet.rst

Lines changed: 20 additions & 3 deletions
Original line number | Diff line number | Diff line change
@@ -192,8 +192,7 @@ be allowed explicitly, the :menuselection:`Firewall --> Rules --> IPsec` menu it
192192
Dead Peer Detection (DPD)
193193
.................................
194194

195-
Dead Peer Detection (DPD) is a method of detecting a dead IKE peer by sending periodic R-U-THERE messages to the remote expecting R-U-THERE-ACK
196-
messages in return as specified by `RFC 3706 <https://www.ietf.org/rfc/rfc3706.txt>`__.
195+
Dead Peer Detection (DPD) is a method of detecting a dead IKE peer as specified by `RFC 3706 <https://www.ietf.org/rfc/rfc3706.txt>`__.
197196

198197
When a peer is assumed dead, an action may be specified, such as closing the CHILD_SA or re-negotiate the CHILD_SA under a fresh IKE_SA.
199198

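Review bot: removing the R-U-THERE / R-U-THERE-ACK clause at line 195 drops the only description of how DPD actually detects a dead peer; the new sentence just points at the RFC. Consider keeping a short mechanism clause, e.g. `Dead Peer Detection (DPD) is a method of detecting a dead IKE peer by exchanging periodic liveness messages, as specified by` followed by the existing RFC 3706 link. In the unchanged context line that follows, "re-negotiate" reads better as "renegotiate".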
@@ -209,7 +208,7 @@ This setting has no effect on how IKEv2 handles retransmissions, in which case t
209208

210209
By default for IKEv2 the timeout on connections triggering a dpd action takes at least a couple of minutes, when quicker interaction
211210
is needed the :code:`charon` retransmit timings should be changed which applies to all tunnels. These settings can
212-
be changed via the Advanced settings or when not yet supported on your version, a custom strongswan configuration.
211+
be changed via the Advanced settings and thus applies to all, or when not yet supported on your version, a custom strongswan configuration.
213212

214213

215214

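Review bot: the new wording at line 211, "These settings can be changed via the Advanced settings and thus applies to all, or when not yet supported on your version, a custom strongswan configuration", has a number-agreement problem ("settings ... applies") and repeats the "which applies to all tunnels" already stated in the preceding context line 210. Suggest: "These settings can be changed via the Advanced settings (and therefore apply to every tunnel) or, when your version does not yet support this, via a custom strongSwan configuration." Capitalising "strongSwan" and writing "DPD action" at line 210 would also match the rest of the section.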
@@ -350,6 +349,24 @@ The following client setup examples are available in our documentation:
350349
Using Network Address Translation in policy based tunnels is different, due to the fact that the installed IPsec policy
351350
should accept the traffic in order to encapsulate it. The `IPSec BINAT` document will explain how to apply translations.
352351

352+
.................................
353+
CARP considerations
354+
.................................
355+
356+
When using IPsec in a high availability setup, it is important to understand the implications of the setup. Without assuming
357+
what the remote gateway looks like (which may be a single device or a high availability setup as well), the following
358+
considerations should be taken into account:
359+
360+
- For IKEv2, MOBIKE should be disabled. Due to the nature of CARP, a virtual IP in backup state will "disappear", which will trigger
361+
MOBIKE to try to re-establish the connection from a different available IP, thus overriding your "Local address" configuration.
362+
In a lot of cases this will be the primary IP of the WAN interface.
363+
- In all cases (initiator, responder or both) the "Local Address" must be set to a CARP virtual IP.
364+
- DPD must at least be configured on the peer to detect a non-responsive peer and reauthenticate the connection. DPD is usually the
365+
limiting factor in failover response time and is therefore the primary functionality to adjust to allow for faster failover.
366+
See the DPD section for more information and constraints.
367+
- IPsec connections never failover seamlessly between primary and backup and always need a fresh IKE_SA. If quicker failover is
368+
required, dynamic routing with route-based tunnels is likely a better solution.
369+
353370
.................................
354371
Tuning considerations
355372
.................................
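Review bot: the third bullet (line 364) says "DPD must at least be configured on the peer" without stating which side; since the point of the bullet is that the other end has to notice the failed CARP master and reauthenticate, spell out "on the remote peer". In the same bullet, "See the DPD section" should be a Sphinx `:ref:` to the DPD heading rather than plain text so the cross-reference survives restructuring. Minor: in the last bullet (line 367) "never failover seamlessly" uses the noun form where the verb "fail over" is meant.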
