Is there a FreeBSD equivalent to the CLUSTERIP Linux kernel module?

Hello community,

I am brand new to FreeBSD and want to build a highly available IKEv2/IPSec VPN using the 'ha' plugin of StrongSwan.

From what I understand, this plugin handles the healthchecks between both instances and the replication and some control plane information (such as the client IP leases).

However, it relies on an external mechanism which handles the following:
- replying to unicast ARP requests (for a VIP) with a multicast MAC address so that both instances can receive all packets and maintain their IKEv2 and IPSec SAs simultaneously
- using a well-known hashing algorithm (e.g. outer tunnel source ip % number of instances == my instance id) to determine which instance will forward the packet (the other instances will discard the packet or use it just to maintain their SAs from time to time).

This mechanism is implemented on Linux using the CLUSTERIP modules - CLUSTERIP rules can be defined using iptables and are installed as a netfilter hook.

Is there, to your knowledge, a FreeBSD equivalent to this module? Or at least a way to implement this behavior using existing components (e.g. a user-space daemon for crafting the ARP responses and a kernel-space way to implement the well-known hashing algorithm - maybe the right pf/ipfw/firewall rule can already do this?)

If not, would there be interest among the community for such a kernel module ?

Thank you in advance, community

PS: I cannot implement HA using CARP or VRRP because the SAs cannot be maintained simultaneously, which means the failover is not transparent as the clients will have to reauthenticate
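
The forwarding decision described in the post (every instance receives each packet, and the outer source IP modulo the instance count selects the one that forwards it), as an added example that is not part of the original post and is not CLUSTERIP's code. The struct and function names are hypothetical, and the takeover step is an assumption about how a surviving instance would claim a failed peer's bucket.

```c
#include <arpa/inet.h>
#include <stdint.h>

/* Hypothetical per-instance state; names are illustrative, not CLUSTERIP's. */
struct instance {
    uint32_t total;  /* number of instances in the cluster (1..32) */
    uint32_t owned;  /* bit b set => this instance forwards bucket b */
};

/* Bucket of a packet: outer tunnel source IP % number of instances.
 * Returns -1 for an unparsable address or an invalid instance count. */
static int bucket_for(const char *src_ip, uint32_t total)
{
    struct in_addr a;
    if (total == 0 || total > 32 || inet_pton(AF_INET, src_ip, &a) != 1)
        return -1;
    return (int)(ntohl(a.s_addr) % total);
}

/* 1 = forward, 0 = receive but do not forward, -1 = invalid input. */
static int should_forward(const struct instance *n, const char *src_ip)
{
    int b = bucket_for(src_ip, n->total);
    return b < 0 ? -1 : (int)((n->owned >> b) & 1u);
}

/* Assumed failover step: a survivor also claims a failed peer's bucket. */
static void take_over(struct instance *n, uint32_t bucket)
{
    if (bucket < n->total)
        n->owned |= 1u << bucket;
}

/* Sanity check: number of live instances forwarding this source (want 1). */
static int forwarders(const struct instance *live, int count, const char *src_ip)
{
    int hits = 0;
    for (int i = 0; i < count; i++)
        hits += should_forward(&live[i], src_ip) == 1;
    return hits;
}

int main(void)
{
    struct instance n[2] = { { 2, 1u << 0 }, { 2, 1u << 1 } };
    take_over(&n[0], 1);  /* instance 1 failed; instance 0 claims bucket 1 */
    /* constructed sample source; exactly one survivor must forward it */
    return forwarders(n, 1, "198.51.100.11") == 1 ? 0 : 1;
}
```

A result other than 1 from `forwarders` means either duplicated forwarding (more than one owner of a bucket) or a black-holed client (no owner), which are the two failure modes of this scheme.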