HighAvailability - strongSwan
https://wiki.strongswan.org/projects/1/wiki/HighAvailability
strongSwan ha Tests
https://www.strongswan.org/uml/testresults/ha/index.html
IpsecStandards - strongSwan
https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStandards
Not Supported: RFC 6311: Protocol Support for High Availability of IKEv2/IPsec[strongSwan] Automated test ha/both-active fails
https://lists.strongswan.org/pipermail/users/2012-July/003299.html
> Our HA solution works different and is not based on RFC 6311. In fact, > we don't need any additional protocol support in IKEv2 between server > and client, all the synchronization is done between the cluster nodes > directly.
Cisco High Availability Solution: Stateful Failover for IPsec - Cisco
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white_paper_c11_472859.html
Stateful Failover for IP Security (IPsec) allows a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. A backup (secondary) router automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This process is transparent to the user and requires neither adjustment nor reconfiguration of any remote peer.
Stateful IPsec VPN High-Availability Alternatives - IPSec Virtual Private Network Fundamentals
http://flylib.com/books/en/2.45.1.50/1/
Recall that in stateless IPsec failover, there is a reconvergence delay directly attributable to rebuilding IPsec SAs with the redundant router upon failover.RFC 6311 - Protocol Support for High Availability of IKEv2/IPsec
Stateful IPsec HA builds the appropriate entries in the redundant VPN gateway's SADB in advance and employs a mechanism to accurately maintain state parity between the active and standby VPN gateways, thereby effectively precluding the need for IPsec to renegotiate Phase 1 and Phase 2 SAs upon failover
https://tools.ietf.org/html/rfc6311
RFC 6027 - IPsec Cluster Problem Statement
https://tools.ietf.org/html/rfc6027
Proposed IPsec HA Cluster Protocol
http://www.ietf.org/proceedings/78/slides/ipsecme-3.pdf
沒有留言:
張貼留言