tinc with ha firewall

Guus Sliepen guus at tinc-vpn.org
Fri Jan 22 10:23:50 CET 2016


On Fri, Jan 22, 2016 at 09:12:03AM +0000, mlist wrote:

> Hi, I have an HA firewall configuration (keepalived) on one site. Each firewall has its own IP and a Virtual IP (VIP) that keepalived activates on one of the firewalls (active/passive HA configuration).
> I think I can set both firewalls up with the same configuration, generating the key pair on one firewall and copying it to the second, so the remote host always sees one or the other firewall as the same host:
> 
> The remote host always sees:
> 
> - the same IP (the active firewall's VIP)
> - only one public key (the private key is the same on both firewalls)
> - we can rsync all of /etc/tinc to both firewalls
> - we can start/stop the active/passive firewall with the keepalived failover script
> 
> We have not tested this mechanism yet; we'll do that as soon as possible.
> Can this configuration work?
> Does tinc have a specific HA scenario configuration or a best practice?

This will work, as long as only one of your firewalls runs tinc at any
time. So have keepalived start/stop tinc.

Another option is to give tinc on each firewall its own Name and
public/private key, and have the remote host(s) ConnectTo both
firewalls. You can have the same Subnet on both firewalls, tinc will
then select one of them to send packets to (you can give the Subnets
weights to explicitly prioritize one firewall over the other), but if
that one goes down it will automatically switch to the other.

Since you already have keepalived I'd go with the former option.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
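A keepalived notify script for the first option above (tinc only runs on the firewall that currently holds the VIP), added here as an example and not taken from the tinc project or the thread. It assumes a tinc network named `vpn` (placeholder, overridable via `TINC_NETNAME`) and the standard keepalived notify arguments `<GROUP|INSTANCE> <name> <state>`; every state other than MASTER stops tinc, so two daemons never share one Name and private key at the same time.

```shell
#!/bin/sh
# keepalived notify script: run tincd only on the node holding the VIP.
# Added example (not tinc project code). Assumes network name "vpn"
# (placeholder) and keepalived's "<GROUP|INSTANCE> <name> <state>" arguments.
NETNAME="${TINC_NETNAME:-vpn}"          # assumption: tinc network name
PIDFILE="/var/run/tinc.${NETNAME}.pid"

# Map a keepalived state to the action tinc should take. Kept free of side
# effects so it can be checked on its own: only MASTER owns the VIP; BACKUP,
# FAULT, STOP and anything unexpected must leave tinc stopped, otherwise two
# daemons with the same key would be announcing the same node.
tinc_action() {
    case "$1" in
        MASTER) echo start ;;
        *)      echo stop ;;
    esac
}

tinc_start() {
    # Do not spawn a second daemon if one is still alive on this node.
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        return 0
    fi
    tincd -n "$NETNAME" --pidfile="$PIDFILE"
}

tinc_stop() {
    # -k asks the running tincd for this network to shut down cleanly.
    if [ -f "$PIDFILE" ]; then
        tincd -n "$NETNAME" --pidfile="$PIDFILE" -k
    fi
}

# keepalived passes: $1 = GROUP|INSTANCE, $2 = vrrp name, $3 = new state.
# Only dispatch when those arguments are present, so the functions above can
# also be sourced or tested without touching tincd.
if [ "$#" -ge 3 ]; then
    action="$(tinc_action "$3")"
    logger -t tinc-ha "keepalived $1 $2 -> $3, tinc: $action"
    case "$action" in
        start) tinc_start ;;
        stop)  tinc_stop ;;
    esac
fi
```

Register it in keepalived.conf with `notify /path/to/this/script` inside the vrrp_instance that carries the VIP.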