tinc with ha firewall

mlist mlist at apsystems.it
Fri Jan 22 10:32:30 CET 2016


Ok, I think syncing 2 firewalls is the best solution with keepalived active/passive HA, too.
I'll try this solution to see if all goes straightforward between failover/failback and tinc communications.

Thank you Guus.
Best regards

Roberto



-----Original Message-----
From: tinc [mailto:tinc-bounces a tinc-vpn.org] On Behalf Of Guus Sliepen
Sent: Friday, 22 January 2016 10:24
To: tinc a tinc-vpn.org
Subject: Re: tinc with ha firewall

On Fri, Jan 22, 2016 at 09:12:03AM +0000, mlist wrote:

> Hi, I have an HA firewall configuration (keepalived) on one site. Each firewall has its own IP and a Virtual IP (VIP) that keepalived activates on one of the firewalls (active/passive HA configuration).
> I think I can set up both firewalls with the same configuration, generating the key pair on one firewall and copying it to the second, so the remote host always sees either firewall as the same one:
> 
> The remote host always sees:
> 
> - the same IP (active firewall VIP)
> - only one public key used (the private key is the same on both firewalls)
> - we can rsync all /etc/tinc content to both firewalls
> - we can start/stop tinc on the active/passive firewall with the keepalived failover script
> 
> We have not tested this mechanism yet; we'll do that as soon as possible.
> Can this configuration work?
> Does tinc have a specific HA scenario configuration or a best practice?

This will work, as long as only one of your firewalls runs tinc at any
time. So have keepalived start/stop tinc.

Another option is to give tinc on each firewall its own Name and
public/private key, and have the remote host(s) ConnectTo both
firewalls. You can have the same Subnet on both firewalls, tinc will
then select one of them to send packets to (you can give the Subnets
weights to explicitly prioritize one firewall over the other), but if
that one goes down it will automatically switch to the other.

Since you already have keepalived I'd go with the former option.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus a tinc-vpn.org>
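The first option Guus recommends hinges on one invariant: the shared tinc identity must never run on both firewalls at once, or the remote host ends up talking to two daemons claiming the same Name and key. The script below is an added example of a keepalived notify script that enforces that invariant; it is not code from this thread or from the tinc project. It assumes keepalived's standard notify argument convention (type, instance name, new state MASTER/BACKUP/FAULT, priority), a tinc network named "vpn", and a tincd binary in PATH. Anything other than MASTER stops tinc, so an unexpected state can never leave two active daemons.

```shell
#!/bin/sh
# Hypothetical keepalived notify script for an active/passive tinc pair.
# keepalived invokes it as: <script> <GROUP|INSTANCE> <name> <MASTER|BACKUP|FAULT> <priority>
# Configure it in keepalived.conf with:  notify /usr/local/sbin/tinc-failover.sh

NETNAME="${NETNAME:-vpn}"   # tinc network name (assumed; matches /etc/tinc/vpn)

# Map a keepalived state to the tinc action we want.  Prints "start" or "stop".
# Only the MASTER (the node holding the VIP) may run tinc; everything else,
# including an unknown state, fails safe to "stop" so two daemons never share
# one identity.
tinc_action_for_state() {
    case "$1" in
        MASTER)            echo start ;;
        BACKUP|FAULT)      echo stop ;;
        *)                 echo stop ;;
    esac
}

# Carry out the action with the tinc 1.0 command line:
#   tincd -n NET      starts the daemon for network NET
#   tincd -n NET -k   sends the running daemon a TERM signal
# Stopping an already-stopped daemon is harmless, so the script is idempotent
# across repeated BACKUP/FAULT transitions.
apply_tinc_action() {
    case "$1" in
        start) tincd -n "$NETNAME" ;;
        stop)  tincd -n "$NETNAME" -k 2>/dev/null || true ;;
    esac
}

# Only act when keepalived actually hands us a state argument.
if [ "$#" -ge 3 ]; then
    apply_tinc_action "$(tinc_action_for_state "$3")"
fi
```

Because /etc/tinc is rsynced between the two nodes (as the original poster plans), the only node-specific piece is the keepalived priority; the tinc side is identical on both. If you later prefer Guus's second option, each firewall gets its own Name and key instead, and the shared Subnet line in both host files carries a weight suffix (address/prefix#weight, lower weight preferred) so the remote host deterministically favours one firewall while still failing over to the other.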

