HA firewall with tinc

mlist mlist at apsystems.it
Wed Jan 27 08:31:28 CET 2016


I think it should work, at least for a TUN virtual interface, as TUN works at the IP level.
This is a sample configuration.

        firewall1 lan    = 172.16.1.11/19     (ALWAYS ACTIVE) - "Physical Network Interface" - system config as ifcfg-...
                           172.16.1.10/19     (VIP, made active by Keepalived) - Active/Passive configuration with firewall2
        firewall1 vpndr1 = 172.16.1.10/8      (ALWAYS ACTIVE) - "Virtual Network Interface" - tinc config as tinc-up, started as a service

        firewall2 lan    = 172.16.1.12/19     (ALWAYS ACTIVE) - "Physical Network Interface" - system config as ifcfg-...
                           172.16.1.10/19     (VIP, made active by Keepalived) - Active/Passive configuration with firewall1
        firewall2 vpndr1 = 172.16.1.10/8      (ALWAYS ACTIVE) - "Virtual Network Interface" - tinc config as tinc-up, started as a service

I tested this config and it seems to work fine. When a failover happens from one node to the other, after some seconds the remote tinc sees "connection reset by peer" (from the previously active node, e.g. firewall1) and reconnects to the newly active node (e.g. firewall2). No network conflict has been seen so far.

Can you tell me if I'm making wrong assumptions, or if some non-optimal behaviour could be hidden?

Thank you
Best Regards

Roberto



From: mlist
Sent: Wednesday, 27 January 2016, 02:32
To: 'tinc a tinc-vpn.org' <tinc a tinc-vpn.org>
Subject: HA firewall with tinc

I have 2 firewalls in HA with keepalived. Can I use the same tinc configuration, active, on both firewalls? Is using a tun interface with the same IP on both nodes a problem? Does the tun device advertise itself on the network with an IP/MAC pair (ARP), or is the IP only used by the system internally for routing, so that using the same configuration is fine? One firewall would be active, the other passive. With this configuration I can avoid starting/stopping tinc with keepalived's active/passive node transitions. Keepalived is sometimes problematic with virtual machine backups (snapshot stun time), transitioning from Master to Slave and vice versa at stun time, so we can avoid the chance that keepalived erroneously starts up and shuts down tinc.

Thank you


Roberto
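As an added worked example (not code from the post or from the tinc project), the setup described above rendered as actual configuration files: a small shell helper, `render_node`, writes the keepalived and tinc files for one of the two nodes under a root directory (`$ROOT`, empty for the real filesystem root) so the result can be inspected before deployment. The LAN interface name eth0, the VRRP instance name and router id, the tinc node name `fw`, the `Subnet` line and the helper itself are assumptions, not from the thread. Two things the thread does not spell out but that this layout needs: the host file the remote peer uses for the firewall must put the VIP in `Address`, not one node's own address, so that the reconnect after a failover lands on the new active node; and both firewalls must carry the same tinc `Name`, host file and RSA key pair, since the remote authenticates whichever node answers on the VIP.

```shell
#!/bin/sh
# Added example, not from the thread or the tinc project: write the keepalived
# and tinc configuration for one of the two HA firewall nodes. Files go under
# "$ROOT" (empty = real root) so the result can be inspected in a scratch dir.
#
# Assumptions (hypothetical, chosen to match the thread): LAN interface eth0,
# tinc netname vpndr1, tinc node name "fw" shared by both firewalls, VRRP
# instance VI_LAN / router id 51, and the Subnet advertised to the remote peer.
set -eu

render_node() {
    node="$1"    # firewall1 or firewall2 (label only)
    state="$2"   # MASTER on firewall1, BACKUP on firewall2
    prio="$3"    # higher value wins the VIP, e.g. 101 vs 100
    root="${ROOT:-}"

    mkdir -p "$root/etc/keepalived" "$root/etc/tinc/vpndr1/hosts"

    # keepalived: only the LAN VIP moves between the nodes. The physical
    # addresses (.11 and .12) stay in the OS ifcfg files, as in the thread.
    cat > "$root/etc/keepalived/keepalived.conf" <<EOF
vrrp_instance VI_LAN {
    state $state
    interface eth0
    virtual_router_id 51
    priority $prio
    advert_int 1
    virtual_ipaddress {
        172.16.1.10/19 dev eth0
    }
}
EOF

    # tinc.conf: identical on both nodes and started as a normal service,
    # never by keepalived. No BindToAddress: tincd must also accept the
    # connection that arrives on the VIP, so it listens on all addresses.
    cat > "$root/etc/tinc/vpndr1/tinc.conf" <<'EOF'
Name = fw
Interface = vpndr1
Mode = router
EOF

    # tinc-up: a tun device has no MAC and sends no ARP, so the address is
    # local to the box and both nodes carry 172.16.1.10/8 on vpndr1 at once.
    cat > "$root/etc/tinc/vpndr1/tinc-up" <<'EOF'
#!/bin/sh
ip link set "$INTERFACE" up
ip addr add 172.16.1.10/8 dev "$INTERFACE"
EOF
    chmod 0755 "$root/etc/tinc/vpndr1/tinc-up"

    # Host file copied to the remote peer (whose tinc.conf says ConnectTo = fw).
    # Address is the VIP, so after a failover the reconnect reaches the new
    # active node. The same RSA key pair (tincd -n vpndr1 -K) must be installed
    # on both firewalls and its public half appended to this file.
    cat > "$root/etc/tinc/vpndr1/hosts/fw" <<'EOF'
Address = 172.16.1.10
Subnet = 172.16.0.0/19
EOF

    echo "$node: configuration written under ${root:-/}"
}

# Prints the tinc-up script for inspection; its content is identical on both
# nodes, which is the property the active/passive layout relies on.
show_tinc_up() {
    cat "${ROOT:-}/etc/tinc/vpndr1/tinc-up"
}
```

Run `render_node firewall1 MASTER 101` on the first node and `render_node firewall2 BACKUP 100` on the second: the tinc files it writes are byte-identical on both, and only the keepalived state and priority differ. Setting `BindToAddress` to a node's physical address would break the design, because the remote's connection arrives on the VIP; tincd's default of listening on all local addresses is what makes the VIP usable.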
