Hi everybody,

I look for a HA solution. Did some of you manage to configure such a solution? I see this webpage but through the mailing archive, it seems there are other solutions (not described in mailing-list).

Thanks in advance for your support.
Hi,

> I look for a HA solution.
> Did some of you manage to configure such a solution ?

Yes, with heartbeat. If one node goes down, the other takes over. It is pretty straight.

Best,
Julian
Julian:

Today I am starting to install a Shorewall & HA solution, the same as what you are doing. Can you share your design, how you have set up two Shorewall servers, how you have named them, etc.? You can always send me the info directly: kbajwa@tibonline.net

Thanks.
Kirti Bajwa

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Julian Hein
Sent: Wednesday, May 31, 2006 5:58 AM
To: shorewall-users@lists.sourceforge.net
Subject: RE: [Shorewall-users] High Availability (HA)

Hi,

> I look for a HA solution.
> Did some of you manage to configure such a solution ?

Yes, with heartbeat. If one node goes down, the other takes over. It is pretty straight.

Best,
Julian
Heartbeat can only be a part of the whole design. Heartbeat can do IP address failover, but cannot do iptables/netfilter status replication between hosts: if the master breaks, the second node will accept traffic on the same IP after the heartbeat system has "failed-over" the IP address, but every existing connection established on the master will fail on the secondary node because every packet will be considered NEW and every existing NATed connection will break. Heartbeat does not and cannot keep the netfilter kernel tables synchronized. Heartbeat is good for service failover but leaves to each service the duty of providing status and data replication.

If the service is a netfilter/iptables firewall, the solution for status replication can be ct_sync, but it is a not yet mature project and involves kernel patching and rebuild. You can refer to: http://svn.netfilter.org/netfilter/branches/netfilter-ha/linux-2.6/README for more info about it.

And... if you are successful with it, please share your experience!! :-)

Bye

-----------------------------------------------------
Paolo Basenghi - Sistemi Informativi
Az. Speciale Farmacie Comunali Riunite
Via Doberdò, 9 - 42100 Reggio Emilia
Tel. +39(0522)543312 - Fax +39(0522)550146
paolo.basenghi@fcr.re.it; www.fcr.re.it; www.saninforma.it; www.futurfarma.it
-----------------------------------------------------

Julian Hein wrote:
> Hi,
>
>> I look for a HA solution.
>> Did some of you manage to configure such a solution ?
>
> Yes, with heartbeat. If one node goes down, the other takes over. It is
> pretty straight.
>
> Best,
> Julian
Paolo Basenghi wrote:
>
> If the service is netfilter/iptables firewall, the solution for status
> replication can be ct_sync, but is a not yet mature project and involve
> kernel patching and rebuild.
> You can refer to:
> http://svn.netfilter.org/netfilter/branches/netfilter-ha/linux-2.6/README
> for more info about it.
>

It is my understanding that work on ct_sync has pretty much stopped and the code in SVN is against 2.6.10 or thereabouts.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,    \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
John Serink
2006-Jun-01 17:42 UTC
Openswan 2.2.0 using the 2.6 Netkey stack (not KLIPS)
Hi All:

Here is what I am running:

rx1000test:~# uname -a
Linux rx1000test 2.6.8-16-486-rx #1 Wed Mar 15 15:33:23 UTC 2006 i586 GNU/Linux
rx1000test:~# shorewall version
2.2.3
rx1000test:~# ipsec version
Linux Openswan U2.2.0/K2.6.8-16-486-rx (native)

Ok, I've been through the docs for shorewall 2.2.3 and they have a section on setting up for IPSec but it's using the racoon user space tools, not Openswan. The section on Openswan assumes the use of the KLIPS stack rather than the 2.6 kernel's NETKEY stack or internal stack.

Does anyone know how to set up shorewall for a VPN using Openswan and the Netkey stack in kernel 2.6?

Cheers,
John
On Thu, 2006-06-01 at 09:31 -0700, Tom Eastep wrote:
>
> It is my understanding that work on ct_sync has pretty much stopped and the code
> in SVN is against 2.6.10 or thereabouts.

That is true, it seems the project is dead. But with the netfilter/nflink library it is possible to do session/conntrack syncs via userspace. There is at least one project that does this called conntrackd (http://people.netfilter.org/pablo/conntrackd/) which might fill this gap once it is ready for real usage...

> -Tom

--arne

--
Arne Bernin <arne@alamut.de>
http://www.ucBering.de
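The failure Paolo describes above, and the effect of the state replication that ct_sync or conntrackd would provide, as an added example (a constructed Python model, not code from this thread, netfilter or conntrackd). It assumes a masquerading firewall whose policy drops TCP packets that have neither a conntrack entry nor a SYN flag; all addresses, ports and function names are made up for illustration.

```python
# Added illustration: a constructed model, not netfilter or conntrackd code.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"   # constructed: the shared address heartbeat moves


@dataclass
class Firewall:
    name: str
    conntrack: dict = field(default_factory=dict)  # reply tuple -> original tuple
    next_port: int = 40000                         # next masquerade source port

    def outbound(self, src, sport, dst, dport, syn):
        """LAN -> Internet packet, masqueraded behind PUBLIC_IP."""
        if (src, sport, dst, dport) in self.conntrack.values():
            return "ACCEPT (ESTABLISHED)"
        if not syn:
            # Assumed policy: a stateless mid-stream packet is NEW and dropped.
            return "DROP (NEW, not SYN)"
        self.conntrack[(dst, dport, PUBLIC_IP, self.next_port)] = (src, sport, dst, dport)
        self.next_port += 1
        return "ACCEPT (NEW)"

    def inbound(self, src, sport, dst, dport):
        """Internet -> PUBLIC_IP packet; an entry is needed to reverse the NAT."""
        orig = self.conntrack.get((src, sport, dst, dport))
        if orig is None:
            return "DROP (no conntrack/NAT entry)"
        return f"ACCEPT (ESTABLISHED) -> {orig[0]}:{orig[1]}"


def sync(master, backup):
    """Stand-in for state replication (the role of ct_sync or conntrackd)."""
    backup.conntrack = dict(master.conntrack)
    backup.next_port = master.next_port


def failover_demo(replicate):
    master, backup = Firewall("fw1"), Firewall("fw2")
    first = master.outbound("192.168.1.10", 51000, "198.51.100.7", 443, syn=True)
    if replicate:
        sync(master, backup)
    # fw1 dies; heartbeat moves PUBLIC_IP to fw2; the rest of the flow arrives there.
    reply = backup.inbound("198.51.100.7", 443, PUBLIC_IP, 40000)
    more = backup.outbound("192.168.1.10", 51000, "198.51.100.7", 443, syn=False)
    return first, reply, more


if __name__ == "__main__":
    print("IP failover only:   ", failover_demo(False))
    print("with state sync:    ", failover_demo(True))
```
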
<info@kws-netzwerke.de>
2006-Jun-01 18:46 UTC
AW: Openswan 2.2.0 using the 2.6 Netkey stack (not KLIPS)
With these links you should find some hints on configuring FREESWAN/OPENSWAN:

http://www.shorewall.net/VPNBasics.html
http://www.shorewall.net/IPSEC.html
http://www.shorewall.net/IPSEC-2.6.html

I've been running many tunnels with this and the documentation gives answers to all the questions you should have and more...

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of John Serink
Sent: Thursday, June 1, 2006 19:42
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Openswan 2.2.0 using the 2.6 Netkey stack (not KLIPS)

Hi All:

Here is what I am running:

rx1000test:~# uname -a
Linux rx1000test 2.6.8-16-486-rx #1 Wed Mar 15 15:33:23 UTC 2006 i586 GNU/Linux
rx1000test:~# shorewall version
2.2.3
rx1000test:~# ipsec version
Linux Openswan U2.2.0/K2.6.8-16-486-rx (native)

Ok, I've been through the docs for shorewall 2.2.3 and they have a section on setting up for IPSec but it's using the racoon user space tools, not Openswan. The section on Openswan assumes the use of the KLIPS stack rather than the 2.6 kernel's NETKEY stack or internal stack.

Does anyone know how to set up shorewall for a VPN using Openswan and the Netkey stack in kernel 2.6?

Cheers,
John