Ok, I think syncing the 2 firewalls is the best solution, with keepalived
active/passive HA too.
I'll try this solution to see if all goes smoothly between
failover/failback and tinc communications.
Thank you Guus.
Best regards
Roberto
-----Original Message-----
From: tinc [mailto:tinc-bounces at tinc-vpn.org] On Behalf Of Guus Sliepen
Sent: Friday 22 January 2016 10:24
To: tinc at tinc-vpn.org
Subject: Re: tinc with ha firewall
On Fri, Jan 22, 2016 at 09:12:03AM +0000, mlist wrote:
> Hi, I have an HA firewall configuration (keepalived) on one site. Each
> firewall has its own IP and a Virtual IP (VIP) that keepalived activates on one
> of the firewalls (active/passive HA configuration).
> I think I can set up both firewalls with the same configuration, generating the key
> pair on one firewall and copying it to the second, so the remote host always sees
> one or the other firewall as the same node:
>
> The remote host always sees:
>
> - The same IP (the active firewall's VIP)
> - Only one public key in use (the private key is the same on both firewalls)
> - We can rsync all of the /etc/tinc content to both firewalls
> - We can start/stop the active/passive firewall with the keepalived
> failover script
>
> We have not tested this mechanism yet; we'll do that as soon as
> possible.
> Can this configuration work?
> Does tinc have a specific HA scenario configuration or a best practice?
This will work, as long as only one of your firewalls runs tinc at any
time. So have keepalived start/stop tinc.
Another option is to give tinc on each firewall its own Name and
public/private key, and have the remote host(s) ConnectTo both
firewalls. You can have the same Subnet on both firewalls, tinc will
then select one of them to send packets to (you can give the Subnets
weights to explicitly prioritize one firewall over the other), but if
that one goes down it will automatically switch to the other.
Since you already have keepalived I'd go with the former option.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
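The keepalived-driven option Guus recommends above (keepalived starts tinc on the firewall that holds the VIP and stops it everywhere else), as an added example that is not part of the original thread and not code from the tinc project: a keepalived `notify` script with the state-to-action mapping in a function so it can be checked without root. The network name `vpn`, the systemd template unit `tinc@vpn`, and the VRRP instance name `VI_FW` are assumptions; adjust them for an init.d-based install.

```shell
#!/bin/sh
# Added example (not from the tinc project or the thread): keepalived "notify"
# script that starts tinc only on the firewall holding the VIP (MASTER) and
# stops it when the node becomes BACKUP, enters FAULT, or keepalived stops,
# so that only one of the two firewalls runs tinc at any time.
#
# keepalived calls a notify script as:
#   <script> <TYPE> <NAME> <STATE> [PRIORITY]
# e.g. /etc/keepalived/tinc-notify.sh INSTANCE VI_FW MASTER 200
# with a stanza like the following in keepalived.conf (instance name assumed):
#   vrrp_instance VI_FW {
#       ...
#       notify /etc/keepalived/tinc-notify.sh
#   }

# Assumptions: the tinc network is called "vpn" and is managed by the
# systemd template unit tinc@<netname>; adjust for an init.d based setup.
NETNAME="${TINC_NET:-vpn}"
TINC_UNIT="tinc@${NETNAME}"

# Map a keepalived state to the tinc action it should trigger.
tinc_action_for_state() {
    case "$1" in
        MASTER)            echo start ;;
        BACKUP|FAULT|STOP) echo stop ;;
        *)                 echo ignore ;;
    esac
}

# Carry out the action for a state.  With DRY_RUN=1 the command is printed
# instead of executed (used to check the mapping without root).
apply_tinc_state() {
    action=$(tinc_action_for_state "$1")
    case "$action" in
        start) cmd="systemctl start ${TINC_UNIT}" ;;
        stop)  cmd="systemctl stop ${TINC_UNIT}" ;;
        *)     return 0 ;;
    esac
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
    else
        logger -t tinc-notify "keepalived state $1: $cmd"
        $cmd
    fi
}

# Entry point when invoked by keepalived (TYPE NAME STATE [PRIORITY]).
if [ "$#" -ge 3 ]; then
    apply_tinc_state "$3"
fi
```

Stopping tinc on BACKUP and FAULT, not only starting it on MASTER, is what enforces the "only one firewall runs tinc at any time" condition: if the old master merely loses the VIP but keeps its tinc daemon, both nodes hold the same Name and private key and will both try to maintain connections. Since the plan rsyncs all of /etc/tinc, the private key lives on both firewalls, so both must be protected to the same standard. For the second option Guus mentions (two Names, same Subnet), the preference would instead be expressed in the hosts files with a Subnet weight, e.g. `Subnet = 10.1.0.0/24#5` on the preferred firewall and a higher weight on the other (the address is an assumption; lower weights are preferred).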