Question: How to use StrongSwan Auto Restart?
Solution:
StrongSwan Auto Restart is a Linux utility that restores connectivity to the Linux host when the Versa FlexVNF services are unstable. It configures an IPSec tunnel on the Linux host through which you can SSH to the device from the Versa Director even when all the Versa FlexVNF services are down. This feature is enabled by default and requires no extra configuration.
Follow these steps to understand how to use the StrongSwan auto restart feature:
- Bootstrap a branch with the staging server and then with the post-staging server.
- A snapshot and the configuration are created and saved in the /var/lib/vs/.vs_snap/<snapshot>/cfg folder.
- Kill the vsmd process (4 times within 10 cycles of 30 seconds, that is 5 minutes) to initiate the stop process. This releases the IP address so that the Linux host can use it, and the monit rule in /etc/monit/conf.d/versa-mon-vcsn calls the StrongSwan script.
- The StrongSwan script collects the IPSec-related configuration from the versa-mon-vcsn file, writes it to the ipsec.secrets and ipsec.conf files, and initiates an IPSec connection between the branch and the controller.
admin@Branch:~$ cat /etc/ipsec.secrets
[email protected] [email protected] : PSK 1234
admin@Branch:~$ cat /etc/ipsec.conf
config setup
conn %default
    ikelifetime=72h
    keylife=3m
    rekeymargin=30s
    keyingtries=3
    authby=secret
    keyexchange=ikev2
    mobike=no
    closeaction=restart
    dpdaction=restart
conn B1
    left=nil
    [email protected]
    leftfirewall=yes
    right=182.75.39.202
    [email protected]
    auto=add
    leftsourceip=%config
    rightsubnet=0.0.0.0/0
- The controller sends a branch maintenance notification to the Versa Director.
- SSH into the Linux box using the Versa Director GUI.
- Modify the /etc/monit/conf.d/versa-mon-vcsn script in the Versa FlexVNF to test the feature.
- Change the last line of the script so that it executes after 1 restart within 1 cycle instead of 4 restarts within 10 cycles. The tail of the rule as shipped reads:
/opt/versa/scripts/on_vsmd_stop.sh -d" # 4 times in 10*30 seconds
- Run the sudo killall versa-vsmd command to kill the vsmd process.
sudo killall versa-vsmd
- Run the vsh status command to check the status.
admin@Branch:~$ vsh status
[sudo] password for admin:
versa-vsmd is Stopped
versa-infmgr is Stopped
versa-rfd is Stopped
versa-vmod is Stopped
versa-ip2user is Stopped
versa-imgr is Stopped
versa-acctmgrd is Stopped
versa-fltrmgr is Stopped
versa-vstated is Stopped
versa-spack is Stopped
versa-addrmgrd is Stopped
versa-rt-cli-xfm is Stopped
versa-rtd is Stopped
versa-dhcpd is Stopped
versa-eventd is Stopped
versa-vrrpd is Stopped
versa-dnsd is Stopped
versa-ppmd is Stopped
versa-snmp-xform is Stopped
versa-certd is Stopped
versa-ntpd is Stopped
versa-dhclient6 is Stopped
versa-devmgr is Stopped
versa-nodejs is Stopped
versa-confd is Stopped
versa-redis is Stopped
versa-monit is Stopped
- Run the sudo ipsec statusall command to check the creation of the IPSec tunnel.
admin@Branch:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.16.0-77-generic, x86_64):
  uptime: 42 minutes, since Aug 31 23:31:28 2017
  malloc: sbrk 2703360, mmap 0, used 404256, free 2299104
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl gcrypt gmp xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Listening IP addresses:
  10.128.0.107
  10.128.0.127
Connections:
        B1:  nil...182.75.39.202  IKEv2, dpddelay=30s
        B1:   local:  [[email protected]] uses pre-shared key authentication
        B1:   remote: [[email protected]] uses pre-shared key authentication
        B1:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
        B1[1]: ESTABLISHED 42 minutes ago, 10.128.0.127[[email protected]]...182.75.39.202[[email protected]]
        B1[1]: IKEv2 SPIs: 7a1f66feffb559c9_i* 6bb6858f59bb0002_r, pre-shared key reauthentication in 2 days
        B1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
        B1{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c0378d83_i 020037ea_o
        B1{1}:  AES_CBC_128/HMAC_SHA1_96, 224 bytes_i, 0 bytes_o, rekeying in 71 seconds
        B1{1}:   10.0.1.27/32 === 10.0.1.0/24 172.9.155.1/32 192.9.253.1/32
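A small check that a practitioner can run from cron or a monitoring hook to confirm the maintenance tunnel really came up, added here as an example and not part of the Versa article or its scripts. It parses the `ipsec statusall` format shown above and distinguishes "no IKE SA" from "IKE SA up but no child SA"; the sample status text is constructed.

```shell
#!/bin/sh
# tunnel_up NAME [STATUS_TEXT]
# Returns 0 when connection NAME has an ESTABLISHED IKE SA and an INSTALLED
# child SA, 1 when the IKE SA is missing, 2 when only the child SA is missing.
# STATUS_TEXT is optional (used here for offline checks); without it the
# function runs `sudo ipsec statusall` on the host, as in the article.
tunnel_up() {
    name="$1"
    status="${2:-$(sudo ipsec statusall 2>/dev/null)}"
    # IKE SA lines look like "        B1[1]: ESTABLISHED 42 minutes ago, ..."
    printf '%s\n' "$status" | grep -q "^ *${name}\[[0-9]*\]: ESTABLISHED" || return 1
    # child SA lines look like "        B1{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ..."
    printf '%s\n' "$status" | grep -q "^ *${name}{[0-9]*}: *INSTALLED" || return 2
    return 0
}

# Constructed samples shaped like the article's `ipsec statusall` output.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
        B1[1]: ESTABLISHED 42 minutes ago, 10.128.0.127[branch]...182.75.39.202[ctrl]
        B1[1]: IKEv2 SPIs: 7a1f66feffb559c9_i* 6bb6858f59bb0002_r
        B1{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c0378d83_i 020037ea_o'
SAMPLE_NO_CHILD='Security Associations (1 up, 0 connecting):
        B1[1]: ESTABLISHED 3 seconds ago, 10.128.0.127[branch]...182.75.39.202[ctrl]'
SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
        B1[2]: CONNECTING, 10.128.0.127[%any]...182.75.39.202[%any]'

# Stand-alone run: report on the live host (or on the constructed sample when
# strongSwan is not installed) and exit with the tunnel state as the status code.
if [ -z "$TUNNEL_CHECK_NO_MAIN" ]; then
    if command -v ipsec >/dev/null 2>&1; then
        tunnel_up B1; rc=$?
    else
        tunnel_up B1 "$SAMPLE_UP"; rc=$?
    fi
    case $rc in
        0) echo "B1: tunnel up" ;;
        1) echo "B1: no IKE SA established" ;;
        2) echo "B1: IKE SA up but child SA not installed" ;;
    esac
fi
```

Run it with `TUNNEL_CHECK_NO_MAIN=1 . ./tunnel_check.sh` to source only the function into another script.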
- Run the ifconfig command to check the status of eth1 on the Linux host.
admin@Branch:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0b:ab:f2:b6:da
          inet addr:10.128.0.107  Bcast:10.128.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20b:abff:fef2:b6da/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3483 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:352264 (352.2 KB)  TX bytes:8801 (8.8 KB)
          Memory:dfc00000-dfcfffff

eth1      Link encap:Ethernet  HWaddr 00:0b:ab:f2:b6:db
          inet addr:10.128.0.127  Bcast:10.128.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20b:abff:fef2:b6db/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3701 errors:0 dropped:0 overruns:0 frame:0
          TX packets:256 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:375857 (375.8 KB)  TX bytes:30016 (30.0 KB)
          Memory:df900000-df9fffff

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1299620 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1299620 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:162458401 (162.4 MB)  TX bytes:162458401 (162.4 MB)