<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Arial Black";
panose-1:2 11 10 4 2 1 2 2 2 4;}
@font-face
{font-family:"AvantGarde Bk BT";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 2.0cm 2.0cm 2.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="IT" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">I think it should work at least for a TUN virtual interface, as TUN works at the IP level.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">This is a sample configuration.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span>
<span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New";color:#1F497D">firewall1 lan = 172.16.1.11/19 (ALWAYS ACTIVE) - "Physical Network Interface" – system config as ifcfg-…<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New";color:#1F497D"> 172.16.1.10/19 (VIP Keepalived Make active) - Active/Passive configuration with firewall2<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New";color:#1F497D"> firewall1 vpndr1 = 172.16.1.10/8 (ALWAYS ACTIVE) - "Virtual Network Interface" – tinc config as tinc-up started as service<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New";color:#1F497D"> firewall2 lan = 172.16.1.12/19 (ALWAYS ACTIVE) - "Physical Network Interface" – system config as ifcfg-…<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New";color:#1F497D"> 172.16.1.10/19 (VIP Keepalived Make active) - Active/Passive configuration with firewall1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New";color:#1F497D"> firewall2 vpndr1 = 172.16.1.10/8 (ALWAYS ACTIVE) - "Virtual Network Interface" – tinc config as tinc-up started as service<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New";color:#1F497D">I tested this config and it seems to work fine. When failover happens from one node to the other, after some seconds the remote tinc sees "connection reset by peer" (from the previous
active node, e.g. firewall1) and re-connects with the new active node (e.g. firewall2). No network conflict has been seen so far.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Can you tell me if I’m making wrong assumptions? Or if some non-optimal behavior could be hidden?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Thank you<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Best Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Courier New";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:"Arial Black",sans-serif;color:navy;mso-fareast-language:IT">Roberto</span></i><span style="color:#1F497D;mso-fareast-language:IT"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D;mso-fareast-language:IT"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="mso-fareast-language:IT">From:</span></b><span lang="EN-US" style="mso-fareast-language:IT"> mlist
<br>
<b>Sent:</b> Wednesday, 27 January 2016 02.32<br>
<b>To:</b> 'tinc@tinc-vpn.org' <tinc@tinc-vpn.org><br>
<b>Subject:</b> HA firewall with tinc<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">I have 2 firewalls in HA with keepalived. Can I use the same tinc configuration, active, on both firewalls? Is using a tun interface with the same IP on both nodes a problem? Does the tun device advertise itself on the network with an
IP/MAC pair (ARP), or is the IP only used by the system internally for routing, so that using the same configuration is right? So one firewall would be active, the other passive. With this configuration I can avoid starting/stopping tinc with the keepalived active/passive
node. Keepalived is sometimes problematic with virtual machine backup (snapshot stun time), transitioning from Master to Slave and vice versa at stun time, so we can avoid the probability that keepalived will start up and shut down tinc erroneously.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thank you<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:"Arial Black",sans-serif;color:navy;mso-fareast-language:IT">Roberto</span></i><span lang="EN-US" style="font-size:10.0pt;font-family:"AvantGarde Bk BT",serif;color:navy;mso-fareast-language:IT"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"AvantGarde Bk BT",serif;color:navy;mso-fareast-language:IT"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
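<p class="MsoNormal">Added example, not part of either message in this thread: a small Python check over the address plan described above (two keepalived firewalls, each with a physical interface, a shared VIP and a tinc TUN interface), constructed here from the sample configuration. It lists every address carried by more than one interface across the cluster and every pair of overlapping prefixes on a node, and rates each duplicate by whether the interfaces holding it answer ARP (physical Ethernet) or not (TUN, which is the premise of the question). The node names, the "kind"/"layer" fields and the severity labels are assumptions made for the example.</p>

```python
import ipaddress
from collections import defaultdict

# Address plan constructed from the sample configuration in the thread.
# Fields: interface, address/prefix, kind, layer
#   kind  : "static" (always configured) or "vip" (keepalived, held by one node at a time)
#   layer : "l2" (Ethernet, answers ARP) or "l3" (TUN, carries no Ethernet frames, no ARP)
PLAN = {
    "firewall1": [
        ("lan",    "172.16.1.11/19", "static", "l2"),
        ("lan",    "172.16.1.10/19", "vip",    "l2"),
        ("vpndr1", "172.16.1.10/8",  "static", "l3"),
    ],
    "firewall2": [
        ("lan",    "172.16.1.12/19", "static", "l2"),
        ("lan",    "172.16.1.10/19", "vip",    "l2"),
        ("vpndr1", "172.16.1.10/8",  "static", "l3"),
    ],
}


def shared_addresses(plan):
    """Map each host address to every (node, iface, kind, layer) carrying it,
    keeping only addresses that appear more than once."""
    holders = defaultdict(list)
    for node, entries in plan.items():
        for iface, cidr, kind, layer in entries:
            ip = ipaddress.ip_interface(cidr).ip
            holders[str(ip)].append((node, iface, kind, layer))
    return {ip: h for ip, h in holders.items() if len(h) > 1}


def classify(holders):
    """Severity label (an assumption of this example) for one shared address.

    'conflict': always-configured Ethernet interfaces on two nodes would both
                answer ARP for the address.
    'review'  : the only always-configured duplicates are TUN interfaces (no
                ARP); this relies on exactly one node forwarding at a time.
    'ok'      : the duplicates are keepalived VIPs, held by one node at a time.
    """
    static = [h for h in holders if h[2] == "static"]
    nodes_l2 = {h[0] for h in static if h[3] == "l2"}
    nodes_l3 = {h[0] for h in static if h[3] == "l3"}
    if len(nodes_l2) > 1:
        return "conflict"
    if len(nodes_l3) > 1:
        return "review"
    return "ok"


def overlapping_prefixes(plan, node):
    """Pairs (narrow, wide) of interfaces on one node whose networks nest.
    The kernel routes by longest matching prefix, so traffic for the narrower
    network goes out the narrower interface, never the wider one."""
    nets = [(iface, ipaddress.ip_interface(cidr).network)
            for iface, cidr, _, _ in plan[node]]
    out = []
    for i, (ia, na) in enumerate(nets):
        for ib, nb in nets[i + 1:]:
            if ia == ib or not (na.subnet_of(nb) or nb.subnet_of(na)):
                continue
            pair = (ia, ib) if na.prefixlen > nb.prefixlen else (ib, ia)
            if pair not in out:
                out.append(pair)
    return out


def report(plan):
    """Human-readable findings, one line each."""
    lines = []
    for ip, holders in sorted(shared_addresses(plan).items()):
        where = ", ".join(f"{n}/{i} ({k},{l})" for n, i, k, l in holders)
        lines.append(f"{ip}: {classify(holders)} - {where}")
    for node in plan:
        for narrow, wide in overlapping_prefixes(plan, node):
            lines.append(f"{node}: {narrow} prefix lies inside {wide}; "
                         f"longest match wins, {wide} only gets the rest")
    return lines


if __name__ == "__main__":
    for line in report(PLAN):
        print(line)
```

<p class="MsoNormal">Run as-is it reports 172.16.1.10 as "review" (it is static on both TUN interfaces and also the VIP) and notes that 172.16.0.0/19 on lan sits inside 172.0.0.0/8 on vpndr1 on each node; changing an entry's layer to "l2" on both nodes turns the same duplicate into "conflict", which is the case the ARP question in the thread is about.</p>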
</div>
</body>
</html>