Usage

You can manage HA VRRP devices under Linux.

  1. To synchronize Linux and the fast path, start the cache manager and the fast path manager:

    # fpmd
    # cmgrd
    
  2. Start keepalived with appropriate options:

    # keepalived [options]
    

    Note

    Available options are displayed with the command: keepalived -h

Example: implementing one virtual router with two VRRP routers

Here is a very simple example that implements Sample Configuration 1, provided in RFC 3768 section 4.1, with a VRRP router with MAC address 00:00:5e:00:01:33 and IP address 10.22.0.1.

Network architecture

In the architecture below, Rtr1 is the master VRRP router, and Rtr2 is the backup VRRP router.

[Figure: network architecture with Rtr1 (master VRRP router) and Rtr2 (backup VRRP router)]

Launching keepalived on the master router

Perform the steps below on the master router.

  1. Create the Rtr1.conf keepalived configuration file with the following content:

    global_defs {
     router_id DEMO_VRRP_ROUTER
     dynamic_interfaces # to be notified of interface changes
     # wait for 30s at startup before starting election to avoid bug
     # with some interfaces (LACP for instance) on which Rx is off and
     # Tx is on at startup.
     # It avoids sending master state from the starting router because it does
     # not receive any VRRP master from other member
     vrrp_startup_delay 30
     disable_local_igmp
    }
    vrrp_instance VI_1 {
     state BACKUP           # start as backup
     interface eth1                   # ethernet link where hosts and VRRP routers are connected
     use_vmac                         # to use macvlan
     virtual_router_id 51             # to use the 00:00:5e:00:01:{virtual_router_id} mac address (33 hexadecimal = 51 decimal)
     priority 200                     # priority of the router
     advert_int 1                     # VRRP advertisement interval
     virtual_ipaddress {
      10.22.0.1/24                    # VRRP ip address
     }
    }
    

    See also

    For more information, see keepalived.conf SYNOPSIS and keepalived.conf samples.

  2. Launch the keepalived daemon for VRRP with the Rtr1.conf configuration file:

    # keepalived -f /path/to/Rtr1.conf
    

    Note

    If you do not specify a custom configuration file, keepalived tries to read the default configuration file /etc/keepalived/keepalived.conf.

Launching keepalived on the backup router

Perform the steps below on the backup router.

  1. Create the Rtr2.conf keepalived configuration file with the following content:

    global_defs {
     router_id DEMO_VRRP_ROUTER
     dynamic_interfaces # to be notified of interface changes
     vrrp_startup_delay 30
     disable_local_igmp
    }
    vrrp_instance VI_1 {
     state BACKUP
     interface eth1
     use_vmac
     virtual_router_id 51
     priority 100                     # Set to 200 in *Rtr1.conf*
     advert_int 1
     virtual_ipaddress {
      10.22.0.1/24
     }
    }
    
  2. Launch the keepalived daemon for VRRP with the Rtr2.conf configuration file:

    # keepalived -f /path/to/Rtr2.conf
    

Configuring the two routers

Perform the steps below on each of the two routers.

  1. Check that the VRRP interface exists:

    # fp-cli iface
    ...
    849:vrrp.51 [VR-0] ifuid=0x5153311a (virtual) <UP|RUNNING|FWD4|FWD6> (0x63)
            type=macvlan mac=00:00:5e:00:01:33 mtu=1500 tcp4mss=0 tcp6mss=0
            IPv4 routes=0  IPv6 routes=0
            mode private, link eth1
    ...
    
  2. Allow IP forwarding:

    # sysctl -w net.ipv4.ip_forward=1
    
  3. Disable reverse path filtering on interfaces to which the VRRP routers are linked:

    # sysctl -w net.ipv4.conf.eth1.rp_filter=0
    
  4. Disable iptables rules that block multicast traffic:

    To clear all iptables rules:

    # iptables -F
    
  5. Enable arp_ignore on interfaces to which the VRRP routers are linked:

    # sysctl -w net.ipv4.conf.eth1.arp_ignore=1
    

    Otherwise, the linked interface answers ARP requests related to the VRRP MAC address.

  6. If you do not receive Netlink notifications from the lower interface to which the VRRP routers are linked, set this interface in promiscuous mode:

    # ip link set eth1 promisc on
    
  7. Check that interface eth1 has the flag PROMISC:

    # fp-cli iface
    ...
    96:eth1 [VR-0] ifuid=0x6008c1d2 (port 1) <UP|RUNNING|PROMISC|FWD4|FWD6> (0x73)
            type=ether mac=00:02:02:00:00:21 mtu=1500 tcp4mss=0 tcp6mss=0
            IPv4 routes=0  IPv6 routes=0
    ...
    
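A post-configuration check for steps 1 and 7 above, added here as an example (it is not part of the original page or of the fast path tooling). It parses the text that `fp-cli iface` prints, using a sample constructed from the two listings shown above, and verifies that `vrrp.<VRID>` exists as a macvlan carrying the MAC derived from `virtual_router_id`, that it is linked to the expected lower interface, and that the lower interface has the PROMISC flag (assumes step 6 was applied).

```python
import re
# Constructed sample: the eth1 and vrrp.51 entries shown on this page, as one listing.
SAMPLE_FP_CLI_IFACE = """\
96:eth1 [VR-0] ifuid=0x6008c1d2 (port 1) <UP|RUNNING|PROMISC|FWD4|FWD6> (0x73)
        type=ether mac=00:02:02:00:00:21 mtu=1500 tcp4mss=0 tcp6mss=0
        IPv4 routes=0  IPv6 routes=0
849:vrrp.51 [VR-0] ifuid=0x5153311a (virtual) <UP|RUNNING|FWD4|FWD6> (0x63)
        type=macvlan mac=00:00:5e:00:01:33 mtu=1500 tcp4mss=0 tcp6mss=0
        IPv4 routes=0  IPv6 routes=0
        mode private, link eth1
"""

# Entry header: "<index>:<name> [VR-n] ... <FLAG|FLAG|...> (0x..)"
HEADER_RE = re.compile(r"^\d+:(?P<name>\S+) \[VR-\d+\] .*<(?P<flags>[^>]*)>")

def parse_fp_cli_iface(text):
    """Map interface name -> {"flags": set, "type": str, "mac": str, "link": str|None}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"flags": set(m.group("flags").split("|")), "type": None, "mac": None, "link": None}
            ifaces[m.group("name")] = cur
        elif cur is not None:
            # Indented detail lines carry key=value pairs and, for a macvlan, "link <lower>".
            kv = dict(re.findall(r"(\w+)=(\S+)", line))
            kv.update(re.findall(r"\b(link) (\S+)", line))
            cur.update({k: kv[k] for k in ("type", "mac", "link") if k in kv})
    return ifaces

def vrrp_mac(vrid):
    """RFC 3768 virtual router MAC 00:00:5e:00:01:{VRID}; VRID 51 gives ...:33."""
    return "00:00:5e:00:01:%02x" % vrid

def check_vrrp(text, vrid, lower):
    """Return the problems found; an empty list means steps 1 and 7 above are satisfied."""
    ifaces, problems = parse_fp_cli_iface(text), []
    vi = ifaces.get("vrrp.%d" % vrid)
    if vi is None:
        problems.append("no vrrp.%d interface" % vrid)
    else:
        if vi["type"] != "macvlan":
            problems.append("vrrp.%d is not a macvlan" % vrid)
        if vi["mac"] != vrrp_mac(vrid):
            problems.append("vrrp.%d has MAC %s, expected %s" % (vrid, vi["mac"], vrrp_mac(vrid)))
        if vi["link"] != lower:
            problems.append("vrrp.%d is linked to %s, expected %s" % (vrid, vi["link"], lower))
    lo = ifaces.get(lower)
    if lo is None or "PROMISC" not in lo["flags"]:
        problems.append("%s missing PROMISC flag (step 6 not applied?)" % lower)
    return problems
```

On a real router, feed it the actual output, e.g. `check_vrrp(subprocess.check_output(["fp-cli", "iface"], text=True), 51, "eth1")`.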

HA VRRP is now properly configured. The master VRRP router Rtr1, and the backup VRRP router Rtr2 now implement one virtual router on a simple network, as specified in RFC 3768, section 4.1.

Using VRRP with IKE/IPsec HA and/or Firewall/NAT HA

In order to make IKE/IPsec HA and/or Firewall/NAT HA synchronization work properly:

  • dataplane traffic and some control-plane traffic must only be processed on the master router.

  • IKE/IPsec HA needs to know the current VRRP state.

This section describes how to set up a keepalived script to do so.

  1. Create a keepalived notify script /etc/keepalived/notify.sh:

    cat>/etc/keepalived/notify.sh <<\EOF
    #!/bin/sh
    
    FILE=/run/ha-groups/ikeha
    STATE="$3"
    
    mkdir -p $(dirname "$FILE")
    case "$STATE" in
       "MASTER")
          echo "master" > "$FILE"
          iptables-save -t filter | grep -v __internal__:keepalived | iptables-restore -T filter
          ip6tables-save -t filter | grep -v __internal__:keepalived | ip6tables-restore -T filter
          ;;
       *)
          iptables -I INPUT -p esp -m comment --comment "__internal__:keepalived" -j DROP
          iptables -I INPUT -p ah -m comment --comment "__internal__:keepalived" -j DROP
          iptables -I INPUT -p udp -m multiport --dports 500,4500 -m comment --comment "__internal__:keepalived" -j DROP
          iptables -I FORWARD -m comment --comment "__internal__:keepalived" -j DROP
          ip6tables -I INPUT -p esp -m comment --comment "__internal__:keepalived" -j DROP
          ip6tables -I INPUT -m ah -m comment --comment "__internal__:keepalived" -j DROP
          ip6tables -I INPUT -p udp -m multiport --dports 500,4500 -m comment --comment "__internal__:keepalived" -j DROP
          ip6tables -I FORWARD -m comment --comment "__internal__:keepalived" -j DROP
          echo "backup" > "$FILE"
          ;;
    esac
    EOF
    
  2. Make the script owned by root and executable by root:

    # chown root:root /etc/keepalived/notify.sh
    # chmod u+x /etc/keepalived/notify.sh
    
  3. Create a unique VRRP sync group on both routers that contains all the VRRP instances:

    vrrp_sync_group mygroup {
      group {
        VI_1
        VI_2
      }
      notify /etc/keepalived/notify.sh
    }
    
  4. Add the activity file to /etc/ike/strongswan.d/charon/ha.conf inside ha {} if necessary:

    activity_file = /run/ha-groups/ikeha