Usage
You can manage HA VRRP devices under Linux.
To synchronize Linux and the fast path, start the cache manager and the fast path manager:
# fpmd
# cmgrd
Start keepalived with appropriate options:
# keepalived [options]
Note
Available options are displayed with the command:
keepalived -h
Example: implementing one virtual router with two VRRP routers
Here is a very simple example that implements Sample Configuration 1, provided in RFC 3768 section 4.1, with a VRRP router with MAC address 00:00:5e:00:01:33 and IP address 10.22.0.1.
Network architecture
In the architecture below, Rtr1 is the master VRRP router, and Rtr2 is the backup VRRP router.
Launching keepalived on the master router
Perform the steps below on the master router.
Create the Rtr1.conf keepalived configuration file with the following content:
global_defs {
    router_id DEMO_VRRP_ROUTER
    dynamic_interfaces      # to be notified of interface changes
    # wait for 30s at startup before starting the election, to avoid a bug
    # with some interfaces (LACP for instance) on which Rx is off and
    # Tx is on at startup.
    # It avoids the starting router advertising the master state because it
    # does not yet receive any VRRP master advertisement from the other member
    vrrp_startup_delay 30
    disable_local_igmp
}
vrrp_instance VI_1 {
    state BACKUP            # start as backup
    interface eth1          # ethernet link where hosts and VRRP routers are connected
    use_vmac                # to use a macvlan
    virtual_router_id 51    # to use the 00:00:5e:00:01:{virtual_router_id} mac address (33 hexadecimal = 51 decimal)
    priority 200            # priority of the router
    advert_int 1            # VRRP advertisement interval
    virtual_ipaddress {
        10.22.0.1/24        # VRRP ip address
    }
}
See also
For more information, see keepalived.conf SYNOPSIS and keepalived.conf samples.
Launch the keepalived daemon for VRRP with the Rtr1.conf configuration file:
# keepalived -f /path/to/Rtr1.conf
Note
If you do not specify a custom configuration file, keepalived tries to read the default configuration file /etc/keepalived/keepalived.conf.
Launching keepalived on the backup router
Perform the steps below on the backup router.
Create the Rtr2.conf keepalived configuration file with the following content:
global_defs {
    router_id DEMO_VRRP_ROUTER
    dynamic_interfaces      # to be notified of interface changes
    vrrp_startup_delay 30
    disable_local_igmp
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth1
    use_vmac
    virtual_router_id 51
    priority 100            # Set to 200 in Rtr1.conf
    advert_int 1
    virtual_ipaddress {
        10.22.0.1/24
    }
}
Launch the keepalived daemon for VRRP with the Rtr2.conf configuration file:
# keepalived -f /path/to/Rtr2.conf
Configuring the two routers
Perform the steps below on each of the two routers.
Check that the VRRP interface exists:
# fp-cli iface
...
849:vrrp.51 [VR-0] ifuid=0x5153311a (virtual) <UP|RUNNING|FWD4|FWD6> (0x63)
    type=macvlan mac=00:00:5e:00:01:33 mtu=1500 tcp4mss=0 tcp6mss=0
    IPv4 routes=0 IPv6 routes=0
    mode private, link eth1
...
Allow IP forwarding:
# sysctl -w net.ipv4.ip_forward=1
Disable iptables rules that block multicast traffic (VRRP advertisements are sent to a multicast address). To clear all iptables rules:
# iptables -F
Note that this flushes every rule, not only those blocking multicast; on a router that carries firewall rules, remove only the rules that drop the VRRP multicast traffic.
The following parameters are set automatically by the keepalived daemon. Do not modify them:
net.ipv4.conf.eth1.arp_ignore = 1
net.ipv4.conf.eth1.arp_filter = 1
net.ipv4.conf.vrrp/51.accept_local = 0
net.ipv4.conf.vrrp/51.arp_ignore = 1
net.ipv4.conf.vrrp/51.rp_filter = 0
net.ipv4.conf.vrrp/51.promote_secondaries = 1
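The following shell check is an added example, not part of the original page or the product: it reads the kernel settings listed above and reports any that are missing or drifted, so an operator can confirm keepalived applied them on both routers. It assumes the interface and virtual_router_id of this example (eth1, 51) are passed as arguments; the optional third argument replaces /proc/sys so the check can also run against a copied tree.

```shell
# Added check (not from the original page): confirm that the sysctl values
# keepalived is expected to apply to the link interface and to the VRRP
# macvlan are really in place. Naming quirk: sysctl prints the macvlan as
# vrrp/51 because '.' separates path components, but the directory under
# /proc/sys/net/ipv4/conf is literally vrrp.51.
#
# Usage: check_vrrp_sysctl <link_if> <virtual_router_id> [sysctl_root]
# Returns the number of missing or mismatching settings (0 = all good).
check_vrrp_sysctl() {
    link_if=$1
    vrid=$2
    root=${3:-/proc/sys}        # overridable so the check can run on a copy
    failures=0
    # "relative key  expected value" pairs, taken from the list above
    for entry in \
        "$link_if/arp_ignore 1" \
        "$link_if/arp_filter 1" \
        "vrrp.$vrid/accept_local 0" \
        "vrrp.$vrid/arp_ignore 1" \
        "vrrp.$vrid/rp_filter 0" \
        "vrrp.$vrid/promote_secondaries 1"
    do
        key=${entry% *}
        want=${entry#* }
        file=$root/net/ipv4/conf/$key
        if [ ! -r "$file" ]; then
            echo "MISSING  $key (interface not present?)" >&2
            failures=$((failures + 1))
            continue
        fi
        read -r have < "$file"
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have $have, want $want" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
```

Run it as root on each router, for example check_vrrp_sysctl eth1 51; a non-zero exit code means the VRRP macvlan does not exist or a value was changed after keepalived started.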
If the VRRP interface is not able to receive traffic when the virtual IP address is set on it, consider setting the link interface in promiscuous mode:
# ip link set eth1 promisc on
Check that interface eth1 has the flag PROMISC:
# fp-cli iface
...
96:eth1 [VR-0] ifuid=0x6008c1d2 (port 1) <UP|RUNNING|PROMISC|FWD4|FWD6> (0x73)
    type=ether mac=00:02:02:00:00:21 mtu=1500 tcp4mss=0 tcp6mss=0
    IPv4 routes=0 IPv6 routes=0
...
HA VRRP is now properly configured. The master VRRP router Rtr1 and the backup VRRP router Rtr2 now implement one virtual router on a simple network, as specified in RFC 3768, section 4.1.
See also
For more information about sysctl ip settings, see the kernel's ip-sysctl documentation.
Using VRRP with IKE/IPsec HA and/or Firewall/NAT HA
In order to make IKE/IPsec HA and/or Firewall/NAT HA synchronization work properly:
- dataplane traffic and some control-plane traffic must be processed only on the master router;
- IKE/IPsec HA needs to know the current VRRP state.
This section describes how to set up a keepalived notification script that provides this.
Copy the sample HA scripts and set the appropriate permissions:
# cp -p /etc/keepalived/samples/ha-notify.sh /etc/keepalived/notify.sh
# chown root:root /etc/keepalived/notify.sh
# chmod u+x /etc/keepalived/notify.sh
# cp -p /etc/keepalived/samples/ha-notify-fifo.sh /etc/keepalived/notify-fifo.sh
# chown root:root /etc/keepalived/notify-fifo.sh
# chmod u+x /etc/keepalived/notify-fifo.sh
In keepalived.conf, create a single VRRP sync group on both routers that contains all the VRRP instances:
vrrp_sync_group mygroup {
    group {
        VI_1
        VI_2
    }
}
Set in the global_defs section of keepalived.conf:
vrrp_notify_fifo /tmp/keepalived.fifo
vrrp_notify_fifo_script /etc/keepalived/notify-fifo.sh
fifo_write_vrrp_states_on_reload
If necessary, add the activity file to /etc/ike/strongswan.d/charon/ha.conf inside the ha {} section:
ha {
    activity_file = /run/ha-groups/ikeha
}
Edit the variables ACTIVITY_FILE and INSTANCE_NAME of the script /etc/keepalived/notify-fifo.sh to match the activity_file and vrrp_sync_group settings:
INSTANCE_NAME=mygroup
ACTIVITY_FILE=/run/ha-groups/ikeha