AIX

  • 1.  VPN IPSEC Tunnel to external servers for a HACMP environment

    Posted Wed June 04, 2008 06:23 AM

    Originally posted by: SystemAdmin


    If we have AIX node A and node B, they are running in HACMP clusters. And I have another server, node C. The HACMP clusters need to establish a server-to-server IPSEC VPN tunnel to node C.

    So actually, when the active node of the cluster sends traffic to node C, what IP address will node C see? Will it be the virtual service IP or the boot IP of node A or node B?

    In addition, after failover we want this IPSEC tunnel to be built up before other applications run, for example Oracle. How can this be done in an HACMP setup?

    Many thanks


  • 2.  Re: VPN IPSEC Tunnel to external servers for a HACMP environment

    Posted Wed June 04, 2008 06:30 AM

    Originally posted by: tony.evans


    The answer is, it depends on your network configuration. How many NICs do you have, what IP addresses do they have, how many IP addresses, are you using IP aliasing, what subnets are they on, and what subnet is Server C on?

    Bringing up the IPSEC stuff before Oracle - do you mean before the cluster is running, or only when the cluster is up but before oracle starts? If it's the latter, then you just need to modify the HACMP start/stop scripts to manage the IPSEC stuff. If you want the IPSEC stuff to work outside of HACMP then you just need to configure it normally as part of whatever you do on AIX and make sure it doesn't use any resources that HACMP controls.


  • 3.  Re: VPN IPSEC Tunnel to external servers for a HACMP environment

    Posted Wed June 04, 2008 06:40 AM

    Originally posted by: SystemAdmin


    Hello Tony,

    We have only 2 NICs on each node. NIC 1 is on subnet A (boot IP), NIC 2 is on subnet B (standby IP); the persistent IP and virtual service IP are also on subnet A. So we want the IPSEC stuff to run within HACMP.

    Bringing up the IPSEC before Oracle: we are in the latter case. We would like the IPSEC to be up when the cluster is up or after failover, but before Oracle starts.

    Thanks


  • 4.  Re: VPN IPSEC Tunnel to external servers for a HACMP environment

    Posted Wed June 04, 2008 07:04 AM

    Originally posted by: tony.evans


    Do you use IP Aliasing for IP Failover or IP Hardware Takeover?


  • 5.  Re: VPN IPSEC Tunnel to external servers for a HACMP environment

    Posted Wed June 04, 2008 07:28 AM

    Originally posted by: SystemAdmin


    Thanks again Tony,

    Are you referring to IP aliasing and IP address takeover?
    What will be the difference in the answer in the two cases?

    Many thanks


  • 6.  Re: VPN IPSEC Tunnel to external servers for a HACMP environment

    Posted Thu June 05, 2008 07:21 AM

    Originally posted by: tony.evans


    With IP Aliasing it gets harder to predict which IP address your source packet will originate from. With Hardware takeover it's much easier to predict.

    In short, your HACMP design, network design and configuration need to be clearly understood in order to answer the questions you're posing.


  • 7.  Re: VPN IPSEC Tunnel to external servers for a HACMP environment

    Posted Mon June 09, 2008 09:14 PM

    Originally posted by: SystemAdmin


    Hi Tony,

    I have confirmed with the engineer that the setup is using "IP replacement". Thanks


  • 8.  Re: VPN IPSEC Tunnel to external servers for a HACMP environment

    Posted Tue June 17, 2008 06:21 AM

    Originally posted by: KarlM


    You should be able to guarantee your source IP by adding an interface route, e.g.:

    route add -host <C> <service_address> -interface

    You can add this in your HA startup scripts or run it as an HA event-driven script.

    Be aware that there is a bug in HACMP v5 (references IY84675, IY83769 and IY84952) which causes the interface route to break on failover, so make sure the fixes for the above are in place if you use this.

    HTH
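Putting the two answers together (tony.evans' point that the IPSEC bring-up belongs in the HACMP start/stop scripts, and KarlM's interface route for pinning the source address), here is an added example of what such an application-server start/stop script can look like. It is not code from the thread, from IBM, or from HACMP itself. The addresses are constructed; the AIX commands it drives (`route`, `netstat -rn`, `mktun`/`rmtun` for a manual IPsec tunnel) and the Oracle start/stop hook paths are assumptions you would adapt to your own cluster. The `route_present` and `source_for` helpers parse `netstat -rn` output so the script can verify, rather than assume, that the route to node C is in place and that its gateway column (the local address an interface route sources from) is the service IP before the tunnel and then Oracle are started.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): HACMP application-server
# start/stop script that brings up resources in the order the thread asks for:
#   interface route to node C -> IPsec tunnel -> Oracle   (start)
#   Oracle -> IPsec tunnel -> interface route            (stop, reversed)
# Addresses are constructed; AIX command usage and hook paths are assumptions.

SERVICE_IP="${SERVICE_IP:-192.0.2.10}"     # constructed: HACMP service address on subnet A
PEER_C="${PEER_C:-198.51.100.20}"          # constructed: node C, the IPsec peer
TUNNEL_ID="${TUNNEL_ID:-1}"                # assumed: id of the manual IPsec tunnel to node C
ORACLE_START="${ORACLE_START:-/usr/local/ha/oracle_start.sh}"  # assumed site hook
ORACLE_STOP="${ORACLE_STOP:-/usr/local/ha/oracle_stop.sh}"     # assumed site hook

# route_present TABLE DEST GATEWAY
# Succeeds if the routing-table text (netstat -rn layout: Destination, Gateway, ...)
# holds a route to DEST whose gateway is GATEWAY. For an interface route the
# gateway column is the local address packets to DEST are sourced from, so this
# is the check that node C will see the service IP and not a boot IP.
route_present() {
    printf '%s\n' "$1" | awk -v d="$2" -v g="$3" '
        $1 == d && $2 == g { found = 1 }
        END { exit !found }'
}

# source_for TABLE DEST
# Prints the gateway column of the first route whose destination is exactly DEST
# (empty if there is no host route), i.e. the source address that route implies.
source_for() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# wait_for_route DEST GATEWAY SECONDS: poll the live kernel table (assumed AIX
# netstat -rn layout) until the route shows up or the timeout expires.
wait_for_route() {
    _n=0
    while ! route_present "$(netstat -rn 2>/dev/null)" "$1" "$2"; do
        _n=$((_n + 1))
        [ "$_n" -ge "$3" ] && return 1
        sleep 1
    done
    return 0
}

start_stack() {
    # 1. Pin the source address: host route to node C via the service IP
    #    (the form KarlM posted). Exit status ignored: the route may already
    #    exist from an earlier start; the verification below is what matters.
    route add -host "$PEER_C" "$SERVICE_IP" -interface >/dev/null 2>&1
    wait_for_route "$PEER_C" "$SERVICE_IP" 10 || {
        echo "start_stack: no interface route to $PEER_C via $SERVICE_IP" >&2
        return 1
    }
    # 2. Activate the IPsec tunnel (assumed: manual tunnel activated with mktun).
    #    Stop here on failure so Oracle never starts talking to node C outside
    #    the tunnel; HACMP then reports the application server as failed.
    mktun -v4 -t "$TUNNEL_ID" || {
        echo "start_stack: mktun -v4 -t $TUNNEL_ID failed" >&2
        return 1
    }
    # 3. Only now start the application.
    "$ORACLE_START"
}

stop_stack() {
    # Reverse order. Errors are logged but not fatal, so one stuck step does
    # not block the release of the resource group during failover.
    "$ORACLE_STOP" || echo "stop_stack: oracle stop returned $?" >&2
    rmtun -v4 -t "$TUNNEL_ID" || echo "stop_stack: rmtun returned $?" >&2
    route delete -host "$PEER_C" "$SERVICE_IP" >/dev/null 2>&1
}

case "${1:-}" in
    start) start_stack ;;
    stop)  stop_stack ;;
    *)     ;;   # no argument: define functions only (lets the file be sourced for checks)
esac
```

Register the script as the start and stop method of the HACMP application server that owns the Oracle resources, so it runs after the service IP has been acquired on the node. The point of `wait_for_route` is the failover bug KarlM mentions: if the interface route does not survive or reappear on the new node, the script refuses to bring up the tunnel and Oracle rather than letting Oracle start with traffic to node C leaving from the wrong address.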