
CARP + GRE + OSPF conflict in HA setup
Open, Normal, Public

Description

We have two routers:

  • Router-002 = BACKUP
  • Router-003 = MASTER

--> They share the same IP address (VIP)

Normally:

Only the MASTER should speak ✔
The BACKUP should remain silent ❌

But with CARP + OSPF:

💥 BOTH speak at the same time

OSPF is a dynamic routing protocol that allows routers to exchange routing information and automatically determine the best path for network traffic. It works by regularly sending Hello packets between routers to maintain neighbor relationships and keep an up-to-date view of the network topology.

In a high-availability setup with two routers sharing the same VIP, OSPF can cause issues because both routers may send Hello packets and routing updates at the same time using that same IP address. As a result, neighbors receive messages that appear to come from a single router, while they are actually coming from two different ones. This creates confusion in the OSPF neighbor relationship, leading to constant resets, unstable routing tables, and unreliable network connectivity.
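One way to confirm this condition from the neighbor's side, as an added example that is not part of the original task: group observed Hellos by source IP and flag any source that carries more than one router ID or sends Hellos noticeably faster than the hello interval. The records, addresses, router IDs, the 10-second interval and the 0.75 threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (seconds, source IP, OSPF router ID) for each Hello a
# neighbor received. 192.0.2.10 stands in for the shared VIP; every value
# here is made up for illustration.
SAMPLE_HELLOS = [
    (0.0, "192.0.2.10", "10.0.0.3"),
    (4.1, "192.0.2.10", "10.0.0.2"),
    (10.0, "192.0.2.10", "10.0.0.3"),
    (14.1, "192.0.2.10", "10.0.0.2"),
    (20.0, "192.0.2.10", "10.0.0.3"),
    (24.1, "192.0.2.10", "10.0.0.2"),
    (1.0, "192.0.2.20", "10.0.0.9"),
    (11.0, "192.0.2.20", "10.0.0.9"),
    (21.0, "192.0.2.20", "10.0.0.9"),
]


def find_dual_speakers(hellos, hello_interval=10.0):
    """Return {source_ip: finding} for sources that look like two routers
    sending Hellos from one address."""
    by_src = defaultdict(list)
    for ts, src, rid in hellos:
        by_src[src].append((ts, rid))

    findings = {}
    for src, seen in by_src.items():
        seen.sort()
        router_ids = sorted({rid for _, rid in seen})
        gaps = [b[0] - a[0] for a, b in zip(seen, seen[1:])]
        med = median(gaps) if gaps else None
        # Two independent senders roughly halve the typical gap, which also
        # catches the case where both nodes use the same router ID.
        # The 0.75 factor is a heuristic chosen for this example.
        too_fast = med is not None and med < 0.75 * hello_interval
        if len(router_ids) > 1 or too_fast:
            findings[src] = {"router_ids": router_ids,
                             "median_gap": med,
                             "too_fast": too_fast}
    return findings


if __name__ == "__main__":
    for src, finding in find_dual_speakers(SAMPLE_HELLOS).items():
        print(src, finding)
```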


Without our intending it, IPsec already solves this problem for us (done in T2268):

  • IPsec enforces a single security association per VIP, preventing the BACKUP node from establishing a concurrent tunnel and thus avoiding conflicts.
  • So IPsec must be configured on both nodes with the required policies, ensuring that only the MASTER node can establish the GRE tunnel. Because the MASTER has already established the security association, the BACKUP node cannot create a second connection or send traffic.

And what about failover?

When the VIP moves, the source of the IPsec connection changes, making the previous Security Association invalid and forcing a new one to be established.


References:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=166462

Event Timeline

yousra updated the task description.
yousra triaged this task as Normal priority. Tue, Apr 7, 20:11
yousra updated the task description.
yousra updated the task description.
yousra moved this task from Backlog to Working on on the Secure HA tunnels board.