High-Availability VPN Cluster Deployment: Redundant Link Design with Keepalived and IPsec

4/28/2026 · 3 min

Introduction

In modern enterprise networks, VPNs are critical for connecting remote sites and mobile users. However, a single point of failure can disrupt the entire VPN service, leading to business losses. By deploying a high-availability VPN cluster using Keepalived for virtual IP (VIP) failover and IPsec for encrypted tunnels, you can significantly enhance network reliability and security.

Architecture Design

Components

  • Keepalived: Implements VRRP for VIP management and health checks. When the primary node fails, the backup node automatically takes over the VIP, ensuring service continuity.
  • IPsec: Provides data encryption and authentication, supporting IKEv1/IKEv2 protocols for site-to-site or remote access scenarios.
  • Cluster Nodes: At least two servers, configured as MASTER and BACKUP roles.

Network Topology

[Internet] <--> [VIP: 203.0.113.10] <--> [Node1 (MASTER): 10.0.0.1]
                                     <--> [Node2 (BACKUP): 10.0.0.2]

The VIP exposes the VPN service externally, while internal nodes communicate via private IPs. Keepalived monitors the IPsec process; upon primary failure, the VIP floats to the backup node.

Deployment Steps

1. Environment Preparation

  • OS: Ubuntu 22.04 LTS or CentOS 7+
  • Install packages: strongswan (IPsec) and keepalived
  • Ensure network connectivity between the nodes, open UDP ports 500 and 4500 (IPsec), and allow VRRP traffic to the multicast address 224.0.0.18

2. Configure IPsec

Edit /etc/ipsec.conf with connection parameters, for example:

conn site-to-site
    left=10.0.0.1
    leftsubnet=192.168.1.0/24
    right=203.0.113.20
    rightsubnet=192.168.2.0/24
    auto=start

Note: Both nodes should use the same IPsec configuration, except that left should be set to each node's own actual IP.

3. Configure Keepalived

Primary node /etc/keepalived/keepalived.conf:

vrrp_script chk_ipsec {
    script "/usr/bin/pgrep -x charon"  # Check strongSwan process
    interval 2
    weight -20
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1234  # sample value; set a unique secret (PASS is sent in cleartext)
    }
    virtual_ipaddress {
        203.0.113.10/24 dev eth0
    }
    track_script {
        chk_ipsec
    }
}

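The backup node's configuration is the same except for state BACKUP and priority 90. With weight -20, a failed chk_ipsec check lowers the primary's effective priority from 100 to 80, below the backup's 90, which is what moves the VIP.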

4. Start Services

systemctl enable strongswan keepalived
systemctl start strongswan keepalived

Verify VIP binding: ip addr show eth0.

Failover Testing

  1. Stop IPsec on the primary node: systemctl stop strongswan
  2. Check Keepalived logs: tail -f /var/log/syslog – you should see VIP moving to the backup node.
  3. Attempt to connect to the VIP from a remote site and verify the VPN tunnel is established.

Optimization Tips

  • Enhanced Health Checks: Beyond process checks, implement scripts that test IPsec tunnel connectivity.
  • Session Synchronization: For stateful VPNs like IPsec, use connection sync mechanisms (e.g., strongSwan's charon-cmd) to avoid interrupting existing connections during failover.
  • Monitoring and Alerting: Integrate with Prometheus or Nagios to monitor VIP status and IPsec tunnel counts.
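
A tunnel-level check of the kind the first tip describes, as an added example that is not part of the original article. It parses `ipsec status` for the article's site-to-site connection; the `--check` argument and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Tunnel-level health check for a Keepalived vrrp_script (added example).
# Exit status 0 = healthy; non-zero = fault, so Keepalived applies the weight.

CONN="${CONN:-site-to-site}"   # conn name from the article's ipsec.conf

# tunnel_is_up NAME: reads `ipsec status` text on stdin. Succeeds only when
# the IKE SA is ESTABLISHED *and* a child (ESP) SA is INSTALLED for NAME.
tunnel_is_up() {
    awk -v conn="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }   # names may be left-padded
        index(line, conn "[") == 1 && line ~ / ESTABLISHED / { ike = 1 }
        index(line, conn "{") == 1 && line ~ / INSTALLED,/   { child = 1 }
        END { exit !(ike && child) }
    '
}

# check_ipsec: the live check. charon must run and the tunnel must be up.
check_ipsec() {
    pgrep -x charon >/dev/null || return 1
    ipsec status "$CONN" 2>/dev/null | tunnel_is_up "$CONN"
}

# Constructed sample outputs (not captured from a real gateway).
sample_up() {
    cat <<'EOF'
Security Associations (1 up, 0 connecting):
site-to-site[1]: ESTABLISHED 5 minutes ago, 10.0.0.1[10.0.0.1]...203.0.113.20[203.0.113.20]
site-to-site{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
site-to-site{1}:   192.168.1.0/24 === 192.168.2.0/24
EOF
}
sample_ike_only() {   # IKE negotiated, but no child SA: traffic would not flow
    cat <<'EOF'
Security Associations (1 up, 0 connecting):
site-to-site[2]: ESTABLISHED 10 seconds ago, 10.0.0.1[10.0.0.1]...203.0.113.20[203.0.113.20]
EOF
}
sample_down() {
    echo "Security Associations (0 up, 0 connecting):"
    echo "  none"
}

# Keepalived calls the script with --check (argument name chosen here).
if [ "${1:-}" = "--check" ]; then
    check_ipsec
    exit $?
fi
```

To use it, the script line in chk_ipsec would point at the installed copy of this file (for example a hypothetical /usr/local/bin/chk_ipsec_tunnel.sh --check) instead of the pgrep command.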

Conclusion

Combining Keepalived with IPsec provides a cost-effective high-availability VPN cluster. This solution is suitable for small to medium enterprises, effectively mitigating single-node failures and ensuring stable remote access.

FAQ

How does Keepalived detect IPsec service health?
Keepalived uses vrrp_script to execute custom scripts, such as checking the strongSwan charon process with pgrep. If the script returns a non-zero value, Keepalived reduces the node's priority, triggering VIP failover.
Will existing IPsec connections be interrupted during failover?
By default, IPsec is stateful, so failover will interrupt existing connections because Security Associations (SAs) are stored in memory and not synchronized. It is recommended to use strongSwan's session synchronization (e.g., charon-cmd) or configure IKEv2 MOBIKE support to minimize disruption.
Can IPsec configurations be shared between primary and backup nodes?
Yes, but ensure the 'left' address points to each node's actual IP. It is advisable to use configuration management tools (e.g., Ansible) to sync config files and ensure consistent pre-shared keys or certificates.