Hi,
I am testing a two-node firewall HA configuration using uClibc 2.3.1
with the "three interface" model. In leag.cfg I set up:
1 iptables and shorewall
2 keepalived (vrrp) configured for all three interfaces:
- in eth0 for Internet next hop and NATed DMZ IP addresses
- in eth1 for DMZ default gateway
- in eth2 for LAN default gateway
3 ipsec for a VPN to remote office
Now steps 1 and 2 work correctly (after removing the shorewall
builtin drop multicast) but I have a problem setting up ipsec.
The ipsec log (/var/log/auth.log) says:
"we have no ipsecN interface for either end of this connection"
and this is correct because my ipsec.conf contains:
interfaces="ipsec0=eth0"
If I change it to:
interfaces="ipsec0=eth0:0"
the report is:
"ipsec_setup: unable to determine address of `eth0:0'"
For example, a LAN router that is MASTER for the LAN VIP has real
IP address 192.168.100.189 and VIP address 192.168.100.254
# ip addr show eth2
7: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether fe:fd:c0:a8:64:bd brd ff:ff:ff:ff:ff:ff
inet 192.168.100.189/24 brd 192.168.100.255 scope global eth2
inet 192.168.100.254/24 scope global secondary eth2
How can I change the configuration to force ipsec to take the
alias/VIP address?
Regards,
Sandro Doro
--
Sandro Doro
e-mail: sandro.doro AT istruzione.it
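The post shows that on this node the VIP is held as a plain secondary address on eth2, not as a separate interface. As an added example (not part of the original post, and not a configuration answer for ipsec), here is a small POSIX sh helper that parses `ip addr show` output in the format shown above, separates the primary address from the secondary (VIP) addresses on a given interface, and tells you whether this node currently holds a VIP, which is the check you would want in a keepalived notify script or before starting a service that must bind to the VIP. The function names, the `LIVE` switch and the embedded sample output are my assumptions; the sample is a constructed copy of the eth2 output from the post.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample: the eth2 output quoted in the post, one entry per line.
SAMPLE_IP_ADDR='7: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fe:fd:c0:a8:64:bd brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.189/24 brd 192.168.100.255 scope global eth2
    inet 192.168.100.254/24 scope global secondary eth2'

# addr_source: emit "ip addr show" text. Uses the constructed sample unless
# LIVE=1 is set, in which case the real iproute2 output is used (assumption:
# iproute2 is installed and "ip" is on PATH).
addr_source() {
  if [ "${LIVE:-0}" = "1" ]; then
    ip addr show
  else
    printf '%s\n' "$SAMPLE_IP_ADDR"
  fi
}

# list_ipv4 DEV KIND
#   Print the IPv4 addresses (without prefix length) configured on DEV.
#   KIND is "primary" or "secondary". An address is secondary when the
#   "inet" line carries the "secondary" flag, which is how iproute2 shows
#   a VRRP VIP added next to the real address. The label at the end of the
#   line is compared exactly, so an alias label such as "eth0:0" is
#   treated as its own DEV name.
list_ipv4() {
  dev=$1; kind=$2
  addr_source | awk -v dev="$dev" -v kind="$kind" '
    $1 == "inet" && $NF == dev {
      sec = ($0 ~ / secondary /) ? "secondary" : "primary"
      if (sec == kind) { split($2, a, "/"); print a[1] }
    }'
}

# holds_vip DEV VIP
#   Exit 0 if VIP is currently present as a secondary address on DEV,
#   i.e. this node is MASTER for that VRRP instance right now.
holds_vip() {
  list_ipv4 "$1" secondary | grep -qx "$2"
}

# Usage (against the constructed sample):
#   list_ipv4 eth2 primary     -> 192.168.100.189
#   list_ipv4 eth2 secondary   -> 192.168.100.254
#   holds_vip eth2 192.168.100.254 && echo "MASTER for LAN VIP"
```

Run it with `LIVE=1` on a real node to inspect the live address table instead of the sample. Because `holds_vip` only reports what the kernel currently has configured, it reflects a failover immediately, without consulting keepalived's own state.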
------------------------------------------------------------------------
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/