On 11/7/2012 12:33 PM, [email protected] wrote:
> The problem is that on the edge boxes I can
> only get to the primary, the slave is inaccessible.
In this case, it's likely that your slave box has a route or IPsec phase 2 defined that covers your client subnet, so the slave thinks it knows the way back to the client directly and the traffic dies because it really doesn't.

Easiest way around it is manual outbound NAT on the LAN interface to make traffic going to the secondary appear to originate from the primary's LAN IP (on LAN, source = VPN subnet, destination = secondary's IP, translated to Interface address -- NOT the CARP VIP).

If it's OpenVPN, on 2.0.2 and 2.1, binding the VPN to the CARP VIP will make the server process stop on the backup unit, so the route wouldn't be maintained in this case, so it should work fine there, so long as the VPN is bound to a CARP VIP. When the VIP transitions to master it starts the VPN processes.

Jim

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
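The manual outbound NAT rule described above, written as the pf rule that would be loaded on the primary's LAN interface. This is an added, constructed example and not from the post; the interface name em1 and all addresses are assumed values.

```pf
# Constructed example. Assumed values:
#   em1          = LAN interface of the PRIMARY firewall (rule lives here)
#   10.0.8.0/24  = VPN client subnet ("VPN subnet" in the post)
#   192.168.1.1  = CARP VIP shared on LAN (configured on both units)
#   192.168.1.3  = secondary's own LAN IP (the box clients cannot reach)
#
# Symptom: the secondary has a route / IPsec phase 2 for 10.0.8.0/24, so it
# tries to answer the VPN client directly instead of via the primary, and
# the reply never gets back.

# Do NOT translate to the CARP VIP: both units carry that address, and the
# post explicitly warns against using it as the translation target.
# nat on em1 inet from 10.0.8.0/24 to 192.168.1.3 -> 192.168.1.1

# Translate to the LAN interface's own (non-VIP) address instead. The
# secondary now sees an on-link source, replies to the primary's LAN IP,
# and the primary un-NATs the reply and sends it back over the VPN.
nat on em1 inet from 10.0.8.0/24 to 192.168.1.3 -> (em1)
```

On the primary, `pfctl -sn` lists the NAT rules actually loaded, and `tcpdump -ni em1 host 192.168.1.3` should show packets toward the secondary leaving with the primary's LAN IP as source.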
