On 20.06.2017 11:13, claudiu vasadi wrote:
> Now some questions:
> 1) On fw2, I omit the ipsecctl command and start only isakmpd and
> sasyncd. If I check the SAs and flows, they will be synced from fw1,
> but is this how it should be, or do I need to have ipsec.conf on fw2
> as well and issue the "ipsecctl -f /etc/ipsec.conf" command when
> starting the IPsec VPN?
You need to use ipsecctl on fw2, too. The -S will prevent active
negotiation until CARP flips over.
> 2) Once the SAs and flows are in sync and I carpdemote fw1, I lose the
> IPsec connection. When running isakmpd in debug mode, it looks like it
> doesn't adhere to the SAs and flows that "ipsecctl -sa" shows (a.k.a. I
> need to copy the ipsec.conf to fw2 and run "ipsecctl -f ipsec.conf").
Without the use of ipsecctl you have SA data, as you've seen, but no
routing information (I think). Thus no more traffic passes (thinking: no
route with SA -> packet dropped).
HTH,
--
pb
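Added example, not code from this thread or from OpenBSD: a small check to run on the standby gateway (fw2) after sasyncd has synced state or after a CARP failover. It reads "ipsecctl -sa" output for one peer and reports which of the states discussed above the box is in: flows and SAs both present, SAs but no flows (the "synced, but nothing passes" situation, which loading /etc/ipsec.conf with ipsecctl -f on fw2 addresses), flows but no SAs, or nothing. The two embedded samples are constructed, not captured from a real gateway, and the peer and network addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): post-failover sanity check
# for the standby IPsec gateway. Counts SPD flows and SAs for one peer in
# "ipsecctl -sa" output and classifies the result. Addresses are assumed.

# Constructed sample of a healthy gateway (FLOWS: section, then SAD: section,
# as ipsecctl -sa prints them). Not captured from a real system.
SAMPLE_HEALTHY='FLOWS:
flow esp in from 10.0.2.0/24 to 10.0.1.0/24 peer 203.0.113.2 srcid 203.0.113.1/32 dstid 203.0.113.2/32 type use
flow esp out from 10.0.1.0/24 to 10.0.2.0/24 peer 203.0.113.2 srcid 203.0.113.1/32 dstid 203.0.113.2/32 type require

SAD:
esp tunnel from 203.0.113.2 to 203.0.113.1 spi 0x1a2b3c4d auth hmac-sha2-256 enc aes-256
esp tunnel from 203.0.113.1 to 203.0.113.2 spi 0x5e6f7a8b auth hmac-sha2-256 enc aes-256'

# Constructed sample of the degraded state: SAs arrived via sasyncd, but no
# flows were loaded, so the kernel has nothing selecting traffic into the tunnel.
SAMPLE_NO_FLOWS='FLOWS:

SAD:
esp tunnel from 203.0.113.2 to 203.0.113.1 spi 0x1a2b3c4d auth hmac-sha2-256 enc aes-256
esp tunnel from 203.0.113.1 to 203.0.113.2 spi 0x5e6f7a8b auth hmac-sha2-256 enc aes-256'

# count_flows PEER < output : number of flow entries whose "peer" field is PEER
count_flows() {
    awk -v peer="$1" '
        /^FLOWS:/ { sect = "flows"; next }
        /^SAD:/   { sect = "sad";   next }
        sect == "flows" && $1 == "flow" {
            for (i = 1; i < NF; i++) if ($i == "peer" && $(i + 1) == peer) n++
        }
        END { print n + 0 }'
}

# count_sas PEER < output : number of SA entries with PEER as either endpoint
count_sas() {
    awk -v peer="$1" '
        /^FLOWS:/ { sect = "flows"; next }
        /^SAD:/   { sect = "sad";   next }
        sect == "sad" && $1 == "esp" && $3 == "from" && ($4 == peer || $6 == peer) { n++ }
        END { print n + 0 }'
}

# state_verdict PEER < output : prints ok / no-flows / no-sas / partial-sas / empty
state_verdict() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"                       # buffer stdin so both counters can read it
    flows=$(count_flows "$1" < "$tmp")
    sas=$(count_sas "$1" < "$tmp")
    rm -f "$tmp"
    if [ "$flows" -gt 0 ] && [ "$sas" -ge 2 ]; then
        echo ok                        # SPD and both directions' SAs present
    elif [ "$flows" -eq 0 ] && [ "$sas" -gt 0 ]; then
        echo no-flows                  # thread symptom: load ipsec.conf with ipsecctl -f
    elif [ "$flows" -gt 0 ] && [ "$sas" -eq 0 ]; then
        echo no-sas                    # policy loaded, but isakmpd/sasyncd supplied no keys
    elif [ "$flows" -gt 0 ]; then
        echo partial-sas               # only one direction keyed
    else
        echo empty
    fi
}

# On the standby box:   ipsecctl -sa | state_verdict 203.0.113.2
# With the constructed samples:
#   printf '%s\n' "$SAMPLE_HEALTHY"  | state_verdict 203.0.113.2   -> ok
#   printf '%s\n' "$SAMPLE_NO_FLOWS" | state_verdict 203.0.113.2   -> no-flows
```

The "no-flows" verdict is the state this thread is about: sasyncd has delivered the SAs, but nothing has installed the flows on fw2, so pipe the live "ipsecctl -sa" output through the check after a carpdemote and, if it says no-flows, load the same /etc/ipsec.conf on fw2 with "ipsecctl -f /etc/ipsec.conf". The peer address and prefixes in the samples are placeholders to replace with your own.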