[EMAIL PROTECTED] wrote:
> OK, that setup is similar to what I have, and I do have carp interfaces on
> both sides of the firewall. I was able to configure sasyncd, but when
> running netstat -rnf encap I was not able to see any of the flows on the
> slave machine, but then I realized (or thought) that it was because the
> ISAKMPD session was not established on the slave machine.
I do not understand your terms here: ISAKMPD session ....
> If you're trying to establish the ISAKMPD session from the slave box, which
> does not have control of the active carp interface, how is the
> ISAKMPD/IPsec connection established? Doesn't it need to be established
> for sasyncd to know about the SAs? Or upon failover does the session
> then get established on the fly? Do you use isakmpd.conf or ipsec.conf
> to control your flows?
I use isakmpd.conf, though it seems to be deprecated, so I really
should be moving over to ipsec.conf.
I have a dedicated NIC on each machine with a crossover cable to carry the
sasyncd and pfsync traffic. You can use an IPsec tunnel for this, though I
found it to fail occasionally.
Run isakmpd on both hosts with the listen address being that of the carp
interface and you should see SPIs propagated from the active server to the
second.
Off to lunch now. If this does not clear things up sufficiently, you
should consider posting ifconfigs, sasyncd.conf, isakmpd.conf and maybe
some dumps ...
Maybe one of the smart people will help us then.
Thanks.
On 5/2/07, Dag Richards <[EMAIL PROTECTED]> wrote:
[EMAIL PROTECTED] wrote:
> I have a redundant firewall setup with carp interfaces on both sides of the
> firewall. I have a mirror of this setup in a 2nd location. Now I'm a little
> confused on how to set up the VPN. Do I use 1) the physical interfaces
> between the peers, or 2) the carp interface as the peers, or 3) both the
> physical and carp interfaces as the peers?
>
> When trying to set up sasyncd in this sort of environment I can't get the
> slave firewall to establish an IKE session because of the IPs of the peers.
> Can anyone give me any insight into this?
>
What I have been doing is setting up the VPNs between the sites using
the carp addresses. sasyncd follows the state of the carp interface, so you
should get:

    box a -                    - box y -
            \                /           \
             carp0 ---vpn--- carp0        carp1 -- internal nets
            /                \           /
    box c -                    - box z -

A netstat -rnf encap run on a and c should look the same,
and y and z should as well. Packets will only be forwarded down the
tunnel by the machine which is carp master of either end. You will
probably want to have internal carp interfaces as well, as seen on boxes y
and z.
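The check Dag describes, "a netstat -rnf encap run on a and c should look the same", is easy to do by hand for two flows and tedious for fifty. The script below is an added example written for this page; it is not from the thread, from OpenBSD or from sasyncd itself. It normalises two netstat -rnf encap dumps and lists the flows that exist on only one peer. The function names (encap_flows, encap_diff) are mine, and the two embedded dumps are constructed samples whose layout only approximates the real netstat output; the backup copy is deliberately missing one flow so the script has something to report.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: compare the IPsec
# flow tables of the two carp peers. With sasyncd doing its job the master and
# the backup should list the same flows; anything present on only one side is
# printed. On the boxes: run "netstat -rnf encap" on each host, collect the two
# dumps on one machine, then call: encap_diff master.txt backup.txt

# One normalised line per flow: keep only lines whose first field starts like
# an address (this skips "Routing tables", "Encap:" and the column header),
# squeeze whitespace, and sort so that ordering differences do not count.
encap_flows() {
    awk 'NF >= 5 && $1 ~ /^[0-9a-f]/ { $1 = $1; print }' "$1" | sort -u
}

# List flows present on exactly one side. Returns 0 when the tables match and
# 1 when they differ, so it can drive a cron/monitoring check.
encap_diff() {
    ta=$(mktemp) || return 2
    tb=$(mktemp) || { rm -f "$ta"; return 2; }
    encap_flows "$1" > "$ta"
    encap_flows "$2" > "$tb"
    only_a=$(comm -23 "$ta" "$tb")   # flows only in the first dump
    only_b=$(comm -13 "$ta" "$tb")   # flows only in the second dump
    rm -f "$ta" "$tb"
    if [ -z "$only_a" ] && [ -z "$only_b" ]; then
        return 0
    fi
    [ -n "$only_a" ] && printf 'only on %s:\n%s\n' "$1" "$only_a"
    [ -n "$only_b" ] && printf 'only on %s:\n%s\n' "$2" "$only_b"
    return 1
}

# Constructed sample dumps for a stand-alone run. The layout imitates
# "netstat -rnf encap" on OpenBSD but is not a capture from the thread.
# The backup lacks the outbound flow, the kind of gap sasyncd should close.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/master.txt" <<'EOF'
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.1.0.0/24        0     10.2.0.0/24        0     0     192.0.2.2/esp/require/in
10.2.0.0/24        0     10.1.0.0/24        0     0     192.0.2.2/esp/require/out
EOF
cat > "$SAMPLE_DIR/backup.txt" <<'EOF'
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.1.0.0/24        0     10.2.0.0/24        0     0     192.0.2.2/esp/require/in
EOF

# Stand-alone demonstration: prints the flow that only the master has.
if encap_diff "$SAMPLE_DIR/master.txt" "$SAMPLE_DIR/backup.txt"; then
    echo "flow tables match"
else
    echo "flow tables differ"
fi
```

Because the comparison sorts the normalised lines before diffing, the order in which the kernel lists flows on each box does not matter; only the set of (source, destination, SA) tuples does, which is what sasyncd is supposed to keep identical between master and backup.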