I mean Phase 1 of the IPSEC connection by ISAKMPD session. Hmm, sounds like I'm on the right track but I'm definitely missing something. Maybe I had some misconfigurations somewhere. I'll have to try again and see how it goes. If I still have problems I will post the configs. Thanks for the help.
On 5/3/07, Dag Richards <[EMAIL PROTECTED]> wrote:
>
> [EMAIL PROTECTED] wrote:
> > Ok, that setup is similar to what I have and I do have carp interfaces on
> > both sides of the firewall. I was able to configure sasyncd, but when
> > running netstat -rnf encap I was not able to see any of the flows on the
> > slave machine, but then I realized (or thought) that it was because the
> > ISAKMPD session was not established on the slave machine.
>
> I do not understand your terms here, ISAKMPD session ....
>
> > If you're trying to establish the ISAKMPD session from the slave box which
> > does not have control of the active carp interface, how is the
> > ISAKMPD/IPSEC connection established? Doesn't it need to be established
> > for sasyncd to know about the SAs? Or upon failover does the session
> > then get established on the fly? Do you use isakmpd.conf or ipsec.conf
> > to control your flows?
>
> I use isakmpd.conf, though it seems to be deprecated and so really
> should be moving over to ipsec.conf.
>
> I have a dedicated NIC on each machine with a x-over cable to carry the
> sasync and pfsync traffic. You can use an ipsec tunnel for this, though I
> found it to fail occasionally.
>
> Run isakmpd on both hosts with the listen addr being that of the carp
> iface and you should see SPIs propagated from the active server to the
> second.
>
> Off to lunch now; if this does not clear things up sufficiently you
> should consider posting ifconfigs, sasyncd.conf, isakmpd.conf and maybe
> some dumps ...
>
> > Maybe one of the smart people will help us then.
> >
> > Thanks.
> >
> > On 5/2/07, *Dag Richards* <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
> > >
> > > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> wrote:
> > > > I have a redundant firewall setup with carp interfaces on both
> > > > sides of the firewall. I have a mirror of this setup in a 2nd
> > > > location. Now I'm a little confused on how to set up the VPN.
> > > > Do I use 1) the physical interfaces between the peers, or 2) do I
> > > > use the carp interface as the peers, or 3) do I use both the
> > > > physical and carp interfaces as the peers?
> > > >
> > > > When trying to set up sasyncd in this sort of environment I can't
> > > > get the slave firewall to establish an IKE session because of the
> > > > IPs of the peers. Can anyone give me any insight into this?
> > >
> > > What I have been doing is setting up the VPNs between the sites using
> > > the carp addrs. sasync follows the state of the carp interface so you
> > > should get
> > >
> > >    box a -               - box y -
> > >           \             /         \
> > >    carp 0 ------vpn------ carp 0    carp1 -- internal nets
> > >           /             \         /
> > >    box c -               - box z -
> > >
> > > A netstat -rnf encap run on a and c should look the same,
> > > and y and z should as well. Packets will only be forwarded down the
> > > tunnel by the machine who is carp master of either end. You will
> > > probably want to have internal carp ifaces as well, as seen on boxes y
> > > and z.
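To make the layout Dag describes concrete (tunnel peers are the carp addresses, isakmpd listening on the carp address, sasyncd following carp0, pfsync and sasyncd traffic on a dedicated crossover NIC), here is an added example of the relevant OpenBSD config files for box a. It is not anything posted in this thread. All addresses, the vhids, the crossover interface name em2 and the keys are placeholder values: box c uses the same files with a higher advskew and its own crossover address, and site y/z mirrors them with local and remote swapped.

```conf
# /etc/hostname.carp0   (box a; external side, shared virtual IP with box c)
# box c uses the same line with e.g. advskew 100 so it stays BACKUP
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass CARP_PASSWORD advskew 0

# /etc/hostname.carp1   (internal side, as on boxes y and z in the diagram)
inet 10.0.1.1 255.255.255.0 10.0.1.255 vhid 2 pass CARP_PASSWORD advskew 0

# /etc/hostname.em2     (dedicated crossover link for pfsync + sasyncd; name assumed)
inet 172.16.0.1 255.255.255.0

# /etc/hostname.pfsync0
up syncdev em2

# /etc/ipsec.conf       (identical on box a and box c; y and z swap local/remote)
# The IKE endpoints are the carp addresses, not the physical ones, so the
# tunnel endpoint survives a failover and the backup can take over the SAs.
local_gw   = "192.0.2.1"        # carp0 at this site
remote_gw  = "198.51.100.1"     # carp0 at the other site
local_net  = "10.0.1.0/24"
remote_net = "10.0.2.0/24"

ike esp from $local_net to $remote_net local $local_gw peer $remote_gw \
    psk "PLACEHOLDER_PSK"

# /etc/sasyncd.conf     (box a; box c swaps listen/peer)
# sasyncd follows carp0: only the carp MASTER runs IKE actively and pushes
# the resulting SAs and flows to the BACKUP over the crossover link.
interface carp0
listen on 172.16.0.1
peer 172.16.0.2
# placeholder; generate a real 256-bit key, e.g. with: openssl rand -hex 32
sharedkey 0x0000000000000000000000000000000000000000000000000000000000000000

# /etc/rc.conf.local
# -S starts isakmpd in passive mode so sasyncd can switch it active only
# on the box that currently holds carp0 MASTER
isakmpd_flags="-K -S"
sasyncd_flags=""
ipsec=YES
pf=YES
```

If you stay on isakmpd.conf instead of ipsec.conf, the equivalent of the carp peer address is `Listen-on=192.0.2.1` in the `[General]` section. Once both boxes are up, `ifconfig carp0` should show MASTER on exactly one of a and c, and `netstat -rnf encap` should list the same flows on both, which is the check Dag suggests; if the BACKUP shows nothing, look at the sasyncd link and shared key before suspecting IKE.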

