Hi everyone,

We're trying to set up a high availability layer 2 VPN using OpenBSD
firewalls.

With just 1 firewall at each end, everything works just fine, as
described in the brconfig manual page (except that we haven't gone as
far as the IPSEC bit yet, trying to get it working in general first.)

Ideally, we need a pair of HA firewalls at each side though. Initially
we thought we could do this by establishing a gif tunnel on both boxes,
to its mate at the other side, between the addresses on the CARP
interfaces. So it would seem like 2 tunnels were up at all times from
ifconfig, but no traffic would ever be sent between the backup
firewalls, as they wouldn't actually have the CARP addresses to do this.

It doesn't seem to work, though: we get really weird ARP behaviour which
I can't explain. End nodes behind each firewall would sometimes learn
the MAC of the box at the remote site, but not consistently, and in fact
it seemed like 1 side would always have a valid ARP entry and the other
wouldn't, but then they would switch.

We're going to keep digging and try to come up with an accurate set of
results of what is going on, but if there's anyone out there who knows
that this definitely won't work, or perhaps it will but there's a gotcha
we need to be aware of, then it would be nice to hear from you.

Regards,

Dunc


-- 
Duncan Lockwood
Network Administrator

The Bunker Secure Hosting Limited
Ash Radar Station
Marshborough Road
Sandwich
Kent CT13 0PL
UNITED KINGDOM

t: 01304 814 800
f: 01304 814 899
e: [EMAIL PROTECTED]
w: www.thebunker.net
PGP on Key Servers