Heinrich Rebehn wrote:
> Patrick Hemmen wrote:
>> Ok.
>>
>> Before using carp/sasyncd the IPSEC tunnel had worked.
>> The isakmpd daemon listens on all interfaces/IP addresses.
>>
>> I am illustrating my setup
>>
>> vpngw01: 10.10.10.101
>> carp:    10.10.10.1   <-- INTERNET --> remote gateway: 192.168.1.1
>> vpngw02: 10.10.10.102
>>
>
> Remove the IP addresses from the physical interfaces. The master will
> then use 10.10.10.1 as source address. Use the "carpdev" clause in
> ifconfig to specify the physical interface used for carp.
>
> Note however that the machine will no longer respond to broadcast packets.
>
> --
> Heinrich
>
> I fixed this problem by adding "local 10.10.10.1" before "peer
> 192.168.1.1" to the /etc/ipsec.conf file. I have to read the manual more
> thoroughly ;).
>
> I think the tunnel isn't available because of wrong lifetime settings.
> The remote gateway returns a "NO PROPOSAL CHOSEN" and all other settings
> are correct. Now, I'm waiting for the lifetime settings information of
> the remote site.
>
> Best regards.
> Patrick

Now the tunnel is up and running. The remote site used the wrong IP address for our vpn-gw in their config. I saw this after they switched to active mode. That's also the reason for the "NO PROPOSAL CHOSEN" error that I saw.

Thanks a lot.

Patrick Hemmen

I have a new email address.