Hello List,

I'm having some issues with IPSec VPN tunnels.

Here is what I'm trying to do:


- I have a VPN 'server' with 2 internet connections (IP1, IP2).
- I have several remote locations which connect to the VPN server.

When IP1 goes down on the VPN server I want the remote locations to negotiate the tunnel with IP2.

What is the best way to accomplish this? I have tried a couple of different things, none successful.


My ipsec.conf on the server looks like this:

# Remote Location 1
ike passive esp from 10.110.39.0/24 to 10.115.10.0 peer <REMOTELOCATION1> main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk "psk"

# Remote Location 2
ike passive esp from 10.110.39.0/24 to 10.115.20.0 peer <REMOTELOCATION2> main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk "psk"

My ipsec.conf on one of the remote location machines looks like this:

# Main Office
ike esp from 10.115.20.0 to 10.110.39.0/24 peer <MAIN-OFFICE-IP1> main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk "psk"

# Main Office Backup
ike esp from 10.115.20.0 to 10.110.39.0/24 peer <MAIN-OFFICE-IP2> main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk "psk"

This doesn't work. When I comment out the 'Backup' tunnel on the remote location machine the IP1 tunnel comes up just fine. When I try un-commenting it, neither of the tunnels comes up. I'm pretty sure that this is not SUPPOSED to work, as the subnets are the same for both tunnels. I have played around with the various "ike [mode]" parameters, substituting dynamic, passive, etc. in every possible combination.

I have configured isakmpd to listen on both interfaces on the main office machine.

i.e.

[general]
Listen-on=IP1,IP2

I have also tried to just change the default routes on the main office machine and restart isakmpd. Can anyone recommend a way to do VPN failover in this manner? Is it possible to use the DPD of dynamic mode to somehow make isakmpd negotiate a backup tunnel when the main tunnel goes down?


Thanks so much,


Steve
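Added example (not from the original post or from OpenBSD): since both remote-side flows cover the identical subnets (10.115.20.0 to 10.110.39.0/24) and so cannot both be loaded, one workable approach is a watchdog on the remote location that keeps exactly one flow loaded, probes a host on the far side through the tunnel, and swaps in the backup peer only when the probe fails. The peer addresses, the probe host and the state-file path are placeholders; `ipsecctl -F` (flush) and `ipsecctl -f` (load) are the standard OpenBSD commands.

```shell
#!/bin/sh
# Failover watchdog for the remote-location side (example, not the
# original poster's config). Only ONE flow may be loaded at a time
# because both peers carry the same from/to subnets.
PRIMARY_PEER="${PRIMARY_PEER:-MAIN-OFFICE-IP1}"   # placeholder for IP1
BACKUP_PEER="${BACKUP_PEER:-MAIN-OFFICE-IP2}"     # placeholder for IP2
PROBE_HOST="${PROBE_HOST:-10.110.39.1}"           # assumed host inside the main-office LAN
STATE_FILE="${STATE_FILE:-/var/run/vpn-failover.state}"
CONF_FILE="${CONF_FILE:-/etc/ipsec.conf}"

# Render the single ipsec.conf flow for one peer, with the same
# transforms the posted config uses.
render_conf() {
    printf 'ike esp from 10.115.20.0 to 10.110.39.0/24 peer %s main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk "psk"\n' "$1"
}

# Reachability probe through the tunnel; PROBE_CMD can be overridden
# (e.g. in tests). Returns 0 when the far side answers.
probe() {
    ${PROBE_CMD:-ping -c 1 -w 2} "$PROBE_HOST" >/dev/null 2>&1
}

# Decide which peer should be active. Prints "primary" or "backup".
# A working tunnel is never switched (avoids flapping); a failed
# backup falls back to primary so recovery of IP1 is picked up.
select_peer() {
    current="$1"
    if probe; then
        echo "$current"
    elif [ "$current" = primary ]; then
        echo backup
    else
        echo primary
    fi
}

# Write the chosen flow, flush old flows/SAs and load the new file.
apply_peer() {
    case "$1" in
        primary) render_conf "$PRIMARY_PEER" ;;
        backup)  render_conf "$BACKUP_PEER" ;;
    esac > "$CONF_FILE"
    ipsecctl -F && ipsecctl -f "$CONF_FILE"
}

# One watchdog pass; run main_loop from a cron entry (e.g. every minute).
main_loop() {
    current=$(cat "$STATE_FILE" 2>/dev/null || echo primary)
    want=$(select_peer "$current")
    if [ "$want" != "$current" ]; then
        apply_peer "$want" && echo "$want" > "$STATE_FILE"
    fi
}
```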