Here's a short howto.

#1. Set up your tunnels to use "IP address" and the VIP CARP member
#2. Visit VPN, IPSEC, Failover IPSEC, define the VIP IP address
#3. Visit the other end of the tunnel, make sure the remote gateway is set as the CARP VIP
#4. There is no step 3. Enjoy your failover IPSEC.

Scott

On 2/14/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

I'm having difficulties setting up CARP with IPSEC VPN. The idea is to have a tunnel always up, even if an individual firewall crashes. I will have a total of 3 sites with a dual-firewall configuration. A fourth will be a single firewall configuration.

The CARP, as far as I can tell, has completed and maintains sync just fine. I can browse the internet, send and receive files, etc. It does seem to be slightly pokey, but it works perfectly fine otherwise.

I can set up tunnels between single firewalls with no problem, but I just can't quite get that connection to the VIP to happen. If I point the remote endpoint to the IP of FW1 (master), then the tunnel pops up just fine.

One thing to note, I have noticed that sometimes the tunnel indicator on one endpoint says that the tunnel is up, even though traffic doesn't seem to be able to make it down the tunnel.

Here's my basic layout:

                   INTERNET
                      |
               VIP: 192.168.2.1
                      |
                      |
              ------------------
    WAN IP:  192.168.2.2   192.168.2.3
                 FW1           FW2
    LAN IP:  192.168.0.2   192.168.0.3
              -----------------
                      |
                      |
               VIP: 192.168.0.1
    CARP IP: 192.168.3.1   192.168.3.2

PFSENSE Version: 1.0.1 or 1.0.1 with snapshot from 2-13-07

Both versions seem to react the same for me.

In my test scenario, I'm running dual-firewalls (with CARP) on one end with a single firewall on the other (3Com Superstack 3). My goal is to replace my Superstack3's with PFSENSE.

I've seen quite a few posts about people making it connect to the VIP, I just haven't seen exactly how they do it. I'm ok with someone telling me to RTFM as long as I get a clue (I guess I need an obvious one) as to where to read.

Thanks for any input!!

Scott
