I have a pair of pfSense 1.2RC2 firewalls, with FW-A being the master which synchronises to FW-B; they use CARP on both internal and external interfaces for automatic failover.

I set up a bunch of OpenVPN configs for staff for "road-warrior" VPNs (using shared key, one VPN configured per member of staff). As far as I can see the OpenVPN configuration does not replicate across, so, in case of failure, I set up almost identical configs on each firewall, but of course the IP addresses are different. Internally, FW-Cluster is 10.0.0.1, FW-A is 10.0.0.2, FW-B is 10.0.0.3. Then FW-A OpenVPN is 10.0.1.x and FW-B is 10.0.2.x.

As far as I can see OpenVPN sessions do not synchronise state between machines. This means that I need to have additional routes so that FW-A knows to route FW-B's OpenVPN addresses to FW-B and vice versa. It does mean that I can't set up routes to networks at the other ends of the tunnels because I don't know in advance which firewall the tunnel will "come out of".

Is there a better way to achieve this, i.e. can the firewalls synchronise VPN setup and state in some way?

thanks
Paul
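The addressing and routing scheme Paul describes, written out as an added example (this is not code from the original post, from pfSense, or from OpenVPN). It assumes a 10.0.0.0/24 LAN, a few made-up staff names, a /30 per shared-key tunnel with the firewall taking the first usable address, one UDP port per tunnel starting at 1194, and placeholder key paths and public addresses; all of those are assumptions, not facts from the post. It generates the per-staff server and client fragments for each firewall, checks that the two VPN ranges do not overlap each other or the LAN, and emits the static routes each firewall needs for the other node's tunnel addresses.

```python
import ipaddress
from itertools import combinations

# Constructed model of the setup described in the post.
# LAN prefix, staff names, ports and key paths are assumptions.
LAN_NET = ipaddress.ip_network("10.0.0.0/24")
FIREWALLS = {
    "FW-A": {"lan_ip": "10.0.0.2", "vpn_net": "10.0.1.0/24"},
    "FW-B": {"lan_ip": "10.0.0.3", "vpn_net": "10.0.2.0/24"},
}
STAFF = ["alice", "bob", "carol"]  # constructed names
BASE_PORT = 1194                   # assumed: one UDP port per shared-key tunnel


def tunnel_addresses(vpn_net, index):
    """Carve the firewall's VPN /24 into /30 blocks, one per shared-key tunnel.
    The firewall takes the first usable address, the road warrior the second."""
    blocks = list(ipaddress.ip_network(vpn_net).subnets(new_prefix=30))
    fw_ip, client_ip = blocks[index].hosts()
    return str(fw_ip), str(client_ip)


def server_config(fw_name, staff_name, index):
    """Firewall-side OpenVPN fragment for one staff member on one firewall."""
    fw_ip, client_ip = tunnel_addresses(FIREWALLS[fw_name]["vpn_net"], index)
    return "\n".join([
        f"# {fw_name}: shared-key tunnel for {staff_name}",
        "dev tun",
        "proto udp",
        f"port {BASE_PORT + index}",
        f"ifconfig {fw_ip} {client_ip}",
        f"secret /var/etc/openvpn/{staff_name}.key",  # assumed path
        "keepalive 10 60",
        "persist-tun",
        "persist-key",
    ])


def client_config(fw_name, staff_name, index):
    """Road-warrior side: the same /30 with the two addresses swapped.
    The remote address is a placeholder; the post does not give public IPs."""
    fw_ip, client_ip = tunnel_addresses(FIREWALLS[fw_name]["vpn_net"], index)
    return "\n".join([
        f"# {staff_name} -> {fw_name}",
        "dev tun",
        "proto udp",
        f"remote <public-ip-of-{fw_name}> {BASE_PORT + index}",
        f"ifconfig {client_ip} {fw_ip}",
        f"secret {staff_name}.key",
        "keepalive 10 60",
    ])


def validate_plan(firewalls, lan_net):
    """Refuse ranges that overlap the LAN or each other; a static route for an
    overlapping range would shadow the LAN or the other firewall's tunnels."""
    nets = {n: ipaddress.ip_network(c["vpn_net"]) for n, c in firewalls.items()}
    for name, net in nets.items():
        if net.overlaps(lan_net):
            raise ValueError(f"{name} VPN range {net} overlaps LAN {lan_net}")
    for a, b in combinations(nets, 2):
        if nets[a].overlaps(nets[b]):
            raise ValueError(f"{a} and {b} VPN ranges overlap")
    return True


def cross_routes(firewalls):
    """Static routes each node needs so that packets for the other node's
    tunnel addresses are handed to that node over the LAN (FreeBSD syntax)."""
    return {
        name: [
            f"route add -net {other['vpn_net']} {other['lan_ip']}"
            for oname, other in firewalls.items() if oname != name
        ]
        for name in firewalls
    }


if __name__ == "__main__":
    validate_plan(FIREWALLS, LAN_NET)
    for fw in FIREWALLS:
        for i, who in enumerate(STAFF):
            print(server_config(fw, who, i), "\n")
            print(client_config(fw, who, i), "\n")
        print(f"# static routes on {fw}:")
        print("\n".join(cross_routes(FIREWALLS)[fw]), "\n")
```

The generated routes are exactly the two that the post says are needed: FW-A sends 10.0.2.0/24 to 10.0.0.3 and FW-B sends 10.0.1.0/24 to 10.0.0.2. Note that the client fragment is tied to one firewall's addresses, which is the limitation the post runs into: a shared-key tunnel's ifconfig pair must match the node it lands on, so a client cannot simply point at the CARP VIP and get a consistent address on whichever node is master.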
