It is; clustering support was added recently exactly for scenarios such as this. You'll need to set up WEST and WEST backup as cluster members, define the IP addresses, and set up IPSec as the failover service. This will actually be using clustering instead of VRRP for your virtual address failover.
Best, Justin On Dec 11, 2007 6:28 AM, Senad Uka <[EMAIL PROTECTED]> wrote: > Hello. > > I am trying to setup a network similar to the one in the configuration > manual under pre-shared key IPSEC VPN settings section, but adding a > VRRP backup router to the router named WEST in the manual (page 231). > > | SERVER | > 192.168.40.7/24 > | > | > * (virtual IP: 192.168.40.20) > / \ > / \ > / \ > 192.168.40.6/24 192.168.40.5/24 > | WEST | | WEST backup | > 192.0.2.2/26 192.168.0.2.3/26 > \ / > \ / > \ / > \ / > * (virtual IP: 192.0.2.1) > | > | > | > 192.0.2.33/26 > | EAST | > 192.168.60.8/24 > | > | > 192.168.60.7/24 > | CLIENT | > > Client communicates with server through IPSEC tunnel between EAST and > WEST routers. IF the WEST router goes down WEST backup should take > over. > I have setup the routers according to manual and it worked. When I > setup VRRP on the WEST, and set the ipsec peer on the EAST to the > virtual IP - the tunnel cannot be established. > >From the debug data for the ipsec I can see that the EAST is expecting > a tunnel 192.68.60/24===192.0.2.33...192.0.2.1===192.168.40.0/24 , > while the WEST doesn't use it's virtual address and expects > 192.168.40.0/24 ===192.0.2.2...192.0.2.33===192.68.60/24 so it cannot > finish the phase 2 negotiation ... > In order to solve it, I tried to setup the local-ip in ipsec > configuration on the WEST side to virtual IP address (192.0.2.1) but i > cannot commit the changes since vyatta does not recognize it as > address of an interface > (Message: Local IP specified for peer "192.0.2.33" has not been > configured in any of the ipsec interfaces or clustering.) > > Is my requested behaviour even possible to achieve? Am I missing something ? > -- > LA ILAHE ILLA ENTE, SUBHANEKE INNI KUNTU MINE-ZZALIMIN > _______________________________________________ > Vyatta-users mailing list > Vyatta-users@mailman.vyatta.com > http://mailman.vyatta.com/mailman/listinfo/vyatta-users > _______________________________________________ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
