Hi everyone,

I try to get a redundant VPN (IKE, preshared) tunnel between a FW-1 cluster
and a CISCO Router to work. Using another FW-1 on the remote side I
experience no problems.

I have the following cluster setup:

- Stonebeat Fullcluster 2.0 SP1
- FW-1 4.1 SP2
- Solaris 7.0

On the interface where I try to set up the VPN I route all traffic through
the cluster IP. 

First negotiation is fine (when all VPN connection tables are cleared and
the SA table on the CISCO is clear also). When forcing it to use my second
node, it renegotiates the IKE connection and builds up the tunnel.

When I switch back again, it says on the CISCO that I have an invalid SA.

Same thing if I use the cluster as a hot-standby solution. The only thing
that helped (but not always) is to set the key-timeout values to the minimum
on both sides.

Thanx

Michael Boeing


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
