Hi,
We have pairs of firewalls at all our remote office sites, with CARP
interfaces on all physical interfaces. Head office also has a pair.
Every remote office site has IPSec VPNs to the head office (built
against the CARP IPs and using sasyncd etc.). NB: VPN fail-over works
brilliantly whether it's a fail-over at the head office or remote office :)
To allow the remote firewalls themselves to use the VPNs (for
monitoring/reporting back to HQ etc.) we have to add a static route for
the head office network onto the remote office firewalls which goes via
the remote office firewall's local internal CARP interface.
This ensures the packet is generated by the remote office firewall with
a source IP of its internal interface (so as to match the IPSec VPN
policy-based route), and so that the backup firewall sends its traffic
to the current master which is running the VPN.
E.g. 10.0.0/24 is the head office network on the other side of the VPN.
10.16.0.254 is the CARP interface on the inside of the remote office
firewalls.
[OFFICE]root@stfw2:~# netstat -rn | grep 10.0.0
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
10.0.0/24 10.16.0.254 UGS 2 4342 - 8 em1
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
10.0.0/24 0 10.16.0/24 0 0 178.78.113.100/esp/use/in
10.16.0/24 0 10.0.0/24 0 0 178.78.113.100/esp/require/out
However, the master firewall throws this error (*many* times a second,
continuously):
arpresolve: 10.16.0.254: route without link local address
This seems to happen because on the master the route for the CARP
interface has no MAC:
Destination Gateway Flags Refs Use Mtu Prio Iface
10.16.0.254 10.16.0.254 UH 1 4 - 4 carp1
Is there a way around this? We just want both of the remote firewalls to
be able to use the IPSec VPN back to head office.
This error can't be good or healthy to just ignore at the rate it
occurs :(
Cheers, Andy.
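A small check for the condition Andy describes, added here as an example and not part of his mail or of OpenBSD: it parses `netstat -rn`-style output (the sample below is constructed to match the shape of the routing table in the post), collects the addresses that appear as host routes on carpN interfaces, and reports every gateway route whose next hop is one of those local CARP addresses. Running it against the real output of `netstat -rn` on each firewall shows which static routes point back at the box's own CARP address, which is the setup that produces the repeated arpresolve messages on the master. The function names and the column layout it assumes are the example's own.

```python
"""Flag routes whose gateway is one of this host's own CARP addresses.

Reads the "Internet:" section of `netstat -rn` output. A route carrying the
G flag whose gateway equals the destination of a UH host route on a carpN
interface is reported, since that is the next hop that cannot be resolved
via ARP on the CARP master.
"""

# Constructed sample modelled on the post's netstat output (not real data).
SAMPLE_NETSTAT = """Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            178.78.113.1       UGS        5    12345     -     8 em0
10.0.0/24          10.16.0.254        UGS        2     4342     -     8 em1
10.16.0/24         link#2             UC         1        0     -     4 em1
10.16.0.254        10.16.0.254        UH         1        4     -     4 carp1
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
"""


def parse_routes(text):
    """Return the routes of the 'Internet:' section as a list of dicts."""
    routes = []
    in_inet = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.rstrip().endswith(":"):
            # Any other section header ("Encap:", "Internet6:") ends the table.
            in_inet = False
            continue
        if not in_inet or not line.strip() or line.startswith("Destination"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue  # not a full routing-table row
        routes.append(
            {
                "dest": fields[0],
                "gateway": fields[1],
                "flags": fields[2],
                "iface": fields[-1],
            }
        )
    return routes


def carp_addresses(routes):
    """Addresses hosted on carp interfaces: UH host routes whose iface is carpN."""
    return {
        r["dest"]
        for r in routes
        if r["iface"].startswith("carp") and "H" in r["flags"]
    }


def find_self_carp_gateways(text):
    """Return (destination, gateway, iface) for routes via a local CARP address."""
    routes = parse_routes(text)
    local_carp = carp_addresses(routes)
    return [
        (r["dest"], r["gateway"], r["iface"])
        for r in routes
        if "G" in r["flags"] and r["gateway"] in local_carp
    ]


if __name__ == "__main__":
    # Replace SAMPLE_NETSTAT with the output of `netstat -rn` to check a live box.
    for dest, gw, iface in find_self_carp_gateways(SAMPLE_NETSTAT):
        print(f"route {dest} via {gw} on {iface}: gateway is a local CARP address")
```

The flagged row is exactly the static route from the post (10.0.0/24 via 10.16.0.254 on em1). The script only diagnoses; it makes no change to the routing table.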