[EMAIL PROTECTED] wrote:
I have a redundant firewall setup with carp interfaces on both sides of the
firewall. I have a mirror of this setup in a 2nd location. Now I'm a little
confused on how to set up the VPN. Do I use 1) the physical interfaces
between the peers, or 2) do I use the carp interface as the peers, or 3) do I
use both the physical and carp interfaces as the peers?

When trying to set up sasyncd in this sort of environment I can't get the
slave firewall to establish an IKE session because of the IPs of the peers.
Can anyone give me any insight into this?


What I have been doing is setting up the VPNs between the sites using the carp addrs. sasyncd follows the state of the carp interface, so you should get



     box a -                            - box y-
            \                          /        \
            carp 0 -------vpn----carp 0          carp1 --internal nets
            /                          \        /
     box c -                            - box z-

A `netstat -rnf encap` run on a and c should look the same,
and y and z should as well. Packets will only be forwarded down the tunnel by the machine that is carp master at either end. You will probably want to have internal carp ifaces as well, as seen on boxes y and z.
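The layout above, written out as a configuration for site A (boxes a and c). This is an added example and not something posted in the thread; the interface names, addresses, vhids, passwords and keys are placeholders, and it assumes a current OpenBSD release with ipsec.conf(5), sasyncd.conf(5) and the isakmpd -S flag. Only the CARP addresses appear in ipsec.conf, so the file is identical on both boxes; the physical (or a dedicated sync-link) addresses are used only by sasyncd to reach its partner.

```conf
# --- Box a (site A); box c is identical except where noted ---

# /etc/hostname.em0  (per-box physical address on the VPN-facing segment)
inet 192.0.2.2 255.255.255.0

# /etc/hostname.carp0  (shared address that is the IKE/IPsec endpoint;
# box c uses the same address, vhid and pass but adds "advskew 100")
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass carp_secret_outside

# /etc/hostname.carp1  (shared gateway on the internal segment, as on y/z)
inet 10.1.0.1 255.255.255.0 10.1.0.255 vhid 2 carpdev em1 pass carp_secret_inside

# /etc/ipsec.conf  (identical on a and c: only CARP addresses are referenced)
local_gw  = "192.0.2.1"        # carp0 at site A
remote_gw = "198.51.100.1"     # carp0 at site B (boxes y and z)
ike esp from 10.1.0.0/24 to 10.2.0.0/24 \
    local $local_gw peer $remote_gw \
    psk "replace-with-a-long-random-psk"

# /etc/sasyncd.conf on box a  (box c swaps the listen/peer addresses)
interface carp0                 # sasyncd goes master/slave with carp0
listen on 172.16.1.1            # this box on the dedicated sync link
peer 172.16.1.2                 # box c on the sync link (physical, not CARP)
sharedkey 0x00112233445566778899aabbccddeeff   # placeholder 128-bit key
control isakmpd

# /etc/rc.conf.local  (identical on a and c)
isakmpd_flags="-S -K"           # -S: SA state is synchronised by sasyncd
ipsec=YES
sasyncd_flags=""
```

After both boxes are up, `ifconfig carp0` should show exactly one MASTER per site, `netstat -rnf encap` should print the same flows on a and c, and `ipsecctl -sa` on the backup should list the SAs that sasyncd copied from the master without the backup ever having negotiated them itself.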
