Ok, that setup is similar to what I have, and I do have carp interfaces on both sides of the firewall. I was able to configure sasyncd, but when running netstat -rnf encap I was not able to see any of the flows on the slave machine; but then I realized, or thought, that it was because the ISAKMPD session was not established on the slave machine.

If you're trying to establish the ISAKMPD session from the slave box, which does not have control of the active carp interface, how is the ISAKMPD/IPSEC connection established? Doesn't it need to be established for sasyncd to know about the SAs? Or upon failover does the session then get established on the fly? Do you use isakmpd.conf or ipsec.conf to control your flows? Thanks.

On 5/2/07, Dag Richards <[EMAIL PROTECTED]> wrote:
>
> [EMAIL PROTECTED] wrote:
> > I have a redundant firewall setup with carp interfaces on both sides of the
> > firewall. I have a mirror of this setup in a 2nd location. Now I'm a little
> > confused on how to set up the VPN. Do I use 1) the physical interfaces
> > between the peers or 2) do I use the carp interface as the peers or 3) do I
> > use both the physical and carp interfaces as the peers.
> >
> > When trying to set up sasyncd in this sort of environment I can't get the
> > slave firewall to establish an IKE session because of the IPs of the peers.
> > Can anyone give me any insight into this?
> >
>
> What I have been doing is setting up the VPNs between the sites using
> the carp addrs. sasync follows the state of the carp interface so you
> should get
>
>
>   box a -                        - box y -
>          \                      /         \
>           carp0 -------vpn---- carp0      carp1 --internal nets
>          /                      \         /
>   box c -                        - box z -
>
> a netstat -rnf encap run on a and c should look the same
> and y and z should as well. Packets will only be forwarded down the
> tunnel by the machine who is carp master of either end. You will
> probably want to have internal carp ifaces as well, as seen on boxes y
> and z.
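As an added example (not from either poster), here is the layout Dag describes written out as configuration for the a/c pair: the tunnel endpoints are the external carp addresses, sasyncd tracks carp0, and isakmpd is started passively so only the box that is carp master ever negotiates IKE while the backup just receives the SAs and flows from sasyncd. All addresses, networks, the pre-shared key and the key file path are constructed placeholders.

```conf
# /etc/ipsec.conf on box a and box c (identical on both; y and z carry the
# same file with local/peer and the networks swapped).  Placeholder values.
local_carp  = "203.0.113.10"     # shared carp0 address on the a/c side
remote_carp = "198.51.100.10"    # shared carp0 address on the y/z side
local_net   = "10.1.0.0/24"
remote_net  = "10.2.0.0/24"

# Negotiate between the two carp addresses, never the physical ones, so
# whichever box currently holds carp0 MASTER owns the IKE peer address.
ike esp from $local_net to $remote_net \
        local $local_carp peer $remote_carp \
        psk "placeholder-preshared-key"

# /etc/sasyncd.conf on box a (box c uses box a's physical address as peer).
# sasyncd follows carp0: MASTER -> tells isakmpd to go active,
# BACKUP -> keeps isakmpd passive and only imports SAs/flows from the peer.
interface carp0
peer 192.0.2.2                   # physical (sync-link) address of the other box
sharedkey /etc/sasyncd.key       # same key on a and c, mode 0600

# /etc/rc.conf.local on both boxes.
# -K: skip keynote policy checks, -S: start passive; sasyncd switches the
# carp master's isakmpd to active, the backup never initiates IKE itself.
isakmpd_flags="-K -S"
sasyncd_flags=""
```

With this in place `netstat -rnf encap` on a and on c should list the same flows, and `ipsecctl -sa` on the backup should show SAs it never negotiated; if the backup shows nothing, check that sasyncd on both boxes agrees on the shared key and can reach the peer address.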