I've been thinking about this as well. Perhaps one way to deal with the
master returning online is with ifstated: the backup could run a script
after a CARP change, tearing down the existing tunnel and allowing the
master firewall to establish a new IPSec tunnel.
Sean
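As an added illustration of the ifstated approach Sean describes (this is not configuration from the thread or from either poster), an ifstated.conf for the backup firewall that watches the CARP link state and runs a script on each transition. The interface name carp0, the script path /usr/local/sbin/carp-ipsec.sh and its master/backup arguments are assumptions; the script itself is hypothetical and would hold the actual teardown commands.

```conf
# Added example, not from the thread. Interface name, script path and
# script arguments are assumptions; the script is hypothetical.
init-state auto

# carp0 is assumed to be the CARP interface the IPsec tunnel is bound to.
carp_up = "carp0.link.up"

state auto {
	if $carp_up
		set-state master
	if ! $carp_up
		set-state backup
}

state master {
	init {
		# This host now owns the shared CARP address; the hypothetical
		# script would (re)start the IKE daemon so a fresh SA is negotiated.
		run "/usr/local/sbin/carp-ipsec.sh master"
	}
	if ! $carp_up
		set-state backup
}

state backup {
	init {
		# The master has returned: tear down this host's tunnel state (for
		# example by flushing SAs and flows with ipsecctl -F inside the
		# script) so the master can negotiate a new tunnel without a stale
		# SA still registered against the shared address.
		run "/usr/local/sbin/carp-ipsec.sh backup"
	}
	if $carp_up
		set-state master
}
```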
Dave Mangot wrote:
We are thinking of running an IPSEC tunnel over a
CARP interface.
I know that with firewalling the two machines exchange
state tables with pfsync so that everything looks seamless.
With an IPSEC tunnel, I'm guessing each machine would
have to negotiate a key exchange with the remote VPN
machine. T