Ah, piffle - looks like that bug was fixed after VC3 was released.  You need
to correct /opt/vyatta/sbin/vpn-config.pl. You can get the corrected
version from
http://suva.vyatta.com/git/?p=ofr.git;a=blob_plain;f=cli/scripts/vpn/vpn-config.pl;hb=HEAD
or you can just comment out the check, if you're comfortable with Perl.

Best,
Justin

On 12/12/07, Senad Uka <[EMAIL PROTECTED]> wrote:
> Now we have found the right one and again we have the same problem.
>
> I configured the router EXACTLY as it is written in the manual,
> clustering chapter :)
> But still, even if the cluster is up and running and I can ping the
> cluster IP addresses,
> it doesn't let me set local ip on the ipsec peer configuration to the
> cluster ip address, complaining that ip address is not address of the
> interface or cluster address ... I have attached the configuration of
> the first router.
> Currently I set the local-ip to the physical interface's IP so I can
> commit and save the config ...
> Also I didn't set up the second monitor node but as I understand, that
> should not be the problem.
> Configuration of second router is identical with respective interface
> ip addresses changed (and has the same problem with local-ip) ...
>
> On Dec 11, 2007 5:25 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> > Certainly.  Let me know if you need more information (though there's a new
> > clustering chapter in the documentation for this :-) )
> >
> > Best,
> > Justin
> >
> >
> > On Dec 11, 2007 8:22 AM, Senad Uka <[EMAIL PROTECTED]> wrote:
> > > Thank you for the quick answer.
> > >
> > >
> > > On Dec 11, 2007 5:11 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> > > > It is; clustering support was added recently exactly for scenarios
> > > > such as this.
> > > > You'll need to set up WEST and WEST backup as cluster members, define
> > > > the IP addresses, and set up IPSec as the failover service.  This will
> > > > actually be using clustering instead of VRRP for your virtual address
> > > > failover.
> > > >
> > > > Best,
> > > > Justin
> > > >
> > > >
> > > > On Dec 11, 2007 6:28 AM, Senad Uka <[EMAIL PROTECTED]> wrote:
> > > > > Hello.
> > > > >
> > > > > > I am trying to set up a network similar to the one in the configuration
> > > > > manual under pre-shared key IPSEC VPN settings section, but adding a
> > > > > VRRP backup router to the router named WEST in the manual (page 231).
> > > > >
> > > > >                | SERVER |
> > > > >              192.168.40.7/24
> > > > >                        |
> > > > >                        |
> > > > >                        *  (virtual IP: 192.168.40.20)
> > > > >                     /      \
> > > > >                   /          \
> > > > >                 /              \
> > > > > 192.168.40.6/24      192.168.40.5/24
> > > > >      | WEST |              | WEST backup |
> > > > >   192.0.2.2/26         192.168.0.2.3/26
> > > > >                \                /
> > > > >                  \             /
> > > > >                    \         /
> > > > >                      \     /
> > > > >                         *  (virtual IP: 192.0.2.1)
> > > > >                         |
> > > > >                         |
> > > > >                         |
> > > > >                192.0.2.33/26
> > > > >                   | EAST |
> > > > >                192.168.60.8/24
> > > > >                        |
> > > > >                        |
> > > > >              192.168.60.7/24
> > > > >                 | CLIENT |
> > > > >
> > > > > > Client communicates with server through IPSEC tunnel between EAST and
> > > > > > WEST routers. If the WEST router goes down WEST backup should take
> > > > > > over.
> > > > > > I have set up the routers according to manual and it worked. When I
> > > > > > set up VRRP on the WEST, and set the ipsec peer on the EAST to the
> > > > > > virtual IP - the tunnel cannot be established.
> > > > > > From the debug data for the ipsec I can see that the EAST is expecting
> > > > > > a tunnel 192.68.60/24===192.0.2.33...192.0.2.1===192.168.40.0/24 ,
> > > > > > while the WEST doesn't use its virtual address and expects
> > > > > > 192.168.40.0/24 ===192.0.2.2...192.0.2.33===192.68.60/24 so it cannot
> > > > > > finish the phase 2 negotiation ...
> > > > > > In order to solve it, I tried to set up the local-ip in ipsec
> > > > > > configuration on the WEST side to virtual IP address (192.0.2.1) but I
> > > > > > cannot commit the changes since vyatta does not recognize it as
> > > > > > address of an interface
> > > > > (Message: Local IP specified for peer "192.0.2.33" has not been
> > > > > configured in any of the ipsec interfaces or clustering.)
> > > > >
> > > > > > Is my requested behaviour even possible to achieve?  Am I missing
> > > > > > something?
> > > > > --
> > > > > LA ILAHE ILLA ENTE, SUBHANEKE INNI KUNTU MINE-ZZALIMIN
> > > > > _______________________________________________
> > > > > Vyatta-users mailing list
> > > > > Vyatta-users@mailman.vyatta.com
> > > > > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > >
> > > LA ILAHE ILLA ENTE, SUBHANEKE INNI KUNTU MINE-ZZALIMIN
> > >
> >
>
>
>
> --
> LA ILAHE ILLA ENTE, SUBHANEKE INNI KUNTU MINE-ZZALIMIN
>
>
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
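
Added example, not part of the original thread and not Vyatta's code: a small Python check that parses the two connection descriptors quoted from the IPsec debug output and reports where one gateway's view fails to mirror the other's, which is why phase 2 cannot complete. The function names are hypothetical, and `WEST_VIP` is a constructed descriptor showing WEST's view once its local-ip is the virtual address.

```python
import re
from typing import NamedTuple

# Notation used in the debug output quoted in the thread:
#   local_subnet===local_ip...remote_ip===remote_subnet
CONN_RE = re.compile(
    r"^\s*(?P<lsub>\S+?)\s*===\s*(?P<lip>\d+(?:\.\d+){3})\s*\.\.\.\s*"
    r"(?P<rip>\d+(?:\.\d+){3})\s*===\s*(?P<rsub>\S+?)\s*$"
)

class Conn(NamedTuple):
    local_subnet: str
    local_ip: str
    remote_ip: str
    remote_subnet: str

def parse_conn(text):
    """Parse one descriptor; subnets are kept as opaque strings."""
    m = CONN_RE.match(text)
    if m is None:
        raise ValueError(f"not a connection descriptor: {text!r}")
    return Conn(m["lsub"], m["lip"], m["rip"], m["rsub"])

def mirror_mismatches(a, b):
    """Fields where gateway a's view is not the mirror image of gateway b's."""
    expected = Conn(b.remote_subnet, b.remote_ip, b.local_ip, b.local_subnet)
    return [(f, getattr(a, f), getattr(expected, f))
            for f in Conn._fields if getattr(a, f) != getattr(expected, f)]

# Descriptors copied verbatim from the thread (subnets are not validated).
EAST = parse_conn("192.68.60/24===192.0.2.33...192.0.2.1===192.168.40.0/24")
WEST = parse_conn("192.168.40.0/24 ===192.0.2.2...192.0.2.33===192.68.60/24")
# Constructed: WEST's view once its local-ip is the virtual address.
WEST_VIP = parse_conn("192.168.40.0/24===192.0.2.1...192.0.2.33===192.68.60/24")

if __name__ == "__main__":
    for name, west in (("as posted", WEST), ("local-ip = VIP", WEST_VIP)):
        diffs = mirror_mismatches(EAST, west)
        print(name, "->", diffs or "views mirror each other")
```

Each reported tuple is (field, value in the first gateway's view, value the second gateway's view implies).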
