I'll definitely take you up on that, given the opportunity!

Justin

On Dec 13, 2007 2:24 AM, Senad Uka <[EMAIL PROTECTED]> wrote:
> Thank you - it finally works :)
> If you ever come to Bosnia (small country in the heart of Europe),
> I'll buy you cevapi ;)
> http://en.wikipedia.org/wiki/%C4%86evap%C4%8Di%C4%87i
>
> 2007/12/12, Justin Fletcher <[EMAIL PROTECTED]>:
> > Ah, piffle - looks like that bug was fixed after VC3 was released. You need
> > to correct /opt/vyatta/sbin/vpn-config.pl. You can get the corrected
> > version from
> > http://suva.vyatta.com/git/?p=ofr.git;a=blob_plain;f=cli/scripts/vpn/vpn-config.pl;hb=HEAD
> > or you can just comment out the check, if you're
> > comfortable with perl.
> >
> > Best,
> > Justin
> >
> > On 12/12/07, Senad Uka <[EMAIL PROTECTED]> wrote:
> > > Now we have found the right one and again we have the same problem.
> > >
> > > I configured the router EXACTLY as it is written in the manual,
> > > clustering chapter :)
> > > But still, even if the cluster is up and running and I can ping the
> > > cluster ip addresses
> > > it doesn't let me set local ip on the ipsec peer configuration to the
> > > cluster ip address complaining that ip address is not address of the
> > > interface or cluster address ... I have attached the configuration of
> > > the first router.
> > > Currently I set the local-ip to the physical interface's ip so I can
> > > commit and save the config ...
> > > Also I didn't set up the second monitor node but as I understand, that
> > > should not be the problem.
> > > Configuration of second router is identical with respective interface
> > > ip addresses changed (and has the same problem with local-ip) ...
> > >
> > > On Dec 11, 2007 5:25 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> > > > Certainly. Let me know if you need more information (though there's a
> > > > new clustering chapter in the documentation for this :-) )
> > > >
> > > > Best,
> > > > Justin
> > > >
> > > > On Dec 11, 2007 8:22 AM, Senad Uka <[EMAIL PROTECTED]> wrote:
> > > > > Thank you for the quick answer.
> > > > >
> > > > > On Dec 11, 2007 5:11 PM, Justin Fletcher <[EMAIL PROTECTED]> wrote:
> > > > > > It is; clustering support was added recently exactly for scenarios
> > > > > > such as this.
> > > > > > You'll need to set up WEST and WEST backup as cluster members, define
> > > > > > the IP addresses, and set up IPSec as the failover service. This
> > > > > > will actually be using clustering instead of VRRP for your virtual
> > > > > > address failover.
> > > > > >
> > > > > > Best,
> > > > > > Justin
> > > > > >
> > > > > > On Dec 11, 2007 6:28 AM, Senad Uka <[EMAIL PROTECTED]> wrote:
> > > > > > > Hello.
> > > > > > >
> > > > > > > I am trying to set up a network similar to the one in the configuration
> > > > > > > manual under pre-shared key IPSEC VPN settings section, but adding a
> > > > > > > VRRP backup router to the router named WEST in the manual (page 231).
> > > > > > >
> > > > > > >                   | SERVER |
> > > > > > >                 192.168.40.7/24
> > > > > > >                        |
> > > > > > >                        |
> > > > > > >                        * (virtual IP: 192.168.40.20)
> > > > > > >                       / \
> > > > > > >                      /   \
> > > > > > >                     /     \
> > > > > > >       192.168.40.6/24     192.168.40.5/24
> > > > > > >          | WEST |          | WEST backup |
> > > > > > >        192.0.2.2/26       192.168.0.2.3/26
> > > > > > >                   \         /
> > > > > > >                    \       /
> > > > > > >                     \     /
> > > > > > >                      \   /
> > > > > > >                        * (virtual IP: 192.0.2.1)
> > > > > > >                        |
> > > > > > >                        |
> > > > > > >                        |
> > > > > > >                  192.0.2.33/26
> > > > > > >                    | EAST |
> > > > > > >                 192.168.60.8/24
> > > > > > >                        |
> > > > > > >                        |
> > > > > > >                 192.168.60.7/24
> > > > > > >                   | CLIENT |
> > > > > > >
> > > > > > > Client communicates with server through IPSEC tunnel between EAST and
> > > > > > > WEST routers. If the WEST router goes down WEST backup should take
> > > > > > > over.
> > > > > > > I have set up the routers according to manual and it worked. When I
> > > > > > > set up VRRP on the WEST, and set the ipsec peer on the EAST to the
> > > > > > > virtual IP - the tunnel cannot be established.
> > > > > > > From the debug data for the ipsec I can see that the EAST is expecting
> > > > > > > a tunnel 192.68.60/24===192.0.2.33...192.0.2.1===192.168.40.0/24 ,
> > > > > > > while the WEST doesn't use its virtual address and expects
> > > > > > > 192.168.40.0/24 ===192.0.2.2...192.0.2.33===192.68.60/24 so it cannot
> > > > > > > finish the phase 2 negotiation ...
> > > > > > > In order to solve it, I tried to set the local-ip in ipsec
> > > > > > > configuration on the WEST side to virtual IP address (192.0.2.1) but I
> > > > > > > cannot commit the changes since vyatta does not recognize it as
> > > > > > > address of an interface
> > > > > > > (Message: Local IP specified for peer "192.0.2.33" has not been
> > > > > > > configured in any of the ipsec interfaces or clustering.)
> > > > > > >
> > > > > > > Is my requested behaviour even possible to achieve? Am I missing
> > > > > > > something ?
> > > > > > > --
> > > > > > > LA ILAHE ILLA ENTE, SUBHANEKE INNI KUNTU MINE-ZZALIMIN
> > > > > > > _______________________________________________
> > > > > > > Vyatta-users mailing list
> > > > > > > Vyatta-users@mailman.vyatta.com
> > > > > > > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> > > > >
> > > > > --
> > > > > LA ILAHE ILLA ENTE, SUBHANEKE INNI KUNTU MINE-ZZALIMIN
> > >
> > > --
> > > LA ILAHE ILLA ENTE, SUBHANEKE INNI KUNTU MINE-ZZALIMIN
>
> --
> LA ILAHE ILLA ENTE, SUBHANEKE INNI KUNTU MINE-ZZALIMIN

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
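
Added example (not part of the original thread, and not Vyatta or IPsec daemon code): a small Python check that parses the two tunnel descriptions quoted in the first message and reports which field keeps the two gateways from agreeing. The net===host...host===net layout is assumed from those two strings only; the function names are hypothetical and WEST_WITH_VIRTUAL_IP is a constructed value.

```python
import re

# Assumed layout, inferred from the two strings quoted in the thread:
#   <local net>===<local host>...<remote host>===<remote net>
_CONN = re.compile(
    r"^\s*(\S+?)\s*===\s*(\S+?)\s*\.\.\.\s*(\S+?)\s*===\s*(\S+?)\s*$"
)
FIELDS = ("local_net", "local_host", "remote_host", "remote_net")

# Copied verbatim from the thread, including the stray space before "===".
EAST_VIEW = "192.68.60/24===192.0.2.33...192.0.2.1===192.168.40.0/24"
WEST_VIEW = "192.168.40.0/24 ===192.0.2.2...192.0.2.33===192.68.60/24"
# Constructed: what WEST would propose if local-ip were the virtual address.
WEST_WITH_VIRTUAL_IP = "192.168.40.0/24===192.0.2.1...192.0.2.33===192.68.60/24"


def parse_conn(text):
    """Split one tunnel description into its four fields (kept as strings)."""
    m = _CONN.match(text)
    if m is None:
        raise ValueError("not a net===host...host===net description: %r" % text)
    return dict(zip(FIELDS, m.groups()))


def mirror(conn):
    """Return the same tunnel as seen from the other gateway."""
    return {
        "local_net": conn["remote_net"],
        "local_host": conn["remote_host"],
        "remote_host": conn["local_host"],
        "remote_net": conn["local_net"],
    }


def mismatches(side_a, side_b):
    """List (field, value on side A, side B's value seen from A) that differ."""
    a = parse_conn(side_a)
    b = mirror(parse_conn(side_b))
    return [(f, a[f], b[f]) for f in FIELDS if a[f] != b[f]]


if __name__ == "__main__":
    for label, west in (("as posted", WEST_VIEW),
                        ("virtual local-ip", WEST_WITH_VIRTUAL_IP)):
        print(label, "->", mismatches(EAST_VIEW, west) or "views agree")
```

Fields are compared as plain strings, so the addresses are taken exactly as they appear in the debug output rather than being normalised.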