[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: VPN and CARP?

I've been thinking about this as well. Perhaps one way to deal with the master returning online is with ifstated: the backup could run a script after a CARP change, tearing down the existing tunnel and allowing the master firewall to establish a new IPSec tunnel.


Dave Mangot wrote:
We are thinking of running an IPSEC tunnel over a
CARP interface.

I know that with firewalling the two machines exchange
state tables with pfsync so that everything looks seamless.

With an IPSEC tunnel, I'm guessing each machine would
have to negotiate a key exchange with the remote VPN
machine.  The backup would initiate a new negotiation
if the master went down and the tunnel would come
back up.  If the master came back up, I guess that could
be sketchy.  Am I right?

Are we nuts? Will this work? Has anyone done it?

Proposed arch:

    -----------                              |  FW A        |   | Remote    |                             | --------------
   | VPN       |-------IPSEC tunnel-------   carp0
   |           |                             |    -----------                               --------------
                                             | FW B        |                                              --------------