AW: [Openswan Users] Openswan and Checkpoint AI (R54) with
Axel.Westerhold at dts.de
Mon Apr 19 12:43:31 CEST 2004
Thanks for the quick answer.
The problem looks like asymmetrical IPsec routing simply because this is not a failover solution but a loadbalancing solution. That's why I can define a VPN Gateway on Checkpoint and Cisco with more then one IP address. That way I can define gateway = VIP,node1,node2. I was wondering if this is possible using freeswan.
DTS Systeme GmbH
Datacenter - IT Security Team
Tel: (+49) 5221 101 1035
Fax: (+49) 5221 101 3001
Cell: (+49) 171 9754 756
Von: Ken Bantoft [mailto:ken at xelerance.com]
Gesendet: Montag, 19. April 2004 13:04
An: Westerhold, Axel
Cc: users at lists.openswan.org
Betreff: Re: [Openswan Users] Openswan and Checkpoint AI (R54) with RainwallCluster Software
-----BEGIN PGP SIGNED MESSAGE-----
On Mon, 19 Apr 2004, Westerhold, Axel wrote:
> I am running into problems connecting Freeswan/Openswan VPN Gateways to
> various Checkpoint/Rainwall Cluster Systems.
> The problems occurs because I haven't been able to identify any item
> within the Openswan config to define multiple IP's for the 'right='
> gateway. This will kill proper communication with Checkpoitn workload
> balancing clusters because a node will answer with an IP different then
> the Virtual IP assigned to the cluster. Many other IPSEC implementations
> (Cisco, Checkpoint etc) allow me to define the cluster node IP in
> addition to the virtual IP. As said I way unable to find this within
> Anyone able to help ?
I've done CP interop for a few years, but not with clusters. Try defining
the virtual IP as rightsubnet=22.214.171.124/32. But I'm not sure what 'a node
will answer with an IP different then the Virtual IP assigned to the
cluster' means - it sounds like its asymmetrical IPsec routing.
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
The future is here. It's just not evenly distributed yet.
-- William Gibson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the Users