AW: [Openswan Users] Openswan and Checkpoint AI (R54) with RainwallCluster Software

Westerhold, Axel Axel.Westerhold at dts.de
Mon Apr 19 12:43:31 CEST 2004


Thanks for the quick answer.

The problem looks like asymmetrical IPsec routing simply because this is not a failover solution but a load-balancing solution. That's why I can define a VPN Gateway on Checkpoint and Cisco with more than one IP address. That way I can define gateway = VIP,node1,node2. I was wondering if this is possible using freeswan.

Axel Westerhold
DTS Systeme GmbH
Datacenter - IT Security Team
Schrewestr. 4-8
Tel: (+49) 5221 101 1035
Fax: (+49) 5221 101 3001
Cell: (+49) 171 9754 756
PK: 1EF597FA

-----Original Message-----
From: Ken Bantoft [mailto:ken at xelerance.com]
Sent: Monday, 19 April 2004 13:04
To: Westerhold, Axel
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Openswan and Checkpoint AI (R54) with RainwallCluster Software

On Mon, 19 Apr 2004, Westerhold, Axel wrote:

> Hi,
> 
> I am running into problems connecting Freeswan/Openswan VPN Gateways to
> various Checkpoint/Rainwall Cluster Systems.
> 
> The problem occurs because I haven't been able to identify any item
> within the Openswan config to define multiple IPs for the 'right='
> gateway. This will kill proper communication with Checkpoint workload
> balancing clusters because a node will answer with an IP different than
> the Virtual IP assigned to the cluster. Many other IPSEC implementations
> (Cisco, Checkpoint etc) allow me to define the cluster node IP in
> addition to the virtual IP. As said, I was unable to find this within
> Openswan.
> 
> Anyone able to help?

I've done CP interop for a few years, but not with clusters.  Try defining
the virtual IP as rightsubnet=1.2.3.4/32.  But I'm not sure what 'a node
will answer with an IP different than the Virtual IP assigned to the
cluster' means - it sounds like it's asymmetrical IPsec routing.



--
Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson
