[Openswan Users] Virtual interfaces
Tuomo Soini
tis at foobar.fi
Tue Jul 19 23:27:12 CEST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Lionel Cottin wrote:
> Dear OpenSwan gurus,
>
> I'm currently having issues with OpenSWAN on RHEL3 using RH IPSEC stack.
> My setup is quite as follow:
>
> I run 2 servers configured as 1 HA cluster using hearbeat (active/passive).
> Openswan is configured to bind on eth0:0 which the virtual managed by heartbeat.
Your problem is here. You need not to bind to eth0:0 interface. You need
to bind that ip to eth0 using IPaddr2 resource script with heartbeat.
> Both the virtual and the underlying physical interfaces are on the same subnet.
> Each "IPSEC Client" has 2 connections defined: one in tunnel and the other one
> in transport mode.
>
> This setup worked like charm using RH7.3 based VPN routers and super freeswan
> 1.99 . However and since I migrated them to RHEL3/Openswan2.3.1 a few day ago,
> IPSEC is often "not" crashing but in a really bad state; I have to manually
> restart some connection very often.
I've not tried 2.3.1 but ipsec works ok with 2.4.0dr3 on my systems.
with rhel-3 based kernel.
>>From what I've seen till now, it seems that the error comes from pluto not being
> able to properly handle virtual IPs like eth0:0.
>
> When starting IPSEC connections I get error messages like:
> "XXXX": unroute-host output: /usr/lib/ipsec/_updown: doroute `ip route delete
> x.x.x.x/32 via x.x.x.x dev eth0:0 ' failed (Cannot find device "eth0:0")
Exactly. Fix is to change ${PLUTO_INTERFACE} in _updown script to
${PLUTO_INTERFACE%:*} or change to bind virtual ip to to eth0 with
IPaddr2 resource script of heartbeat-1.2.x Using IPsrcaddr might be
required too.
But another problem is that you need to do dynamic firewalling. I've
done that by using shorewall firewall and _updown script which is
managing shorewall dynamic rules.
- --
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFC3VQQTlrZKzwul1ERAmuhAJwIosBTaimPxAvGbmIUmf592nUwEACgiEhm
MJeF+YYF5tGQw3Ffafnv21I=
=6l8A
-----END PGP SIGNATURE-----
More information about the Users
mailing list