[Openswan Users] Virtual interfaces

[Lionel Cottin]

Dear Tuomo,

Thank you for all these tips ;-) I'll try to give them a try as soon as possible
and will let you know about the results.

It's quite funny that you answered this question because one of my first
motivation to migrate all Linux systems to RHEL is the fact that you stopped
the maintenance of RH 7.x kernels on foobar.fi !!!

One more question regarding your own setup; are you using the IPSEC stack
provided by RH or Klips ??

Regards,
Lionel

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Lionel Cottin wrote:
> > Dear OpenSwan gurus,
> >
> > I'm currently having issues with OpenSWAN on RHEL3 using RH IPSEC stack.
> > My setup is quite as follow:
> >
> > I run 2 servers configured as 1 HA cluster using hearbeat (active/passive).
> > Openswan is configured to bind on eth0:0 which the virtual managed by
> heartbeat.
>
> Your problem is here. You need not to bind to eth0:0 interface. You need
> to bind that ip to eth0 using IPaddr2 resource script with heartbeat.



> > Both the virtual and the underlying physical interfaces are on the same
> subnet.
> > Each "IPSEC Client" has 2 connections defined: one in tunnel and the other
> one
> > in transport mode.
> >
> > This setup worked like charm using RH7.3 based VPN routers and super
> freeswan
> > 1.99 . However and since I migrated them to RHEL3/Openswan2.3.1 a few day
> ago,
> > IPSEC is often "not" crashing but in a really bad state; I have to manually
> > restart some connection very often.
>
> I've not tried 2.3.1 but ipsec works ok with 2.4.0dr3 on my systems.
> with rhel-3 based kernel.
>
> >>From what I've seen till now, it seems that the error comes from pluto not
> being
> > able to properly handle virtual IPs like eth0:0.
> >
> > When starting IPSEC connections I get error messages like:
> > "XXXX": unroute-host output: /usr/lib/ipsec/_updown: doroute `ip route
> delete
> > x.x.x.x/32 via x.x.x.x dev eth0:0 ' failed (Cannot find device "eth0:0")
>
> Exactly. Fix is to change ${PLUTO_INTERFACE}  in _updown script to
> ${PLUTO_INTERFACE%:*} or change to bind virtual ip to to eth0 with
> IPaddr2 resource script of heartbeat-1.2.x Using IPsrcaddr might be
> required too.
>
> But another problem is that you need to do dynamic firewalling. I've
> done that by using shorewall firewall and _updown script which is
> managing shorewall dynamic rules.
>
>
> - --
> Tuomo Soini <tis at foobar.fi>
> Linux and network services
> +358 40 5240030
> Foobar Oy <http://foobar.fi/>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFC3VQQTlrZKzwul1ERAmuhAJwIosBTaimPxAvGbmIUmf592nUwEACgiEhm
> MJeF+YYF5tGQw3Ffafnv21I=
> =6l8A
> -----END PGP SIGNATURE-----
>


--
Lionel Cottin
mailto:cottin at free.fr