[Openswan Users] 2x openswan + heartbeat + cisco ASA

Piotr piotr.1234 at interia.pl
Sun Mar 15 03:47:28 EDT 2009


Hi All

I use heartbeat for active/backup failover. I have a virtual IP on my LAN 
and WAN interfaces.

node01 IPaddr::[WAN_ip_vitual]/24/eth0/
node01 IPaddr::[LAN_ip_virtual]/26/eth1/ dhcpd ipsec

The problem is that the tunnel is unstable. Sometimes I can't initialize 
the tunnel from the LAN side. I must restart the tunnel a few times. Tcpdump sees 
the packets, but iptables doesn't see the packets which should go through the tunnel:

I have only these rules (iptables -L -t nat -v):
0     0 RETURN     all  --  any    any   [lan_ip] [remote lan ip]
0     0 SNAT       all  --  any    any   [lan_ip] [internet]to:WAN ip


This is my config:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
         klipsdebug=none
         plutodebug=none
         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
         protostack=netkey
         interfaces=%defaultroute

conn %default
         keyingtries=0
         disablearrivalcheck=no
         authby=secret
         auto=start
         keyingtries=3
         auto=start
         keyexchange=ike
         pfs=no


conn 01
         left=wan_virt_ip
         leftsubnet=LAN/26
         leftnexthop=isp_gw
         leftsourceip=lan_virt_ip
         right=remote_cisco_ip
         rightsubnet=remote_lan/24
         rightnexthop=remote_isp_gw


When I disable heartbeat and use only the real addresses, everything works 
stably. Does someone know where the problem is? Thank you in advance for any 
clue.

best regards
Piotr
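As an added example (not Piotr's code and not part of openswan), a small Python lint that parses an ipsec.conf like the one above, flags keys set twice in one section (the posted conn %default sets keyingtries and auto twice, so it is ambiguous which value pluto applies), and checks that leftsourceip falls inside leftsubnet, which a heartbeat virtual LAN address must do. The addresses in SAMPLE_CONF are constructed placeholders.

```python
"""Lint an ipsec.conf for keys set twice in one section and a leftsourceip outside leftsubnet."""
import ipaddress
from collections import defaultdict

# Constructed sample mirroring the posted config; all addresses are placeholders.
SAMPLE_CONF = """\
version 2.0
config setup
         protostack=netkey
         interfaces=%defaultroute
conn %default
         keyingtries=0
         authby=secret
         auto=start
         keyingtries=3
         auto=start
conn 01
         left=198.51.100.10
         leftsubnet=192.0.2.64/26
         leftsourceip=192.0.2.70
         right=203.0.113.5
         rightsubnet=10.9.0.0/24
"""

def parse_ipsec_conf(text):
    """Return {section: {key: [values]}}; values stay a list so duplicates survive."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # unindented: 'config setup', 'conn NAME', 'version'
            parts = line.split()
            current = f"{parts[0]} {parts[1]}" if parts[0] in ("config", "conn") else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][key].append(value)
    return sections

def find_duplicate_keys(sections):
    """List (section, key, values) for every key assigned more than once."""
    return [(s, k, v) for s, kv in sections.items() for k, v in kv.items() if len(v) > 1]

def check_sourceip_in_subnet(sections, conn):
    """True if the conn's leftsourceip (last value taken) lies inside its leftsubnet."""
    kv = sections[f"conn {conn}"]
    subnet = ipaddress.ip_network(kv["leftsubnet"][-1], strict=False)
    return ipaddress.ip_address(kv["leftsourceip"][-1]) in subnet
```

Run it against the real file with `parse_ipsec_conf(open("/etc/ipsec.conf").read())` to list the duplicates before the next failover test.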
