List: keepalived-devel
Subject: Re: [Keepalived-devel] Freeswan IPSec does not start on VIP, but on the RIP
From: ken <lists () nettwrek ! com>
Date: 2004-04-22 18:19:10
Message-ID: 1082657950.40880c9e16c22 () email ! nettwrek ! com
Sorry for the late join on this thread (I only check this list about once every
other week or so), but I've been using solution #3 with super-freeswan for
about 18 months now with no problems.
In your freeswan config, make sure you have the interface defined:
-------------------------
## /etc/ipsec.conf
#
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces="ipsec0=vlan65:0"
-------------------------
/etc/keepalived/vpn_start
-------------------------
#!/bin/sh
#
# notify_master hook: bring up the VIP alias, announce it, then start IPsec.
# give keepalived a moment to finish its own VIP transition
sleep 2
# add the VIP as a labelled alias so FreeS/WAN can bind to vlan65:0
ip addr add 10.0.0.5/24 brd 10.0.0.255 dev vlan65 label vlan65:0
# gratuitous ARP so neighbours learn the new MAC for the VIP
/usr/local/bin/garp -i vlan65 -a 10.0.0.5 -n 3
modprobe ipsec_aes
modprobe ipsec_sha2
sleep 1
/etc/rc.d/init.d/ipsec start
-------------------------
/etc/keepalived/vpn_stop
-------------------------
#!/bin/sh
#
# notify_backup / notify_fault hook: stop IPsec, then drop the VIP alias.
/etc/rc.d/init.d/ipsec stop
ip addr del 10.0.0.5/24 brd 10.0.0.255 dev vlan65 label vlan65:0
rmmod ipsec_aes
rmmod ipsec_sha2
-------------------------
It's that easy.
-Ken
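The two scripts above run their ip and ipsec commands unconditionally, so a repeated MASTER transition fails on the second "ip addr add". As an added example (not a script from this thread, nor keepalived or FreeS/WAN project code), here is one way to fold both hooks into a single notify script with idempotent checks. The address, device, label, garp path and init script are the ones Ken's scripts use; the script path /etc/keepalived/vpn_notify, the keepalived.conf wiring in the header comment, and the DRY_RUN / VIP_PRESENT variables (which let the logic be exercised offline without root or a vlan65 interface) are assumptions of this example.

```shell
#!/bin/sh
# Single keepalived notify hook for the FreeS/WAN VIP (added example; not the
# scripts from this thread, nor keepalived or FreeS/WAN project code).
# Address, device, label, garp path and init script are taken from Ken's
# scripts; the script path and the DRY_RUN / VIP_PRESENT knobs are assumed.
#
# Assumed keepalived.conf wiring (inside the vrrp_instance block):
#   notify_master "/etc/keepalived/vpn_notify master"
#   notify_backup "/etc/keepalived/vpn_notify backup"
#   notify_fault  "/etc/keepalived/vpn_notify fault"

VIP="10.0.0.5/24"
BRD="10.0.0.255"
DEV="vlan65"
LABEL="vlan65:0"
IPSEC_INIT="/etc/rc.d/init.d/ipsec"
GARP="/usr/local/bin/garp"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: print commands instead of running them

# run CMD ARGS...: execute the command, or echo it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vip_present: true when the VIP is already configured on DEV. In dry-run
# mode VIP_PRESENT=1 stands in for that state so the logic runs offline.
vip_present() {
    if [ "$DRY_RUN" = "1" ]; then
        [ "${VIP_PRESENT:-0}" = "1" ]
    else
        ip -o addr show dev "$DEV" 2>/dev/null | grep -qF "inet $VIP"
    fi
}

# become_master: add the alias only if it is missing (a repeated MASTER
# transition must not fail on "RTNETLINK answers: File exists"), announce
# the VIP with gratuitous ARP, load the crypto modules and start IPsec.
become_master() {
    if vip_present; then
        echo "VIP $VIP already on $DEV, skipping add"
    else
        run ip addr add "$VIP" brd "$BRD" dev "$DEV" label "$LABEL"
    fi
    run "$GARP" -i "$DEV" -a "${VIP%/*}" -n 3
    run modprobe ipsec_aes
    run modprobe ipsec_sha2
    run "$IPSEC_INIT" start
}

# become_backup: stop IPsec first so no tunnel is left bound to an address
# that is about to disappear, then drop the alias only if it is there.
become_backup() {
    run "$IPSEC_INIT" stop
    if vip_present; then
        run ip addr del "$VIP" brd "$BRD" dev "$DEV" label "$LABEL"
    else
        echo "VIP $VIP not on $DEV, nothing to delete"
    fi
    run rmmod ipsec_aes
    run rmmod ipsec_sha2
}

case "${1:-}" in
    master)       become_master ;;
    backup|fault) become_backup ;;
    *)            echo "usage: $0 master|backup|fault" ;;
esac
```

Running it with DRY_RUN=1 prints the exact command sequence for either state without touching the box, which is a convenient way to review a notify hook before keepalived starts invoking it on every state change. FAULT is treated like BACKUP because the VIP must come down in both cases.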
Quoting pivert <pivert@ibelgique.com>:
> Hello !!
>
> Thanks for all these answers..
>
> So I assume there is no "good" solution, as I didn't find any parameter
> that allows specifying the IP address in Freeswan (gentoo-2.4.25).
>
> So here are some possible workarounds:
> PS: It's on the server side so the connections are just in "auto=add".
>
> 1. I had one connection by first starting ipsec, then doing "ip addr
> add x.x.x.130 dev ipsec0 scope link", with eventually "ip addr flush dev
> ipsec0" before. This worked once, then I have been unable to make it work
> again.. ?!
>
> 2. When I compiled the freeswan into the kernel (not as module), as the
> ipsec interfaces are always there, I have been able to make the "ip addr
> add x.x.x.130 dev ipsec0" before starting ipsec... and as far as I
> remember, it worked. (I have to check again this solution)
>
> 3. Use a notify_master "/usr/local/bin/becomingMaster.sh" script to
> first issue an ifconfig command such as "ifconfig eth2:0 x.x.x.130"
> before starting ipsec (ipsec.conf accepts the notation interface=eth2:0),
> and then disable the eth2:0 with a notify_backup and notify_fault script.
>
> 4. As Scott proposed, try with a 2.6 kernel.
>
> The GRE solution should work too... but only if the goal is just to have a
> numbered GRE interface. The ifconfig solution is easier for me as I have
> multiple tunnels running on this box, and would prefer not to have to
> reconfigure all of them.
>
> I think I'll try the workarounds in this order: 4, 3, 2