
[Users] releasing old connection to free the route

From: Andreas Stelzl (astelzl_at_avitech.de)
Date: Tue Jul 16 2002 - 20:17:15 CEST


Hello all!

I have got the following configuration (simplified):
Two gateways (gw2, gw3) establish a connection to another gateway (gw1).
gw2 and gw3 each have a different subnet behind them. But if, for example, gw2
fails, gw3 takes over the subnet of gw2. So a separate connection has to
be started at gw3, which defines that it now routes the messages to the
subnet of gw2. Additionally it continues routing messages to its own subnet.

To test this scenario, I started ipsec on gw1 and thereafter on gw2 and
gw3. Thereafter I added the connection of gw2's subnet on gw2 and the
connection of gw3's subnet on gw3.
Now gw1 has two tunnels, one to gw2 and one to gw3. gw2 and gw3 each have
a tunnel to gw1.
To simulate the switchover, I just added the connection (which
specifies that gw3 routes messages to the subnet of gw2) to gw2's subnet at
gw3. gw1 immediately has two tunnels to gw3, one to gw3's subnet and
one to gw2's subnet.
But if I now want to simulate that gw3 fails and gw2 routes all
messages, it doesn't work.

In short, gw3 can always fetch both tunnels, but gw2 can only fetch both
tunnels when I do an ipsec auto --down of all connections.

For a working switchover I get the following message in /var/log/messages:
Jul 16 17:24:47 gw1 Pluto[4207]: "gw.gs-scc2" #28: route to peer's
client conflicts with "gw.hk-scc1" 192.168.189.3; releasing old
connection to free the route
and this for a non-working switchover:
Jul 16 17:25:33 gw1 Pluto[4207]: packet from 192.168.189.3:500: Quick
Mode message is for a non-existent (expired?) ISAKMP SA

Can anybody help me? I would be very thankful.

Andreas

PS: I'm using freeS/WAN 1.91 with x509 patch (0.9.5)

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users


