Ok that setup is similar to what I have and I do have carp interfaces on
both sides of the firewall. I was able to configure sasynd but when running
netstat -rnf encap was not able to see any of the flows on the slave
machine, but then I realized or thought that it was because the ISAKMPD
session was not established on the slave machine.

If your trying to establish the ISAKMPD session from the slave box which
does not have control of the active carp interface, how is the ISAKMPD/IPSEC
connection established? Doesn't it need to be established for sasynd to know
about the SA's? or upon failover does the session then get established on
the fly? Do you use isakmpd.conf or ipsec.conf to control your flows?

Thanks.

On 5/2/07, Dag Richards <dagrichards@speakeasy.net> wrote:
quoted text
>
> askthelist@gmail.com wrote:
> > I have a redundant firewall setup with carp interfaces on both sides of
> the
> > firewall. I have a mirror of this setup in a 2nd location. Now im a
> little
> > confused on how to set up the VPN. Do I use 1) the physical interfaces
> > between the peers or 2) do I use the carp interface as the peers or 3)do
> I
> > use both the physical and carp interfaces as the peers.
> >
> > When trying to setup sasyncd in this sort of enviornment I cant get the
> > slave firewall to establish an IKE session because of the ips of the
> peers.
> > Can anyone give me any insight into this?
> >
>
> What I have been doing is setting up the VPNs between the sites using
> the carp addrs.  sasync follows the state of the carp interface so you
> should get
>
>
>
>       box a -                           - box y-
>             \                          /        \
>             carp 0 -------vpn----carp 0          carp1 --internal nets
>              /                         \        /
>       box c -                           - box z-
>
> a netstat -rnf encap run on a and c should look the same
> and y and z should as well. Packets will only be forwarded down the
> tunnel by the machine who is carp master of either end. You will
> probably want to have internal carp ifaces as well, as seen on boxes y
> and z.