VPN Failover

Previous thread: Re: sendmail STARTTLS by GVG GVG on Thursday, July 10, 2008 - 6:36 am. (1 message)

Next thread: note for faq, maybe by Marc Balmer on Thursday, July 10, 2008 - 6:55 am. (2 messages)
From: mail-lists
Subject: VPN Failover
Date: Thursday, July 10, 2008 - 6:36 am

Hello List,

I'm having some issues with IPSec VPN tunnels.

Here is what I'm trying to do:

    I have a VPN 'server' with 2 internet connections (IP1, IP2).

    I have several remote locations which connect to the VPN server.

    When IP1 goes down on the VPN server I want the remote locations to
    negotiate the tunnel with IP2.

What is the best way to accomplish this? I have tried a couple of 
different things, none successful.


My ipsec.conf on the server looks like this:

    # Remote Location 1
    ike passive esp from 10.110.39.0/24 to 10.115.10.0 peer <REMOTELOCATION1> main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk "psk"

    # Remote Location 2
    ike passive esp from 10.110.39.0/24 to 10.115.20.0 peer <REMOTELOCATION2> main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk "psk"

My ipsec.conf on one of the remote location machines looks like this:

    # Main Office
    ike esp from 10.115.20.0 to 10.110.39.0/24 peer <MAIN-OFFICE-IP1> main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk "psk"

    # Main Office Backup
    ike esp from 10.115.20.0 to 10.110.39.0/24 peer <MAIN-OFFICE-IP2> main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des group none psk "psk"


This doesn't work. When I comment out the 'Backup' tunnel on the remote 
location machine the IP1 tunnel comes up just fine. When I try 
un-commenting it neither of the tunnels comes up. I'm pretty sure that 
this is not SUPPOSED to work as the subnets are the same for both 
tunnels. I have played around with the various "ike [mode]" parameters, 
substituting dynamic, passive, etc. in every possible combination.

I have configured isakmpd to listen on both interfaces on the main 
office ...
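One way to get the failover the post asks for, as an added example that is not part of the original message or a reply to it: rather than listing two "ike ... peer" rules with identical from/to selectors on the remote side (which, as the poster observed, leaves neither tunnel up), keep one ipsec.conf per main-office address and have a small cron-driven script load only the file whose peer currently answers. The server side keeps its posted "ike passive" rules unchanged, since the remote's identity is the same whichever server address it connects to. The file names, the 192.0.2.1 / 198.51.100.1 stand-ins for <MAIN-OFFICE-IP1>/<MAIN-OFFICE-IP2>, the state-file path and the use of ICMP as the liveness probe are all assumptions of this example; the ipsecctl -F / ipsecctl -f commands are the standard OpenBSD tools, but note that -F flushes every SA and flow on the host, not just this tunnel.

```shell
#!/bin/sh
# Added example, not from the original post: remote-office IPsec failover
# between two main-office addresses. Each ipsec.conf below is assumed to
# hold exactly one of the poster's "ike esp from ... peer <MAIN-OFFICE-IPn>"
# rules, so only one peer is ever configured at a time.

PRIMARY_PEER="${PRIMARY_PEER:-192.0.2.1}"        # <MAIN-OFFICE-IP1>, assumed
BACKUP_PEER="${BACKUP_PEER:-198.51.100.1}"       # <MAIN-OFFICE-IP2>, assumed
PRIMARY_CONF="${PRIMARY_CONF:-/etc/ipsec.conf.primary}"   # assumed path
BACKUP_CONF="${BACKUP_CONF:-/etc/ipsec.conf.backup}"      # assumed path
STATE_FILE="${STATE_FILE:-/var/run/vpn-failover.state}"   # assumed path

# Liveness probe: one ICMP echo, two-second wait. Assumes the main office
# answers ping on its public addresses; replace with a TCP/IKE probe if not.
probe_peer() {
    ping -c 1 -w 2 "$1" >/dev/null 2>&1
}

# Decide which peer should own the tunnel. Prefer the primary and fall back
# to the backup only while the primary is unreachable. Prints one of
# "primary", "backup" or "none".
select_peer() {
    if probe_peer "$PRIMARY_PEER"; then
        echo primary
    elif probe_peer "$BACKUP_PEER"; then
        echo backup
    else
        echo none
    fi
}

# Map a selection to the ipsec.conf that carries that peer's single rule.
config_for() {
    case "$1" in
        primary) echo "$PRIMARY_CONF" ;;
        backup)  echo "$BACKUP_CONF" ;;
        *)       echo "" ;;
    esac
}

# Reload only when the selection changes, so a per-minute cron run does not
# tear down a healthy tunnel. ipsecctl -F flushes the SPD/SAD and isakmpd's
# loaded rules on this host; ipsecctl -f then loads the chosen file.
apply_failover() {
    want="$(select_peer)"
    conf="$(config_for "$want")"
    have="$(cat "$STATE_FILE" 2>/dev/null || echo none)"

    if [ -z "$conf" ]; then
        echo "vpn-failover: no main-office address reachable" >&2
        return 1
    fi
    [ "$want" = "$have" ] && return 0

    ipsecctl -F && ipsecctl -f "$conf" || return 1
    echo "$want" > "$STATE_FILE"
    logger -t vpn-failover "switched IPsec peer to $want ($conf)"
}

# Install as /usr/local/sbin/vpn-failover and run from root's crontab, e.g.
#   * * * * * /usr/local/sbin/vpn-failover
# The guard below only runs the switch when executed under that name, so the
# functions can also be sourced for testing without side effects.
case "${0##*/}" in
    vpn-failover) apply_failover ;;
esac
```

After a switch, "ipsecctl -sa" on the remote should show flows and SAs toward only the selected peer; if both appear, the two rules were loaded together and the conflict from the post is back. Because the server's rules are passive, the remote always initiates, which is what makes a remote-side script sufficient.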