[KLUG Members] Routers, VRRP, and VPNs

Adam Bultman members@kalamazoolinux.org
Fri, 07 May 2004 10:54:28 -0400


Good morning, everyone.

I have a router/VPN question for you all.

I have two Linux routers. Using VRRP, they balance a third IP that is 
the default incoming/outgoing IP address. I've tested failover, and 
they both correctly fail over, assuming the VRRP daemon is running.

Things get tricky when I introduce VPNs.  Each router has a 'real' 
address, and then they share the VRRP address.  Unfortunately, you can't 
have VPNs on VRRP addresses, so they are currently tied to one router 
(this was the 'only' router in the past).

I'm going to be contacting each client asking them to add the secondary 
router's hard IP address to their VPN setup so that I can 'fail them 
over' in the case of a primary router failure.

However, my question is, what kind of adverse effects will we get when 
the router on the other end is configured for another VPN on the same 
network?  I tried to do this once already with a customer with, I believe, 
a Cisco 1710 or 1720.  When we brought up the VPN on the second router, 
it pretty much wiped out its ability to pass traffic.  From our end, 
FreeS/WAN would say the VPN was connected, but it wouldn't stay up on 
their end.  Bringing up the second VPN effectively borked the configs so 
that it couldn't connect to EITHER router, and it had to be cleared and 
manually re-inputted in order to bring the VPNs back up.

For the most part, I believe I am connecting to Cisco routers, and I'd 
really like to have them all able to connect to my secondary router.  Am 
I going to be in for many headaches with this?  Is what I want even 
possible?  Or could I solve this with routing on my two Linux routers on 
my end?  Could I source-route my packets for VPN traffic on the secondary 
router so it *appears* to be coming from it?

Any ideas would be nice, any at all!

Adam