[KLUG Members] Routers, VRRP, and VPNs
Adam Bultman
members@kalamazoolinux.org
Fri, 07 May 2004 10:54:28 -0400
Good morning, everyone.
I have a router/VPN question for you all.
I have two linux routers. Using VRRP, they balance a third IP that is
the default incoming/outgoing IP address. I've tested failover, and
they both correctly fail over, assuming the VRRP daemon is running.
Things get tricky when I introduce VPNs. Each router has a 'real'
address, and then they share the VRRP address. Unfortunately, you can't
have VPNs on VRRP addresses, so they are currently tied to one router
(this was the 'only' router in the past).
I'm going to be contacting each client asking them to add the secondary
router's hard IP address to their VPN setup so that I can 'fail them
over' in the case of a primary router failure.
However, my question is, what kind of adverse effects will we get when
the router on the other end is configured for another VPN on the same
network? I tried to do this once already with a customer with, I believe,
a Cisco 1710 or 1720. When we brought up the VPN on the second router,
it pretty much wiped out its ability to pass traffic. From our end,
FreeS/WAN would say the VPN was connected, but it wouldn't stay up on
their end. Bringing up the second VPN effectively borked the configs so
that it couldn't connect to EITHER router, and it had to be cleared and
manually re-inputted in order to bring the VPNs back up.
For the most part, I believe I am connecting to Cisco routers, and I'd
really like to have them all able to connect to my secondary router. Am
I going to be in for many headaches with this? Is what I want even
possible? Or could I solve this with routing on my two linux routers on
my end? Could I source-route my packets for VPN traffic on the secondary
router so it *appears* to be coming from it?
Any ideas would be nice, any at all!
Adam
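An added example, not part of Adam's post or of FreeS/WAN: a VRRP notify hook that brings the FreeS/WAN connections up only on the router that currently holds the shared address and tears them down on the other, so the remote peer only ever sees one active tunnel for the protected network. The post does not name its VRRP daemon; keepalived's notify convention (TYPE NAME STATE PRIORITY, with states MASTER/BACKUP/FAULT) is assumed, as are the connection names client-a/client-b and the ipsec binary path.

```shell
#!/bin/sh
# Assumed keepalived notify hook (not from the original post).
# Invoked by keepalived as: notify_ipsec.sh <TYPE> <NAME> <STATE> [PRIORITY]
# Idea: the FreeS/WAN tunnels are bound to each router's real address, so
# only the router that has just become VRRP MASTER should have them up.

# ipsec.conf connection names that follow VRRP state (assumed names).
CONNS="${CONNS:-client-a client-b}"
# FreeS/WAN control binary; overridable (e.g. IPSEC=echo) for a dry run.
IPSEC="${IPSEC:-/usr/sbin/ipsec}"

# Map a VRRP state to the FreeS/WAN action: MASTER -> up, otherwise down.
action_for_state() {
    case "$1" in
        MASTER) echo up ;;
        BACKUP|FAULT|STOP) echo down ;;
        *) echo unknown ;;
    esac
}

# Apply that action to every connection; fails on an unrecognised state
# rather than guessing, so a typo in the keepalived config is visible.
apply_state() {
    state="$1"
    act=$(action_for_state "$state")
    if [ "$act" = unknown ]; then
        echo "notify_ipsec: unknown VRRP state '$state'" >&2
        return 1
    fi
    for c in $CONNS; do
        "$IPSEC" auto --"$act" "$c"
    done
}

# Run only when invoked by keepalived with its positional arguments;
# sourcing the file for testing leaves the functions defined but idle.
if [ $# -ge 3 ]; then
    apply_state "$3"
fi
```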