VPN with VRRP SUPPORT



cpuo2006
2006-07-17, 01:15
Hi Team,

I would like to confirm if it is normal behaviour for VPN with VRRP support (HA).

I have two IP380s running IPSO3.8 with NG R55. The physical IP for fw1 is 198.14.120.153, the physical IP for fw2 is 198.14.120.154, and the VRRP IP is 198.14.120.155. When ISAKMP is negotiating, the VRRP IP address is used for both inbound and outbound connections; however, when IPsec is negotiating, the VRRP IP is used for inbound connections but the physical IP of the active box is used for outbound connections. Here is the tcpdump on the external interface:

17:51:23.959990 I 12.36.175.198.500 > 198.14.120.155.500: [|isakmp]

17:51:23.966668 O 198.14.120.155.500 > 12.36.175.198.500: [|isakmp]

17:51:24.281775 O 198.14.120.153 > 12.36.175.198: ESP(spi=8a8e5160,seq=0x1)

17:51:26.755997 I 12.36.175.198 > 198.14.120.155: ESP(spi=8d6ca8fe,seq=0x1)

17:51:26.765775 O 198.14.120.153 > 12.36.175.198: ESP(spi=8a8e5160,seq=0x2)


Any information or comments will be appreciated.

Best regards,

CPUO2006
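
Added example, not part of the original thread: a small Python check that parses tcpdump lines in the format quoted in the post above and reports outbound IKE/ESP packets whose source address is not the VRRP address. The function names are hypothetical; the capture lines are copied from the post.

```python
import re
from collections import defaultdict

# Capture lines copied from the post above (this tcpdump prints I/O for direction).
CAPTURE = """\
17:51:23.959990 I 12.36.175.198.500 > 198.14.120.155.500: [|isakmp]
17:51:23.966668 O 198.14.120.155.500 > 12.36.175.198.500: [|isakmp]
17:51:24.281775 O 198.14.120.153 > 12.36.175.198: ESP(spi=8a8e5160,seq=0x1)
17:51:26.755997 I 12.36.175.198 > 198.14.120.155: ESP(spi=8d6ca8fe,seq=0x1)
17:51:26.765775 O 198.14.120.153 > 12.36.175.198: ESP(spi=8a8e5160,seq=0x2)
"""

IP = r"\d+\.\d+\.\d+\.\d+"
LINE = re.compile(
    rf"^(?P<ts>\S+)\s+(?P<dir>[IO])\s+(?P<src>{IP})(?:\.(?P<sport>\d+))?"
    rf"\s+>\s+(?P<dst>{IP})(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)

def classify(rest, sport, dport):
    """Label a packet as ESP or IKE; anything else is ignored."""
    if rest.startswith("ESP("):
        return "ESP"
    if "isakmp" in rest or "500" in (sport, dport):
        return "IKE"
    return None

def check_vpn_sources(capture, vip):
    """Return (local addresses seen per protocol, outbound packets not sourced from vip)."""
    seen = defaultdict(set)
    mismatches = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        proto = classify(m["rest"], m["sport"], m["dport"])
        if proto is None:
            continue
        # The gateway's own address is the source when outbound, the destination when inbound.
        local = m["src"] if m["dir"] == "O" else m["dst"]
        seen[proto].add(local)
        if m["dir"] == "O" and local != vip:
            spi = re.search(r"spi=([0-9a-fA-F]+)", m["rest"])
            mismatches.append((m["ts"], proto, local, spi.group(1) if spi else None))
    return dict(seen), mismatches

if __name__ == "__main__":
    seen, bad = check_vpn_sources(CAPTURE, vip="198.14.120.155")
    for ts, proto, addr, spi in bad:
        print(f"{ts} outbound {proto} sourced from {addr} (spi={spi}), not the VRRP address")
```
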

david
2006-07-17, 08:45
You should be seeing the traffic coming from your VRRP address.
Do you have the VRRP address defined as the IP of the cluster object?

cpuo2006
2006-07-17, 09:10
Of course, the VRRP IP address is used as the IP of the cluster object.

It is really weird.

Regards,

CPUO2006

cpuo2006
2006-07-19, 11:49
Hi All,

Do you know if there is any way to force the Nokia IP380 to use the VRRP IP for VPN outbound connections?

My system:

-two IP380s running IPSO3.8
-NG with Application Intelligence, R55.

VRRP was configured on both, but the active box's IP was used for VPN outbound connections, which are being dropped by VPN peers.

Any help will be appreciated.

Best regards,

cheni