[Sidewinder] Sidewinder to Sidewinder (6.x) IPSEC SAs with floating IPs
Sidewinder moderated discussion list
sidewinder at adeptech.com
Wed May 27 06:24:19 EDT 2009
Thank you for your reply.
I'm not sure that what you stated quite applies. In this situation, we
have a working tunnel that is interrupted due to a downed feed. The LLB
does its job and routes over a different feed, causing the far endpoint
to see requests to raise a tunnel from a different IP than stated in the
SA.
I have tried creating multiple SAs, but Sidewinder seems to grab the
first in the list with matching networks and that's often not the one
for the incoming IP. So it fails.
-----Original Message-----
From: sidewinder-bounces at adeptech.com
[mailto:sidewinder-bounces at adeptech.com] On Behalf Of Sidewinder
moderated discussion list
Sent: Tuesday, May 26, 2009 2:36 PM
To: sidewinder at adeptech.com
Subject: Re: [Sidewinder] Sidewinder to Sidewinder (6.x) IPSEC SAs with floating IPs
I am guessing that you see packets for a given session arriving across
the range of tunnel endpoints.
In that case, your link lb solution should provide something akin to a
gateway pool with each possible path defined. Then it should be able to
persist a connection until something forces an alternate selection (at
which point a new tunnel will be selected). Then you can define the
tunnel endpoints on the SW and you won't see packets arriving
willy-nilly, there will be session persistence.
This isn't something your SW would control, it is controlled by the
multi-homed side that initiates the tunnel.
Mike
-----Original Message-----
From: sidewinder-bounces at adeptech.com
[mailto:sidewinder-bounces at adeptech.com] On Behalf Of Sidewinder
moderated discussion list
Sent: Sunday, May 24, 2009 12:28 PM
To: sidewinder at adeptech.com
Subject: [Sidewinder] Sidewinder to Sidewinder (6.x) IPSEC SAs with floating IPs
Does anyone have experience with site-to-site gateway Sidewinder VPNs
where one remote IP address may change over time?
We have many VPNs between our Sidewinder 6.x firewalls. They provide a
backup for our MPLS network and, in some cases, essential site-to-site
connectivity where an MPLS network endpoint is cost-prohibitive. Life
has been great for a long time, but then we added link load balancing
technology to our main site.
This now means that our main site may initiate a VPN from one of three
different IP addresses. Sidewinder does not love this scenario. You
must specify a remote gateway, and ours changes. I have tried creating
a separate SA for each possible IP, but that does not work.
We are trying to provide access to whole networks behind the
Sidewinders, so I believe "Fixed IP" is our only option. Surely we are
not the only ones doing this. How do you all configure your
environment?
Details:
Tunnel Encaps.
Fixed IP mode
_______________________________________________
Sidewinder mailing list
Sidewinder at adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
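As an added illustration, not taken from this thread and not Sidewinder's own code or configuration syntax, the Python model below contrasts the SA selection behaviour the poster describes (the first SA whose protected networks match is taken, regardless of which gateway IP initiated) with a selection that also requires the initiating peer to equal the SA's configured remote gateway. It also includes a small audit helper an administrator could use to confirm that every gateway IP a multi-homed site can initiate from is covered by an SA entry. The SA table, IP addresses and networks are constructed examples (RFC 5737 documentation ranges), and the selection functions are a simplified model, not the firewall's actual algorithm.

```python
import ipaddress

# Constructed SA table: one entry per possible initiating gateway IP at the
# multi-homed main site, all protecting the same pair of networks.
# (Illustrative model only; not Sidewinder configuration syntax.)
SA_TABLE = [
    {"name": "main-feed1", "remote_gw": "198.51.100.10",
     "local_net": "10.20.0.0/16", "remote_net": "10.10.0.0/16"},
    {"name": "main-feed2", "remote_gw": "198.51.100.20",
     "local_net": "10.20.0.0/16", "remote_net": "10.10.0.0/16"},
    {"name": "main-feed3", "remote_gw": "203.0.113.5",
     "local_net": "10.20.0.0/16", "remote_net": "10.10.0.0/16"},
]


def _nets_match(sa, local_net, remote_net):
    """True when the SA protects exactly the requested network pair."""
    return (ipaddress.ip_network(sa["local_net"]) == ipaddress.ip_network(local_net)
            and ipaddress.ip_network(sa["remote_net"]) == ipaddress.ip_network(remote_net))


def select_by_networks(sa_table, peer_ip, local_net, remote_net):
    """Model of the behaviour reported in the thread: the first SA whose
    protected networks match wins; the initiating peer IP is not consulted."""
    for sa in sa_table:
        if _nets_match(sa, local_net, remote_net):
            return sa
    return None


def select_by_peer(sa_table, peer_ip, local_net, remote_net):
    """Selection that requires the initiating peer to equal the SA's
    configured remote gateway as well as the networks matching, so a
    negotiation arriving from a different feed lands on its own SA."""
    peer = ipaddress.ip_address(peer_ip)
    for sa in sa_table:
        if (ipaddress.ip_address(sa["remote_gw"]) == peer
                and _nets_match(sa, local_net, remote_net)):
            return sa
    return None


def negotiation_outcome(selector, sa_table, peer_ip, local_net, remote_net):
    """Return 'ok' when the chosen SA's gateway equals the initiating peer,
    'gateway_mismatch' when an SA was chosen for a different gateway (the
    failure the poster observes), or 'no_sa' when nothing matched."""
    sa = selector(sa_table, peer_ip, local_net, remote_net)
    if sa is None:
        return "no_sa"
    if ipaddress.ip_address(sa["remote_gw"]) == ipaddress.ip_address(peer_ip):
        return "ok"
    return "gateway_mismatch"


def uncovered_initiators(sa_table, initiator_ips):
    """Audit helper: list initiating gateway IPs (e.g. every feed a link
    load balancer may route out of) that no SA entry names as remote_gw."""
    configured = {ipaddress.ip_address(sa["remote_gw"]) for sa in sa_table}
    return sorted(str(ip) for ip in map(ipaddress.ip_address, initiator_ips)
                  if ip not in configured)


if __name__ == "__main__":
    # Tunnel was up via feed1; the LLB fails over and feed2 now initiates.
    for name, sel in (("networks-only", select_by_networks), ("peer-aware", select_by_peer)):
        print(name, negotiation_outcome(sel, SA_TABLE, "198.51.100.20",
                                        "10.20.0.0/16", "10.10.0.0/16"))
    # Confirm all three feeds the main site can use are covered.
    print("uncovered:", uncovered_initiators(
        SA_TABLE, ["198.51.100.10", "198.51.100.20", "203.0.113.5", "203.0.113.9"]))
```

Running the script shows the network-only rule picking the feed1 SA for a negotiation that arrived from feed2 (a gateway mismatch), while the peer-aware rule picks the feed2 SA; the audit reports 203.0.113.9 as an initiator with no SA.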