hi,
I'm running VyOS (current stable release) on two servers; for failover, I'm using cluster rather than VRRP.
I have one server with an external IP of 192.168.2.25.
The other server has an external IP of 192.168.2.26.
The service IP for these two is 192.168.2.27.
The internal interfaces are using VLANs; there are several vifs, all of which are in the same cluster group.
The full cluster configuration is:
cluster {
    dead-interval 8000
    group cluster1 {
        auto-failback true
        monitor 192.168.2.1
        monitor 192.168.100.132
        primary fw1
        secondary fw2
        service 192.168.100.129/25/eth1.11
        service 192.168.101.254/27/eth1.11
        service 192.168.102.190/27/eth1.11
        service 192.168.50.1/24/eth1.5
        service 192.168.2.27/24/eth0
        service 192.168.40.1/24/eth1.40
    }
    interface eth0
    interface eth1.11
    interface eth1.5
    interface eth1.40
    keepalive-interval 2000
    monitor-dead-interval 20000
    pre-shared-secret ****************
}
I have an L2TP/IPsec VPN working, using X.509 certificates.
The configuration is:
ipsec {
    ipsec-interfaces {
        interface eth0
    }
    nat-networks {
        allowed-network 0.0.0.0/0 {
            exclude 192.168.40.0/24
        }
    }
    nat-traversal enable
}
l2tp {
    remote-access {
        authentication {
            local-users {
                username lee {
                    password test
                    static-ip 192.168.40.151
                }
            }
            mode local
        }
        client-ip-pool {
            start 192.168.40.11
            stop 192.168.40.200
        }
        ipsec-settings {
            authentication {
                mode x509
                x509 {
                    ca-cert-file /config/auth/SCL_CA.crt
                    server-cert-file /config/auth/l2tp_vpn.crt
                    server-key-file /config/auth/l2tp_vpn.pem
                }
            }
            ike-lifetime 3600
        }
        outside-address 192.168.2.25
        outside-nexthop 192.168.2.1
    }
}
The IPs and passwords will be changed for production; it's just on a private test network at the moment.
As I said, the VPN IS working, but only because the outside address is set to the physical IP of eth0 and the VPN connection is set to connect to the physical IP, which means I need to keep changing the VPN connection depending on which firewall is working. I want to connect to the VIP 192.168.2.27, but I can't get it to connect if I set this as the outside address. How do I fix this?
Also, there will only be a few VPN users, who will each get a static IP
(I want to restrict specific users to connections to different sets of servers, so I need to know which IP each one will use).
Using the connection as it is initially set up in Windows, it's fine, everything goes through the tunnel, so routing is not a problem. But if the client connection is set as a split tunnel, the VPN connection gets no gateway or routing information. Is there any way of automatically getting that?
thanks
lee.
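The mismatch described in the post (L2TP `outside-address` pinned to a node's physical IP instead of one of the cluster's floating service IPs, so the VPN endpoint does not follow a failover) can be caught with a simple configuration lint. The following is an added example, not code from the post or from VyOS; it assumes the configuration is in the same `show configuration`-style text as pasted above, and the sample config strings below are constructed from an abbreviated copy of that text.

```python
import re

# Constructed sample: abbreviated copy of the cluster block from the post.
CLUSTER_CONFIG = """
cluster {
    group cluster1 {
        service 192.168.100.129/25/eth1.11
        service 192.168.50.1/24/eth1.5
        service 192.168.2.27/24/eth0
        service 192.168.40.1/24/eth1.40
    }
    interface eth0
}
"""

# Constructed sample: the l2tp remote-access block as posted (physical IP).
L2TP_CONFIG = """
l2tp {
    remote-access {
        outside-address 192.168.2.25
        outside-nexthop 192.168.2.1
    }
}
"""

SERVICE_RE = re.compile(r"^\s*service\s+(\d+\.\d+\.\d+\.\d+)/(\d+)/(\S+)\s*$", re.M)
OUTSIDE_RE = re.compile(r"^\s*outside-address\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)


def cluster_vips(text):
    """Map each floating service IP to its interface, from 'service a.b.c.d/len/iface' lines."""
    return {m.group(1): m.group(3) for m in SERVICE_RE.finditer(text)}


def l2tp_outside_address(text):
    """Return the l2tp remote-access outside-address, or None if not set."""
    m = OUTSIDE_RE.search(text)
    return m.group(1) if m else None


def check_outside_address(cluster_text, l2tp_text):
    """Return (ok, message): ok only when outside-address is a cluster VIP."""
    vips = cluster_vips(cluster_text)
    addr = l2tp_outside_address(l2tp_text)
    if addr is None:
        return False, "l2tp outside-address is not set"
    if addr in vips:
        return True, f"outside-address {addr} is the cluster VIP on {vips[addr]}"
    return False, (f"outside-address {addr} is a node address, not a cluster "
                   f"service IP; VPN will not follow failover. VIPs: {sorted(vips)}")
```

Run it against both nodes' configurations before and after a failover test; a `False` result means remote-access clients are bound to a single node.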