I’m trying to do a redundant router setup where I need IPSec connectivity to the VRRP address.
The VRRP part seems to be working OK; it takes a few seconds for the backup to take over when I disconnect the master, but it has worked every time in my test setup. I can ping the VRRP address or use it as a gateway address without any problems. (I've tried doing VRRP before with virtual machines and it didn't work there… but it seems to be OK with physical machines.)
However the IPSec part is more problematic.
When using the master router it’s possible to establish an IPSec connection without any problems.
When the backup takes over it's at best flaky: sometimes IPSec is able to establish a connection, sometimes not. If I take the master offline and restart the backup, then it tends to be possible to get the IPSec connection running, but if I e.g. disable/enable IPSec then it doesn't start again. When the backup just takes over it never works. When the master takes over again it works right away without any problems.
I've made some little scripts to disable/enable the IPSec rules on both the connecting router and on the VRRP routers when something changes. This should flush the SAs and restart all key exchanges etc.?
All routers are version 2.9.26 for x86. The IPSec setup is identical on the master and backup VRRP routers. VRRP was set up on each of them; the configurations weren't copied.
The only difference I can see between the master and backup VRRP routers is just that: one is master and one is backup.
Does anyone have any suggestions about what to look for?
Regards,
Flóvin