On Tue, Jun 07, 2005 at 12:34:06AM +0000, Ryan McBride wrote:
> On Tue, Jun 07, 2005 at 01:06:53AM +0100, Stephen Marley wrote:
> > Is there a way to make a pair of carp hosts renegotiate with an
> > existing ipsec peer when a new carp master is elected? I tried it once
> > and it didn't work out.
>
> If the connection to the ipsec peer is not passive, you can use
> ifstated(8) to tickle isakmpd when the carp status changes.
>
> But you probably want to look at sasyncd(8) and pfsync(4), and avoid the
> need for renegotiation at all.
I've finally gotten around to trying out sasyncd, and so far it's been
working fairly well. I can send a ping down an ipsec/gre tunnel to a pair
of carp/sasyncd/pfsync hosts and it doesn't miss a beat as I fail over
from one endpoint to the other (by adjusting the advskew on one of them).

However, after a while the failover stops working correctly, and traffic
will only flow when a specific host is the master. Is this known
behaviour with the code in its current state, or should I be looking at
my configuration or reporting a problem?

-- 
stephen
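Ryan's ifstated(8) suggestion in the quoted message above, written out as an added example (this is not config posted by either participant): an /etc/ifstated.conf that tracks whether the carp interface is MASTER or BACKUP and, on each transition, tells isakmpd through its control FIFO to re-establish or tear down the tunnel. The interface name carp0, the connection name IPsec-peer (the name of the connection in isakmpd.conf) and the FIFO path are assumptions; confirm the exact grammar against ifstated.conf(5) and the FIFO commands against isakmpd(8) on your release.

```conf
# Added example, not from the original thread.
# Assumptions: carp0 carries the tunnel endpoint address, "IPsec-peer" is the
# connection name configured in isakmpd.conf, and /var/run/isakmpd.fifo is
# isakmpd's control FIFO.

init-state auto

# For a carp(4) interface, ifstated sees the link as "up" while the host is
# MASTER and "down" while it is BACKUP, so link state doubles as carp state.
carp_master = "carp0.link.up"

state auto {
	if $carp_master
		set-state master
	if ! $carp_master
		set-state backup
}

state master {
	init {
		# Just became master: ask isakmpd to (re)establish the phase 2 SA
		# with the peer from this host, which now owns the carp address.
		run "echo 'c IPsec-peer' > /var/run/isakmpd.fifo"
	}
	if ! $carp_master
		set-state backup
}

state backup {
	init {
		# Lost master: tear the connection down so this host does not
		# keep SAs for an address it no longer answers on.
		run "echo 't IPsec-peer' > /var/run/isakmpd.fifo"
	}
	if $carp_master
		set-state master
}
```

Enable it with ifstated(8) on both carp hosts. This approach forces a fresh negotiation on every failover, and it only helps when this side initiates (the "not passive" condition Ryan mentions); keeping the SAs in step with sasyncd(8) alongside pfsync(4) avoids that renegotiation window altogether, which is why the thread steers toward it.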