Re: H/A

[Julian Gomez <kluivert@tm.net.my>]

On Tue, May 27, 2003 at 07:47:31AM +1000, George Vieira spoke thusly:
>LIVE IP=203.x.x.x
>FW1=10.1.1.1    FW2=10.1.1.1
>
>using iproute2 I add the live IP to FW1 which is the Master FW.
>
>ip add addr 203.x.x.x/28 dev eth0
>
>Then my firewall scripts find the dev IP using "ip addr show $EXTDEV" add
>then "tail -1" for so it grabs the last line of the list otherwise it
>finds 2 IP bounded to the 1 network card and the scripts go nuts.. See
>snippet of my iptables script below.

George,

You have not stated, exactly what failover scenarios does your setup work
for ? Ie,

[ internet link #1 ] +- [ firewall #1 ] -- +-------+
                     |                     | LAN1  |
	             |                     | LAN2  | 
[ internet link #2 ] +- [ firewall #2 ] -- +-------+

I was addressing something like the above. If firewall #1 goes down,
firewall #2 can take over, but it still requires that all state information
from firewall #1; be propogated to firewall #2. I am not taking into
account any load balancing requirements, pure failover. State info for both
iptables + their VPN setup. [*]

I don't understand how your unique IP addressing method will solve the
above, though your setup itself isn't very clear to me.

That said, the original poster didn't exactly state (IIRC) what sort of VPN
setup he is using (office <-> office), what exactly does he want
fail-over'ed, does he have dual Internet links and many many other bits of
information.

Take note, that even my ascii diagran above only caters for certain
failover scenarios.