Hi all,

My first question in a very very long time.. ;)

I have 2 firewalls which are soon to be running HAlinux. Both external interfaces are eth1 on both machines and running 10.10.10.1 and 10.10.10.2 for each firewall for HAlinux.

When HAlinux starts up, the scripts add the external IP to the main firewall (FWa) using iproute2 so eth1 will always be the external device/IP...
                  HA-Linux
             v-- aa.bb.cc.dd --v
        10.10.10.1          10.10.10.2
        ----------          ----------
        |  FWa   |          |  FWb   |
        ----------          ----------
The 2 firewalls use the same config files/firewall scripts..etc.etc..so for the iptables script to work, firewallb looks at eth1 using a script and gets the last IP added to the interface as we don't want it to firewall based on the 10.10.10.X addresses assigned for HAlinux...

The script below grabs the correct IP of aa.bb.cc.dd from firewalla and firewallb (when failover occurs). And all rules work with the "-d $EXTIP" being used..
# Print the last IPv4 address configured on the given device.
getipfromdevice()
{
DEV="$1"
DEVIP=`ip addr show dev "$DEV" | grep "inet " | tail -1 | awk '{print $2}' | cut -f1 -d "/"`
echo "$DEVIP"
}

EXTDEV=eth1
# Command substitution is needed here; without the backticks the line
# would just assign the literal string "getipfromdevice".
EXTIP=`getipfromdevice $EXTDEV`
Now my main problem..

IPSEC has to be told which interface to use for the VPN. I use "interface=eth1" and it grabs 10.10.10.X which isn't correct and you can't tell ipsec to use another IP on the interface (AFAIK).

I found ipsec works with "interface=eth1:1" but then the firewall scripts are amuck.. I prefer not to use aliasing if possible...

Any other ideas or best solution??

Thanks,
George Vieira.
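The post's helper picks EXTIP as "the last address on eth1", which depends on the order in which HAlinux and the admin happened to add addresses; if the ordering ever changes, every "-d $EXTIP" rule silently keys on a heartbeat address instead. The following is an added example (not George's script, and not part of HAlinux) that selects the floating address by excluding the heartbeat network explicitly and fails closed when no such address exists. It assumes the heartbeat addresses live in 10.10.10.0/24, as the two addresses in the post suggest, and it runs against constructed `ip addr show` output so it can be checked without root or a real interface; 203.0.113.5 stands in for aa.bb.cc.dd.

```shell
# Added example (not the poster's script): choose EXTIP by excluding the HA
# heartbeat addresses rather than by taking the last address on eth1.
# Assumption: the heartbeat addresses live in 10.10.10.0/24 (the post
# shows 10.10.10.1 and 10.10.10.2) and the floating address does not.
HA_NET="10.10.10"

# Constructed `ip addr show dev eth1` output: heartbeat address first,
# floating address (203.0.113.5, standing in for aa.bb.cc.dd) second.
SAMPLE_IP_ADDR='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global eth1
    inet 203.0.113.5/24 scope global secondary eth1
    inet6 fe80::211:22ff:fe33:4455/64 scope link'

# getextip: read `ip addr show` text on stdin, print the first IPv4
# address whose first three octets are not HA_NET, and exit 0.
# If no such address exists, print nothing and exit 1 so the caller can
# fail closed instead of loading rules with an empty "-d $EXTIP".
getextip()
{
    awk -v ha="$HA_NET" '
        $1 == "inet" {
            split($2, a, "/")        # strip the /prefixlen
            split(a[1], o, ".")      # octets of the address
            if ((o[1] "." o[2] "." o[3]) != ha) { print a[1]; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    '
}

# getextipfromdevice: the same selection against the live interface.
getextipfromdevice()
{
    ip addr show dev "$1" | getextip
}

# Demonstration on the constructed output (no root, no real interface).
if EXTIP=$(printf '%s\n' "$SAMPLE_IP_ADDR" | getextip); then
    echo "EXTIP=$EXTIP"
else
    echo "no external address on eth1; not loading firewall rules" >&2
fi
```

In the real scripts `EXTIP=$(getextipfromdevice $EXTDEV) || exit 1` replaces the `tail -1` lookup; the exclusion rule makes the result independent of address ordering on both firewalls, and the non-zero exit stops the iptables script from running with an empty destination.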