Hi there. I don't know whether this is the right forum; please excuse me if it is not (of course a pointer to the right one would be appreciated :)
I am experimenting with the VRRP implementation of the VPN 3000 Concentrator series, and it seems that when the "backup" unit takes over, no L2TP/IPsec tunnel can be established anymore.
When the switch takes place, the backup unit takes over the VRRP group IP addresses, which on the VPN 3000 are the master's own IP addresses as well. Thus, the backup unit handles two different IP addresses, its own and the group's.
Well, what I have observed using a sniffer is that while IKE/IPsec packets are correctly sourced from the group address, L2TP packets are sourced from the backup unit's physical IP address, and travel in clear text instead of being encapsulated within IPsec packets. The client machine (a Windows 2000 PC) obviously discards the L2TP packets, and no L2TP/IPsec tunnel can be established. PPTP tunnels work, though.
The above does not happen when the master VPN 3000 is working, as the VRRP group addresses are the same as its own interface addresses.
Now, neither the VPN 3000 documentation nor TAC documents explicitly say that L2TP/IPsec and VRRP are incompatible, but they don't mention compatibility either (while they do mention compatibility of VRRP with PPTP).
Is anyone more informed than me about the matter? Is there any technical reason for the incompatibility between L2TP and VRRP, or is it a bug of some sort?
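Added example, not code from the original post and not Cisco's: a short Python script that automates the sniffer check described above. It parses raw IPv4 packets, labels them as IKE, ESP, NAT-T or cleartext L2TP (UDP 1701), and flags two things in the concentrator-to-client direction: IKE/ESP traffic sourced from something other than the VRRP group address, and any L2TP visible outside ESP. The addresses (192.0.2.1 as the group address, 192.0.2.2 as the backup's own interface, 198.51.100.10 as the client) and the embedded capture are constructed for the example; with a real capture you would feed it the IPv4 payloads of each frame instead.

```python
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
UDP_IKE = 500      # ISAKMP
UDP_NAT_T = 4500   # IKE and ESP-in-UDP when NAT traversal is in use
UDP_L2TP = 1701    # L2TP control/data; must never appear outside ESP here


def parse_ipv4(pkt: bytes) -> dict:
    """Return src, dst, protocol and (for UDP) ports from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "sport": None, "dport": None}
    if proto == IPPROTO_UDP and len(pkt) >= ihl + 8:
        info["sport"], info["dport"], _ulen, _ucsum = struct.unpack(
            "!HHHH", pkt[ihl:ihl + 8])
    return info


def classify(info: dict) -> str:
    """Label a packet as ESP, IKE, NAT-T, cleartext L2TP, or other."""
    if info["proto"] == IPPROTO_ESP:
        return "esp"
    if info["proto"] == IPPROTO_UDP:
        ports = {info["sport"], info["dport"]}
        if UDP_IKE in ports:
            return "ike"
        if UDP_NAT_T in ports:
            return "nat-t"          # encapsulated traffic; L2TP inside it is fine
        if UDP_L2TP in ports:
            return "l2tp-clear"     # L2TP visible on the wire: not protected
    return "other"


def audit(packets, group_ip: str, client_ip: str) -> list:
    """Report concentrator->client packets that break the expected pattern.

    Expected after failover: IKE and ESP sourced from the VRRP group address,
    and no L2TP visible outside ESP.
    """
    findings = []
    for pkt in packets:
        info = parse_ipv4(pkt)
        if info["dst"] != client_ip:
            continue                # only inspect the concentrator -> client direction
        kind = classify(info)
        if kind in ("ike", "esp", "nat-t") and info["src"] != group_ip:
            findings.append(f"{kind} sourced from {info['src']}, expected VRRP address {group_ip}")
        elif kind == "l2tp-clear":
            findings.append(f"cleartext L2TP from {info['src']} to {info['dst']}, should be inside ESP")
    return findings


# --- constructed sample capture (not real traffic); checksums left at zero ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


GROUP_IP = "192.0.2.1"       # VRRP group address (hypothetical)
BACKUP_IP = "192.0.2.2"      # backup unit's own interface address (hypothetical)
CLIENT_IP = "198.51.100.10"  # Windows client (hypothetical)

SAMPLE_CAPTURE = [
    # IKE reply, correctly sourced from the group address
    build_ipv4(GROUP_IP, CLIENT_IP, IPPROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    # ESP carrying the protected traffic, also from the group address
    build_ipv4(GROUP_IP, CLIENT_IP, IPPROTO_ESP, b"\x00\x00\x12\x34" + b"\x00" * 20),
    # What the sniffer showed: L2TP in the clear from the backup's physical address
    build_ipv4(BACKUP_IP, CLIENT_IP, IPPROTO_UDP,
               build_udp(1701, 1701, b"\xc8\x02\x00\x0c" + b"\x00" * 8)),
    # Client -> concentrator packet; ignored by the direction filter
    build_ipv4(CLIENT_IP, GROUP_IP, IPPROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
]


def run_sample() -> list:
    return audit(SAMPLE_CAPTURE, GROUP_IP, CLIENT_IP)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Run against the constructed capture it reports a single finding, the cleartext L2TP packet from 192.0.2.2. Note that NAT-T (UDP 4500) is deliberately treated as encapsulated traffic, so L2TP carried inside ESP-in-UDP is not flagged; only L2TP that shows up as plain UDP 1701 is.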