I set up 2 FW boxes in failover fashion with 2 links.
These are to be connected from outside via OpenVPN installed in the box.
For SEVERAL reasons, only one OpenVPN must be up at a time. Heartbeat takes care of this correctly.
Notice the setup is Active/Active because some users use FW1 to access the Net and others use FW2.

But on the machine where OpenVPN is down I cannot do a "shorewall restart" after making some adjustments in the rules.
--> ERROR: Unable to determine the routes through interface "tun0"

There is an option in OpenVPN (persist-tun) to maintain the tunnel up but only during internal restarts of the tunnel itself.
After "service openvpn stop" the TUN0 also vanishes.

Is there a way to restart Shorewall ignoring the absence of TUN0?

Thanks
Guilsson

Guilsson Gtalk wrote:
> I set up 2 FW boxes in failover fashion with 2 links.
> These are to be connected from outside via OpenVPN installed in the box.
> For SEVERAL reasons, only one OpenVPN must be up at a time. Heartbeat
> takes care of this correctly.
> Notice the setup is Active/Active because some users use FW1 to access
> the Net and others use FW2.
>
> But on the machine where OpenVPN is down I cannot do a "shorewall restart"
> after making some adjustments in the rules.
> --> ERROR: Unable to determine the routes through interface "tun0"
>
> There is an option in OpenVPN (persist-tun) to maintain the tunnel up
> but only during internal restarts of the tunnel itself.
> After "service openvpn stop" the TUN0 also vanishes.
>
> Is there a way to restart Shorewall ignoring the absence of TUN0?

Yes -- in /etc/shorewall/masq, remove 'tun*' from the SOURCE column and
replace with the actual VPN subnet(s).

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,        \ effects of folly is to fill the world with fools.
Washington, USA   \ -Herbert Spencer
http://shorewall.net

Worked. Thanks a lot.

On Thu, Oct 30, 2008 at 3:52 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Yes -- in /etc/shorewall/masq, remove 'tun*' from the SOURCE column and
> replace with the actual VPN subnet(s).
>
> -Tom
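
The fix discussed in this thread can be checked for before a restart. The script below is an added example, not part of the original messages or of Shorewall itself: it lists masq entries whose SOURCE column names an interface instead of a subnet. It assumes that any SOURCE item beginning with a letter is an interface name, and the sample file contents (eth0, eth1 and both subnets) are constructed.

```shell
#!/bin/sh
# Added example: find masq entries whose SOURCE column is an interface name.
# Shorewall works out the subnets for such entries from the routes through
# that interface, so a restart fails while the interface (e.g. tun0) is absent.

# Usage: masq_iface_sources FILE
# Prints "LINE:NAME" for each SOURCE item that begins with a letter.
# Assumption: addresses and subnets begin with a digit, interfaces with a letter.
masq_iface_sources() {
    awk '
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        {
            # SOURCE may be a comma-separated list; check every item
            n = split($2, items, ",")
            for (i = 1; i <= n; i++)
                if (items[i] ~ /^[A-Za-z]/)
                    print NR ":" items[i]
        }
    ' "$1"
}

# Constructed sample masq file (all values are made up for the example).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#INTERFACE   SOURCE
eth0         tun0
eth0         10.8.0.0/24
eth1         192.168.1.0/24,tun0
EOF

# Lines 2 and 4 depend on tun0 existing; line 3 is the restart-safe form.
masq_iface_sources "$sample"
```

Any entry it reports is one to replace with the actual VPN subnet(s), as in the reply above.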