How Not to Break S2S Configurations for 3rd-Party Appliances
Novell Cool Solutions: Trench
By John Fuge
Posted: 4 Jan 2005
I have been working on several NBM 3.8.1 Site-to-Site configurations over the last several months, specifically BorderManager to Appliances. Configuring the devices and server is pretty easy to do. Making changes to the configurations, however, is not so easy to do. While setting up a site, we found that an ISP would continually give the wrong IP or subnet mask. We would have to go back into the site-to-site slave configuration and try to make modifications, without much success.
STOP! Don't do it. It seems that modifying the slave server's configuration can break the slave's configuration entirely. If you do modify the server configuration, it may be impossible to save the entire configuration after the changes are saved. I created them and deleted them several times, stopped and restarted services ... basically I tried everything. The slave would show up in iManager, but not in the call manager (at the server console, type "callmgr").
The IKE screen or log would state that the connection with that slave IP was being deleted or removed from the "vpninf". If I created another slave with the same or different name and another IP address, then it would show up in the call manager screen. NDS was clean and everything else seemed fine. The only option at that point was to delete the slave servers from the configuration, then delete the master server's configuration as well. Then I had to reboot the server and recreate the entire VPN setup from scratch.
(Note: Once the entire configuration was re-created a few times, it seems to take only a few minutes to complete that process. Just have all of your IP addresses, 3rd-party rules, and anything else you might need ready.)
To make a slave server modification, follow these steps:
- Delete the slave.
- Type stopvpn at the server console so that the VPN shuts down.
- Type startvpn at the server console to bring up the tunnel.
- Create the slave again.
- It all should come up clean. If it does not, then stop and restart the VPN again after the slave has been created - that should do the trick.
Note: Twice I had to reboot the server for the changes to take effect. If the slave disappears from the iManager screen after stopping and restarting the VPN, there is likely a corruption problem, so you should rebuild the VPN from scratch. I'm not sure whether SP2 fixes this issue, but I know SP1 did not.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com