In article <UT4Cm.19272$7G7.14220@kovat.provo.novell.com>, Marcel wrote:
> If I remove the slave, will the master contact the slave to remove the
> configuration?
No, not until you add the slave back into the site-site VPN member list.
It is the job of the master to read the site-site member configuration
and push that config to all the slaves. It is the job of the slave to
sit back and wait for the configuration data to be pushed to it, and then
act on that to connect to the master and any other slaves. The only
thing you do on the slave side is to tell it what to accept from the
master (subject name of the VPN cert and TRO of that cert's Certificate
Authority).
If you delete and redo a slave in the member list, the sequence is
supposed to happen like this:
1. Master sees member list change
2. Master pushes removal of slave to all VPN members (including that
slave)
3. All members quit trying to contact that slave, and the static routes
are removed that reference that slave's vpn tunnel address. (This part
is important, because I've never seen how to manually remove such routes.
I've definitely had cases where they mysteriously come back with every
reinit on the slave side.)
Then you add back in a slave, and:
4. Master sees the change
5. Master pushes the VPN information (certificate subject name, TRO for
cert, static route) to all the slaves, including the re-added one
6. Slave picks up its new config and begins to contact - or accept
contact from - master and other slaves. Static routes appear in all
slaves
7. NRM shows all slaves as configured and VPN up-to-date. (I've also seen
this get stuck at being configured, even though all the members are
configured and working fine.)
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to
http://www.craigjconsulting.com ***