I will check the GreenBow settings. And I'm connecting to the CARP IP.
The failover IPsec settings look good; well, at least when I switch off the main fw, the backup fw also creates the IPsec tunnel (VPN always up).
Thank you for the hint concerning "prefer older SAs".
I know that the IPsec traffic cannot be filtered, but I still don't understand the following line in the IPsec logs:
racoon: INFO: Update the generated policy : 192.168.1.34/32 192.168.2.0/24 proto=any dir=in
I am also getting this problem. It would seem that the rules are not being generated and applied properly for on-the-fly (road warrior) connections. Since "static" VPNs have the subnets etc. set up from the get-go, I'm not surprised that they work with no error.
I have tried:
TauVPN 0.36 0.36 0.40
The Green Bow 2.5.1.008
and all result in the same error in the ipsec logs.
Sadly, poking around on the cmd line is my limit (and I could not find ipsec.conf to "setkey" it).