IPSec VPN High Availability VIP

We have a pair of Balance 305s in an HA setup. We need to make an IPSec VPN connection to a 3rd party (a CheckPoint firewall on their site, we think). The issue is they see our traffic to them coming from the public IP of the active master unit and not the Virtual IP (VIP). So then they have to configure their side to use the actual public IP of the master rather than the VIP, which of course means a failover kills the tunnel.

We’re still testing, but this seems to only be an issue with the primary WAN that is also in Drop-In Mode. For a secondary WAN connection, the VIP seems to always be used. I’m now thinking this may be expected in Drop-In Mode, but I wasn’t sure, so I thought I’d ask. Is there a way to force the outbound traffic to use the VIP for that IPSec tunnel connection?



It is expected to terminate the IPSec VPN with the master device's physical IP address. The master’s IP address will be replicated to the slave when the HA fails over. So, the IPSec VPN will be re-established when failover happens.