On Monday, 04.08.2014, 20:36 +0000, Peter van Oord van der Vlies wrote:
> Does anyone know a way to build a setup when the remote IPsec endpoint has a
> failover setup on the IPsec side? On Cisco IOS it's possible to configure
> multiple peers; when a peer dies it will try the other one on the list.
>
> Has anyone tried to fix this when the remote end is a Cisco IOS device and the other
> side is an OpenBSD box?
If you want the OpenBSD side to be redundant, use CARP and sasyncd.

On the OpenBSD side you may use CARP and sasyncd. The OpenBSD boxes
will look like only one machine to the Cisco, and there is no need
even to enable this fallback feature on the Cisco.

If you want the Ciscos to be redundant, you have multiple options.
I do not know enough about Cisco to be able to tell you whether or not
one may cluster their routers/VPN gateways. But you have multiple
options to emulate the fallback behaviour that you described above.

1) Just configure two tunnels, to both Cisco gateways. Give one a route(8)
priority, or use a dynamic routing protocol.

2) You may use ifstated or similar to monitor the gateways and tunnels
and switch over when indicated.

3) What you probably can do on the Cisco, which kind of emulates a
CARP-without-sasyncd setup, is to configure the VPN on a VRRP interface.

The disadvantage of the last setup is that you will need both peers to
notice that the tunnel is broken and to re-establish it. So please be
sure to enable DPD (IKE1)/liveness checks (IKE2)/keepalives (Cisco).
Cheers
David
--
David Dahlberg
Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany | Fax: +49-228-856277
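As an added illustration of option 2 above (this is example configuration, not part of the thread and not from any of the posters), the ifstated.conf below keeps the route to the remote LAN pointed at whichever of two tunnels currently answers. It assumes the OpenBSD box already has two tunnels up, one to each Cisco, carried as routable tunnel interfaces over IPsec, with inner addresses 10.255.0.1/10.255.0.2 for tunnel 1 and 10.255.1.1/10.255.1.2 for tunnel 2, and that the remote LAN behind the Ciscos is 10.1.0.0/24. All names and addresses are assumptions chosen for the example.

```conf
# /etc/ifstated.conf (constructed example, not from the thread)
# Monitor both IPsec tunnels and move the route for the remote LAN to
# whichever tunnel is alive. Interface names and addresses are assumptions.

# Probe the far inner address of each tunnel, so the check exercises the
# whole tunnel (IKE SA, child SA, encapsulation) rather than only the
# reachability of the peer's public IP.
tun1_up = '( "ping -q -c 1 -w 2 10.255.0.2 > /dev/null" every 10 )'
tun2_up = '( "ping -q -c 1 -w 2 10.255.1.2 > /dev/null" every 10 )'

init-state auto

# Decide from scratch: at startup, or after both tunnels were down.
state auto {
	if $tun1_up
		set-state primary
	if ! $tun1_up && $tun2_up
		set-state secondary
	if ! $tun1_up && ! $tun2_up
		set-state isolated
}

# Preferred path: remote LAN via tunnel 1.
state primary {
	init {
		run "route -n change 10.1.0.0/24 10.255.0.2 || route -n add 10.1.0.0/24 10.255.0.2"
		run "logger -t ifstated 'ipsec failover: using tunnel 1'"
	}
	if ! $tun1_up && $tun2_up
		set-state secondary
	if ! $tun1_up && ! $tun2_up
		set-state isolated
}

# Fallback path: tunnel 1 is dead, tunnel 2 still answers.
state secondary {
	init {
		run "route -n change 10.1.0.0/24 10.255.1.2 || route -n add 10.1.0.0/24 10.255.1.2"
		run "logger -t ifstated 'ipsec failover: using tunnel 2'"
	}
	# Fail back as soon as the preferred tunnel answers again.
	if $tun1_up
		set-state primary
	if ! $tun2_up
		set-state isolated
}

# Both tunnels dead: withdraw the route so traffic fails immediately instead
# of being silently blackholed into a dead tunnel, and keep probing.
state isolated {
	init {
		run "route -n delete 10.1.0.0/24"
		run "logger -t ifstated 'ipsec failover: both tunnels down'"
	}
	if $tun1_up
		set-state primary
	if $tun2_up
		set-state secondary
}
```

Enable it with `rcctl enable ifstated && rcctl start ifstated` and watch the transitions in /var/log/messages via the logger lines. Two points worth keeping in mind: a single lost ping flips the state, so on a lossy link you may want to lengthen `-w` or probe more than once before declaring a tunnel dead, and this only moves the route on the OpenBSD side; the IKE daemon still needs DPD/keepalives, as the message above says, so that a stale SA towards the dead Cisco is torn down and the surviving tunnel can be re-established cleanly.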