Hello Stuart, Wednesday, August 6, 2014, 8:01:21 AM, you wrote:
SH> On 2014-08-05, David Dahlberg <[email protected]> wrote:
SH> >> I do not know enough of Cisco to be able to tell you whether or not
SH> >> one may cluster their routers/VPN gateways. But you have multiple
SH> >> options to emulate the fallback behaviour that you described above.
SH> >>
SH> >> 1) Just configure two tunnels, to both Cisco gateways. Give one route(8)
SH> >> -priority, or use a dynamic routing protocol.
SH> >>
SH> >> 2) You may use ifstated or similar to monitor the gateways and tunnels
SH> >> and switch over, when indicated.

SH> Note that for these methods you'll need to use some explicit encapsulation
SH> (for example, gif or gre) rather than using standard ipsec tunnels. On
SH> OpenBSD IPsec is flow-based and there is no option for route-based like
SH> various other vendors support.

I couldn't directly manipulate IPsec-related routing, but there is a way to
do it indirectly. The "narrower" route takes priority, so you can slightly
adjust one of the tunnels. For example, if it goes from 192.168.1.0/24 to
10.0.0.0/8, you can make the primary one from 192.168.1.0/24 to 10.0.0.0/9
(and maybe the second primary to 10.128.0.0/9 if you really need it). Or you
can make the secondary one from 192.168.0.0/23 to 10.0.0.0/8.

If you make just two tunnels it will be redundant, but not very responsive
to a lost connection, because tunnels don't check themselves very often
(sometimes this is what you need). If you need something more responsive you
can play with phase 2 lifetimes (not sure if this is a good idea) or have
some watchdog process (ifstated?) to force phase 2 renegotiation if the
connection is lost.

-- 
Best regards,
 Boris                            mailto:[email protected]
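The "narrower flow wins" trick above, written out as an ipsec.conf(5) fragment. This is an added example, not configuration posted by anyone in the thread: the gateway address 198.51.100.10, the two Cisco peer addresses 203.0.113.1 and 203.0.113.2, the /24 behind the OpenBSD box and the 10.0.0.0/8 network behind the Ciscos are all assumed placeholders, as are the pre-shared keys.

```conf
# /etc/ipsec.conf, added example (not from the thread).
# Assumed addresses: OpenBSD gateway 198.51.100.10 in front of 192.168.1.0/24,
# two Cisco gateways (203.0.113.1 primary, 203.0.113.2 secondary) in front
# of 10.0.0.0/8. Replace the psk strings with real keys.

local_gw = "198.51.100.10"
cisco_a  = "203.0.113.1"
cisco_b  = "203.0.113.2"
lan      = "192.168.1.0/24"

# Primary tunnels: 10.0.0.0/8 split into its two /9 halves, both to cisco_a.
# These are the most specific flows in the SPD, so they match before the /8.
ike esp from $lan to 10.0.0.0/9   local $local_gw peer $cisco_a psk "PRIMARY-KEY"
ike esp from $lan to 10.128.0.0/9 local $local_gw peer $cisco_a psk "PRIMARY-KEY"

# Secondary tunnel: the full /8 to cisco_b. A packet to 10.x.y.z only reaches
# this flow when neither /9 flow is installed.
ike esp from $lan to 10.0.0.0/8 local $local_gw peer $cisco_b psk "SECONDARY-KEY"
```

Load it with `ipsecctl -f /etc/ipsec.conf` and check the result with `ipsecctl -s flow`, which lists all three flows and their peers. One caveat worth checking on your own setup: a flow stays in the SPD whether or not its SA is currently up, so the /9 flows keep winning while they are installed. To actually fail over to cisco_b, whatever watchdog you use (ifstated, a cron job) has to remove the narrower flows, for example by flushing with `ipsecctl -F` and reloading a config that omits the two /9 rules, and reinstall them when cisco_a is reachable again.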

