On Thu, May 12 2016 at 47:18, Info wrote:

> Hello, this is my first post on OpenBSD, so do not riddle me, please...

Hello,

Welcome to the lists.

> I have one infrastructure with one IPsec tunnel. This works OK, but I think I
> can duplicate the transfers. My topology is like this:
>
> * One ADSL 20Mb on Site A
> * Two ADSL 10Mb on Site B
> * One OpenBSD per site, attached directly to the router
>
> I need to share Network A with Network B with IPsec like now, but
> balanced/failovered. I searched for solutions and found 3 methods, but I'm not
> sure which to use, and this seems a little complicated:
>
> * CARP (I don't have two servers per site)
> * PF (with IPsec I'm lost)
> * ifstated (I don't know anything about this)
>
> I will send my topology graphically as an attachment (it will read with a
> system or fixed font).

I implemented solutions like that in the past.

The easiest method with IPsec is using encapsulation. I tried two different
setups: gif(4)+ifstated and gif(4)+OSPF. The latter is simpler to maintain,
and for us it scaled to over 50 sites.

With just 2 sites, you can use gre(4) encapsulation instead of gif and use GRE
keepalives instead of setting up ospfd. We didn't use that solution because
GRE keepalives are not implemented on Linux and we needed interoperability.

Basically, you create 2 IPsec tunnels between A and your 2 public IP addresses
on B. Then you set up 2 GRE tunnels on top of IPsec. On site A, you configure
2 routes with different weights to reach your network on B. Do the same on
site B.

In case of failure, the primary GRE tunnel will go down (because of missing
keepalives). Your BSD boxes will disable the 1st GRE tunnel interface and use
the 2nd route entry available.

>                                   #  20.0.0.0
>   ########                        #                    ---                    ######
> ##        ##                      #             10Mb  |DSL|--------\          ##    ##
>   ########                        #                    ---         |          ######
> ##        ##                      #                  /             |          ##    ##
> ##        ##   20Mb          ##########             /              |.2        ######
>  ---  .2   ---  .1           #        #------------/              ---
> |BSD|-----|DSL|--------------#  INET  #                          |BSD|---
>  ---       ---               #        #------------\              ---    \
>   |                          ##########             \              |.2    |
>   |  10.0.0.0                     #                  \             |     ---
>  ---                              #                    ---         |     NET
>  NET                              #             10Mb  |DSL|--------/     ---
>  ---                              #                    ---             101.0.0.0
> 100.0.0.0                         #  21.0.0.0

Best regards,

Claer
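The layout Claer describes (two IPsec SAs from A to B's two public addresses, a gre(4) tunnel over each, keepalives on the tunnels, and two routes with different priorities), written out as OpenBSD configuration files. This is an added example, not configuration from the original post or from Claer. It assumes the addresses in the quoted diagram (A's public address 10.0.0.2 on em0 with LAN 100.0.0.0/24; B's 20.0.0.2 on em1 and 21.0.0.2 on em2 with LAN 101.0.0.0/24 and default gateway 20.0.0.1); the /24 masks, interface names, 192.168.255.0/30 and 192.168.255.4/30 point-to-point addresses and the pre-shared keys are all assumptions. The pf route-to rules on B go beyond the post: they are needed because B has two uplinks but only one default route.

```conf
# ---- Site A (BSD A: 10.0.0.2 on em0, LAN 100.0.0.0/24 on em1) ----
# All addresses, interface names and keys below are assumed, not from the post.

# /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1            # gre(4) drops everything until this is set

# /etc/rc.conf.local
ipsec=YES                       # load /etc/ipsec.conf at boot
isakmpd_flags="-K"              # ipsec.conf, not isakmpd.conf, drives the SAs

# /etc/ipsec.conf : one SA per B-side uplink; transport mode, GRE only,
# so only the tunnel packets between the public addresses are protected
ike esp transport proto gre from 10.0.0.2 to 20.0.0.2 psk "psk-A-B-dsl1"
ike esp transport proto gre from 10.0.0.2 to 21.0.0.2 psk "psk-A-B-dsl2"

# /etc/hostname.gre0 : primary tunnel, via B's first DSL (20.0.0.2)
tunnel 10.0.0.2 20.0.0.2
inet 192.168.255.1 255.255.255.252 192.168.255.2
keepalive 10 3                  # one probe every 10 s; 3 misses -> link down
up
!route add -priority 8 101.0.0.0/24 192.168.255.2

# /etc/hostname.gre1 : secondary tunnel, via B's second DSL (21.0.0.2);
# the higher priority value loses to gre0 while gre0's link is up
tunnel 10.0.0.2 21.0.0.2
inet 192.168.255.5 255.255.255.252 192.168.255.6
keepalive 10 3
up
!route add -priority 16 101.0.0.0/24 192.168.255.6

# /etc/pf.conf (tunnel-related part only)
ext_if = "em0"
ext_ip = "10.0.0.2"
peers  = "{ 20.0.0.2, 21.0.0.2 }"
set skip on { lo0 }
pass out
pass in on $ext_if proto udp from $peers to $ext_ip port isakmp
pass in on $ext_if proto esp from $peers to $ext_ip
# decrypted GRE is filtered on enc0; only the two peers may feed the tunnels
pass in on enc0 proto gre from $peers to $ext_ip keep state (if-bound)
pass in on { gre0, gre1 } from 101.0.0.0/24 to 100.0.0.0/24

# ---- Site B (BSD B: 20.0.0.2 on em1, 21.0.0.2 on em2, LAN 101.0.0.0/24) ----
# sysctl.conf and rc.conf.local as on A. The SAs and tunnels are mirrored:

# /etc/ipsec.conf
ike esp transport proto gre from 20.0.0.2 to 10.0.0.2 psk "psk-A-B-dsl1"
ike esp transport proto gre from 21.0.0.2 to 10.0.0.2 psk "psk-A-B-dsl2"

# /etc/hostname.gre0
tunnel 20.0.0.2 10.0.0.2
inet 192.168.255.2 255.255.255.252 192.168.255.1
keepalive 10 3
up
!route add -priority 8 100.0.0.0/24 192.168.255.1

# /etc/hostname.gre1
tunnel 21.0.0.2 10.0.0.2
inet 192.168.255.6 255.255.255.252 192.168.255.5
keepalive 10 3
up
!route add -priority 16 100.0.0.0/24 192.168.255.5

# /etc/pf.conf additions on B. With a single default route (20.0.0.1) the
# ESP packets sourced from 21.0.0.2 would leave through the first DSL and
# die together with it, so push each uplink's traffic out its own router.
dsl1_if = "em1"
dsl2_if = "em2"
pass out on $dsl1_if from 21.0.0.2 route-to ($dsl2_if 21.0.0.1)
pass out on $dsl2_if from 20.0.0.2 route-to ($dsl1_if 20.0.0.1)
```

To check it, `ipsecctl -sa` should list both SAs, `ifconfig gre0` and `ifconfig gre1` show the keepalive settings and link state, and `netstat -rnf inet` shows both routes to the remote LAN with their priorities. Pulling B's first DSL line stops gre0's keepalive replies, gre0's link state goes down, the kernel stops using the priority-8 route through it and the priority-16 route through gre1 carries the traffic until gre0 comes back. The `inet local mask remote` form in hostname.if sets the point-to-point destination; the GRE keepalive traffic itself travels inside the IPsec SA, so no extra pf rule is needed for it.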

