On 12/08/05, Stoyan Genov <[EMAIL PROTECTED]> wrote:
> Good day,
> 
> Short version:
> 
> Any hints/ideas on setting up a fail-over of an isakmpd-maintained VPN
> connection through a secondary internet line when the primary internet
> line fails, where an autonomous system of IP addresses is not an option?
> Hardware on both sides is i386, OS is obsd/3.7.
> 
> Long version:
> 
> In my office, I have two internet connections, I1 and I2, through two
> different ISPs, ISP1 and ISP2; I1 and I2 use different IP ranges; AS and
> routers are out of the question, unfortunately, as is the possibility of
> routing ISP1's IP range through I2 and vice-versa.
> 
> I have two firewall/gateway machines, F1 and F2; each of them has one
> interface "attached" to one internet connection, one interface to the
> other internet connection, and a third interface for the local network.
> F1 and F2 run obsd3.7/i386.
> 
> Default route for F1 is I1; default route for F2 is I2 (this is the
> current setup, and it is subject to change if needed; the idea is to
> allow people in the LAN to manually change their LAN gateway to go
> through I2 if something goes wrong with F1 or I1)
> 
> I have a "remote" LAN, let's call it RL, and a VPN connection between
> F1 and RL via I1; it's a "routed" connection, not a "bridged" one,
> if that matters (that is, the local and the remote LANs are different
> IP networks, and no broadcasts are exchanged). The gateway there also
> runs obsd3.7/i386, and I have full control over it.
> 
> I want to be able to automatically re-build the VPN connection via I2
> if I1 goes down, using isakmpd if possible (would "fall back" to
> openvpn, if I can't do it with isakmpd). I would also like to keep the
> ability of people to manually choose their way to the internet through
> I2, but if not possible, I am ready to introduce a third firewall with a
> default route of I2 just doing NAT for this purpose.
> 
> Any ideas and hints will be appreciated.
> 

Use dynamic routing.
Set ipip (gif) tunnels between your firewalls, encrypt them with
isakmpd, run bgpd so your firewalls(routers) learn where the networks
are.

Should one path go down, the bgp session will go down and your network
will re-route.

/Tony

-- 
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
       -= The scorpion replied,
               "I couldn't help it, it's my nature" =-
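The gif-plus-bgpd layout from the reply, as an added example that is not part of the thread: F1's side only, in the shell an OpenBSD admin would type it into, with constructed RFC 5737 addresses and private AS numbers. It assumes the isakmpd SA that encrypts the tunnel endpoints is configured separately (not shown) and that F2 and the RL gateway get the mirror-image setup.

```shell
# Added example, not from the thread. All addresses are constructed:
#   F1 public on I1: 192.0.2.1   F2 LAN address: 10.1.0.2   RL public: 198.51.100.1
#   office LAN 10.1.0.0/24 = AS 65001,  remote LAN 10.2.0.0/24 = AS 65002
#   gif0 F1<->RL carries 10.255.1.1 <-> 10.255.1.2 (F2's tunnel uses 10.255.2.0/30)
F1_PUB=192.0.2.1; F2_LAN=10.1.0.2; RL_PUB=198.51.100.1
OFFICE_AS=65001; RL_AS=65002

# gif0: the outer endpoints are the public addresses, so the ipip packets leave
# via I1 (F1's default route). The tunnel itself is cleartext; the isakmpd SA
# covering protocol 4 between $F1_PUB and $RL_PUB (assumed, not shown) adds the
# ESP, and pf must pass esp and ipip on the external interface. OpenBSD only.
gif0_up() {
	ifconfig gif0 tunnel "$F1_PUB" "$RL_PUB"
	ifconfig gif0 inet 10.255.1.1 10.255.1.2 netmask 255.255.255.252 up
}

# /etc/bgpd.conf for F1: eBGP to RL across gif0, iBGP to F2 across the LAN.
# When I1 fails nothing crosses gif0, the RL session expires after holdtime,
# the 10.2.0.0/24 route learned over it is withdrawn, and F1 is left with the
# copy F2 learned over its own tunnel via I2. A short holdtime means faster
# failover but a flap whenever the line merely hiccups.
bgpd_conf() {
	cat <<EOF
AS $OFFICE_AS
router-id $F1_PUB
network 10.1.0.0/24
holdtime 30
holdtime min 10

group "remote-lan" {
	remote-as $RL_AS
	neighbor 10.255.1.2 {
		descr         "RL over gif0 (I1)"
		local-address 10.255.1.1
	}
}

neighbor $F2_LAN {
	remote-as $OFFICE_AS
	descr "F2, iBGP over the office LAN"
}
EOF
}
```

On the box itself: `gif0_up; bgpd_conf > /etc/bgpd.conf; bgpd`, then watch `bgpctl show` while pulling I1 to confirm the RL session drops and the route moves to the F2 path.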