----- Original Message -----
> From: "Jeff Simmons" <jsimm...@goblin.punk.net>
> To: misc@openbsd.org
> Sent: Monday, March 12, 2012 8:27:51 PM
> Subject: Failover VPN tunnels
>
> I've got a setup with a central VPN gateway running a couple dozen IPSEC
> tunnels to remote locations. All the gateways are running current, and use
> very simple ipsec.conf entries to set things up. Works beautifully.
>
> ISPs are another matter. At two of the remotes, service is 'flaky' to say
> the least, and we lose connectivity due to network problems on a regular
> basis. Both sites have alternate ISPs available, but their service is also
> questionable (think mountaintop ski resort). I'd like to set up redundant
> connections to these two sites with automatic failover from ISP A (and all
> related IPSEC connections) to ISP B when A's network goes down, etc.
>
> I've found recommendations for using either GIF or GRE in the mailing list
> archives, but little on how to set it up or the relative
> advantages/disadvantages of these two proposals. It also seems that
> ifstated could be used to 'manually' insert/remove SAs and flows via
> ipsecctl. Does anyone have any thoughts as to which approach is preferable
> and the relative merits of each?
>
> --
> Jeff Simmons
> jsimm...@goblin.punk.net

I have one customer with similar flaky ISP issues ... I've satisfactorily handled it with a combination of separate IPsec tunnels and OSPF. I'm not even using ifstated. I can provide an example if needed, but it is so simple I doubt you'd need to see it.