> On 18 Apr 2017, at 03:54, Bob Jones <r.a.n.d.o.m.d.e.v.4+openbsdm...@gmail.com> wrote:
>
> Hi,
>
> Looking at the docs, unlike pfsync, sasyncd and everything else, you
> seem to be unable to define a "different" interface to CARP for the
> purposes of monitoring. Everything seems to need to go over the one
> carpdev.
>
> My question arises because I have a couple of OpenBSD units due to
> be plugged into upstream router ports (direct patch, not via
> intermediate switch).
>
> Obviously for most things, OSPF and BGP will take care of redundancy.
> But for the purposes of VPN failover, I would like to use CARP on my
> "external" interfaces, but as far as my interpretation of the docs go,
> CARP protocol won't work over Layer 3?
that's correct.

> Could someone provide further insight into whether my interpretation
> is correct, and whether I have any other options available? I don't
> really want to go adding a layer 2 switch on my side because that just
> introduces extra point of failure.

off the top of my head, you have two paths you could take.

firstly, you could advertise the vpn service as the same ip addresses
bound to loopback (lo(4)) interfaces on each of the hosts. i.e., a cheap
and cheerful anycast setup. bgp as your routing protocol should work
well for this if you're interested in an active/passive setup.

the second option could be to set up a l2 medium between your hosts.
specifically, you can set up etherip tunnels between them and land
your carp interface on that.

just some ideas.

cheers,
dlg
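A sketch of the second option (etherip tunnel between the two hosts, carp landed on the tunnel), added here as an illustration and not part of the thread; the interface names, the RFC 5737 documentation addresses, the vhid and the password are all assumed values, shown for one host only.

```conf
# --- host A: /etc/sysctl.conf ---
# etherip encapsulation is off by default; enable it on both hosts.
net.inet.etherip.allow=1

# --- host A: /etc/hostname.etherip0 ---
# Tunnel endpoints are each host's own routed address (assumed values).
# Host B uses the same line with the two addresses swapped.
tunnel 192.0.2.1 192.0.2.2
up

# --- host A: /etc/hostname.carp0 ---
# The shared address the VPN peers talk to. carpdev is the etherip
# tunnel rather than a physical NIC, so the CARP advertisements cross
# the routed hop inside the encapsulation. advskew 0 makes this host
# the preferred master; give host B a higher skew (e.g. 100).
inet 198.51.100.10 255.255.255.0 198.51.100.255 vhid 10 carpdev etherip0 pass examplepass advskew 0

# --- pf.conf on both hosts ---
# The encapsulation (IP protocol 97, "etherip" in /etc/protocols) must be
# allowed between the two endpoints, and CARP (protocol 112) on the tunnel.
# pass in on $ext_if proto etherip from 192.0.2.2 to 192.0.2.1
# pass on etherip0 proto carp
```

Note that the etherip tunnel itself is unauthenticated and unencrypted, so the CARP password is the only thing protecting the master election; restrict the tunnel endpoints tightly in pf.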