On 2008-07-04, Sebastian Reitenbach <[EMAIL PROTECTED]> wrote:
>> For a single TCP connection, you mean? I think that would either
>> have to involve the ISP (though most won't touch this sort of thing),
>> or a colo box and creative use of tunnels and multipath routing.
>
> yep, I'll have more or less a single connection.
> Can I set up two ipsec tunnels between two openbsd boxes, one per DSL
> line? any hint on how to get the routing working?

since we don't do RFC3884 (some may know this under the draft name,
draft-touch-ipsec-vpn) I think you need to set up a pair of tunnels
with gif(4) or gre(4), turn on the multipath routing sysctl, and
either manually add -mpath routes over each tunnel to the same
destination subnet, or look at running OSPF over the tunnels.

those tunnels themselves can be protected with IPsec if wanted.
watch for MTU problems; the MTU eyechart (a set of image files of
different sizes to serve by HTTP) may be useful to test this.

(OSPF needs multicast and I think I remember one of gif/gre not
supporting that, though that may no longer be the case. so you
will need to experiment and test).

> Or two openvpn tunnels, between two openbsd boxes, and would it then be 
> possible to trunk tun0 and tun1 interface with loadbalance?

I don't think you need to resort to OpenVPN... though there are
a couple of scenarios where it does something useful that can't be done
with standard OpenBSD software, I don't think this is one of them.
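
The setup described in the reply above (two gif(4) tunnels, the multipath sysctl, one -mpath route per tunnel), as an added example that is not part of the original post: a dry-run planner that only prints the OpenBSD commands and works out the inner MTU left after encapsulation. All addresses are constructed documentation values, the 1492-byte link MTU assumes PPPoE DSL, and each tunnel's outer endpoints are assumed to be reachable over their own DSL line already.

```sh
#!/bin/sh
# Added example: dry-run planner. It prints OpenBSD commands and runs none.
# All addresses and the 1492-byte link MTU are constructed sample values.

# Inner MTU left after encapsulation over IPv4: gif(4) adds a 20-byte outer
# IP header, gre(4) adds 20 bytes of IP plus a 4-byte GRE header.
# IPsec protection on top costs more and is not counted here.
tunnel_mtu() {  # usage: tunnel_mtu <link_mtu> <gif|gre>
    case "$2" in
        gif) echo $(( $1 - 20 )) ;;
        gre) echo $(( $1 - 24 )) ;;
        *)   echo "unknown tunnel type: $2" >&2; return 1 ;;
    esac
}

# Print the commands for one tunnel and its multipath route.
# usage: plan_tunnel <if> <outer_src> <outer_dst> <inner_local> <inner_peer> \
#                    <remote_net> <link_mtu>
plan_tunnel() {
    kind=${1%%[0-9]*}                       # gif0 -> gif
    mtu=$(tunnel_mtu "$7" "$kind") || return 1
    echo "ifconfig $1 create"
    echo "ifconfig $1 tunnel $2 $3"
    echo "ifconfig $1 inet $4 $5 netmask 255.255.255.255"
    echo "ifconfig $1 mtu $mtu"
    echo "route add -mpath $6 $5"           # same destination via each tunnel
}

# One side of the link: tunnel 0 over DSL line A, tunnel 1 over DSL line B.
plan_all() {
    echo "sysctl net.inet.ip.multipath=1"
    plan_tunnel gif0 192.0.2.10 198.51.100.10 10.255.0.1 10.255.0.2 \
        172.16.2.0/24 1492 || return 1
    plan_tunnel gif1 192.0.2.74 198.51.100.74 10.255.1.1 10.255.1.2 \
        172.16.2.0/24 1492 || return 1
}

plan_all
```

The far end needs the mirror image: source and destination swapped on each tunnel, and its -mpath routes pointing back at this side's subnet.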
