Hi all. I have two sites connected by a slow MPLS connection, each having faster connections to the internet. Both are viewed as untrusted, so site-to-site traffic flowing over either MPLS or internet needs to be encrypted.

1) My minimum requirement at this point is for an encrypted connection over MPLS, with an encrypted connection over internet as failover. I know it seems backwards, but since the MPLS connection is "guaranteed bandwidth", management prefers it over the internet connection.

2) My optimum setup would be to use both connections in order to improve bandwidth, and have the connection simply get slower if one of the links goes down.

I've already implemented IPsec tunnels in OpenBSD so I favor that method, but am willing to go with OpenVPN if it proves to be more beneficial. I am inexperienced with the rest of the equation, so I have plenty of questions and am in need of guidance.

In order to achieve #1, it seems that I might be able to create two IPsec tunnels, one MPLS and one internet, and route traffic across them via OSPF. Is that right? Any pointers/corrections there?

In order to achieve #2 ... could I create two IPsec tunnels and trunk them? Or could I create some kind of unencrypted tunnel over each link, trunk them, and run IPsec on the trunk? If trunking is even possible in either of these situations, how do I best utilize the links (they are different speeds)?

I believe I understand the purpose and rough workings of OSPF/BGP/etc. but have no experience with them or with the gif/gre/tun devices. Suggestions/pointers/links/howtos will be greatly appreciated.