[LARTC] Routing to 2 isps and dhcp devices.

Linux Advanced Routing and Traffic Control


I'm redoing our firewalls at 3 sites.

At each site I have 1 DSL with a static IP and a cable modem.
2 of the cable modems are regular DHCP connections and the other uses a
Cisco cable modem that simulates a static IP.


Goals:

1: Have redundant connections to the internet that automatically deal with
connection failures.
2: Have redundant ipsec VPN links using freeswan that also deal with
connection failures.

At the moment I'm primarily working on the redundant connections to
the internet but need to keep in mind the ipsec issues.

I am trying out the example from the Nano-Howto by Christoph Simon
at http://www.linuxvirtualserver.org/~julian/nano.txt

Looks very promising but there are complications.

In my test setup I'm doing both connections via cable modem.
On one I set it up static from info from dhcpcd.
On the other I'm routing through a Linksys cable modem router.

The "static" connection is just fine.
The problem is that the one going through the Linksys router does not
detect when the internet connection fails.
I assume it's because the routing is not aware of the real route out. I
suspect I would have the same problem with the one going through the
Cisco cable modem.

The nice thing about going through the Linksys router is I don't
have to play with ipsec.conf and restarting ipsec as required.

Any suggestions??

I see a few possibilities:

It looks like it may be possible to use dhcpcd to do the DHCP but
actually add the interface and routes with the ip command.
If that can be done it will require handling a lot of possible states,
particularly for freeswan.

Use the Linksys boxes and figure out some way to test the routes. I'm not
really that thrilled about the extra boxes but it sure makes the ipsec
config simpler.

Anything else??

John
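
The second possibility in the message above (testing the routes when the uplink sits behind a NAT router) can be sketched as follows. This is an added example, not part of the original post: it probes hosts beyond the first hop through each device and builds the default route from the uplinks that answer. Device names, gateway addresses and probe targets are constructed placeholders, and it assumes iputils `ping` and that per-uplink routing already lets a device-bound packet leave through that uplink.

```shell
#!/bin/sh
# Added example (not from the original post). Device names, gateways and probe
# targets are constructed placeholders; replace them with real values.
UPLINKS="eth1:192.0.2.1 eth2:192.168.1.1"      # device:gateway per uplink
PROBE_TARGETS="198.51.100.10 203.0.113.20"     # hosts beyond each ISP's first hop

# probe DEV TARGET: succeeds only if TARGET answers when the packet is forced
# out through DEV. Pinging the gateway itself would keep succeeding when a NAT
# router such as the Linksys loses its own upstream link.
probe() {
    ping -c 2 -W 2 -I "$1" "$2" >/dev/null 2>&1
}

# uplink_alive DEV: an uplink counts as alive if any far target answers, so one
# unreachable probe host does not take a working link out of service.
uplink_alive() {
    for target in $PROBE_TARGETS; do
        probe "$1" "$target" && return 0
    done
    return 1
}

# build_default_route: print the ip(8) command that installs a default route
# using only the uplinks that passed the end-to-end probe. Returns 1 if none did.
build_default_route() {
    hops=""
    for uplink in $UPLINKS; do
        dev=${uplink%%:*}
        gw=${uplink#*:}
        if uplink_alive "$dev"; then
            hops="$hops nexthop via $gw dev $dev weight 1"
        fi
    done
    [ -n "$hops" ] || return 1
    echo "ip route replace default scope global$hops"
}

# Print the command for review when called with --print (e.g. from cron).
if [ "${1:-}" = "--print" ]; then
    build_default_route || echo "no uplink passed the probe" >&2
fi
```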







