Re: wan links routing failover scheme

On 3/5/2008 8:37 PM, Daniel wrote:
> I need a routing failover scheme to address a vpn site-to-site scenario where branch offices have 2 wan links and a linux box with 2 ethernet ifaces, each one reaching one wan router. Wan links should work in active/passive failover mode.

First and foremost what you are wanting to do is complicated at best. However I think that it will be doable in the end.

How much and what of the equipment will you have full administrative control over?

> At each branch, I need to choose one of the 2 wan routers as the linux box default gateway. For failover to work, I need some mechanism to monitor the active/master link, like icmp/ping, and change the gateway to the passive/backup link when the active/master link fails, and change back when the active/master link becomes up again. If I address this with a routing scheme, the vpn on-demand tunnel from branch to headquarters works transparently above it.

You will need to use some sort of monitoring that tests from your Linux router to the Linux (concentrator) router at the headquarters. I don't think you can safely rely on link level failures. Consider what will happen if you have a bridging ADSL modem that has lost ADSL signal yet still has ethernet link to your Linux box. The Linux box has no way to know that an intermediary link is down and thus the path is down.

I suppose you could find an ADSL modem that will take down the ethernet link when the ADSL link goes down, but now you are getting into a more esoteric situation and specialized hardware that is not commodity and thus difficult to deal with as far as spares go. In short, stick with something that will monitor the end to end path.

> At headquarters and at each branch I will use a linux box. I am thinking of using openvpn as vpn server and client (I have little know-how of openvpn), but other vpn solutions, like ipsec, can be suggested! On branches, a fast and cheap DSL link (should be the active/master link) and a reliable and slower 128kbps PPP link (should be the passive/backup link). Tunnels can be started from either side, from headquarters or from branches, but I will consider starting tunnels from branches to headquarters for this scenario; I can change this view, no problem.

I don't think that the type of VPN solution is all that important yet in this stage of the game. It sounds like you still have a lot of things up in the air that need to be worked out.

Is the PPP link always on (slower broadband) or is it billed based on usage? Are we really talking about a 128 kb ISDN line?

> Should iproute2 address such a solution?

IPRoute2 is not *the* solution despite it most likely being *part* of the solution. IPRoute2 is a tool, just like IPTables is a tool. IPRoute2 allows you to alter how the Linux box routes packets, it is up to you to tell the Linux box how to route.

> I asked about it on the openvpn-users list; one person answered that he uses the linux eql driver to form a logical connection and a little bit of scripting to continuously monitor the tunnels and add or remove them from the bundle if needed.

I don't think you will want to use the eql driver. To my knowledge, the eql driver will want to try to equally use both links at the same time, whereas you have indicated that you want an active/passive, not active/active, solution. Or, if you are not billed based on usage on the 128 kb connection, would you like to use it as additional bandwidth in an active/active solution?

> As a comparison, as far as I know, the Cisco solution uses IPSLA as the monitoring scheme and, on the box that starts the vpn tunnel, a list of 2 vpn servers to reach (one master and one backup), to address such a failover environment.

> I will appreciate any suggestions!

I think you are indeed talking about having two VPNs from each branch office to the central office. If you can have both VPNs up at the same time (local_ext_ip_1 <-> remote_ext_ip_1 and local_ext_ip_2 <-> remote_ext_ip_2) and you can route through either of them, you should be able to use a routing protocol for each end to be able to advertise to the other end what routes it has. If you use the proper routing protocol it will monitor the routes for you (by looking for route advertisements and / or hellos). Thus if the monitoring indicates that the path is down, the routing protocol will remove the routes that were known via that path.

I have successfully used OSPF on Cisco routers to do this with two SDSL lines. Other than a delay in changes when one line went down or up, things worked out very well.

Grant. . . .
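The scripted alternative Daniel asked about (iproute2 plus ICMP monitoring of the end-to-end path, rather than a routing protocol) looks roughly like the following. This is an added example, not code from the thread or from either poster: it pings the HQ concentrator through the primary WAN router, moves the default route to the backup router after a few consecutive misses, and moves back only after a longer run of hits, so a single lost packet does not flap the route. All interface names, gateway addresses, the probe target, thresholds and table numbers are assumed placeholders (RFC 5737 documentation addresses), and it assumes iputils `ping` and an iproute2 that understands `ip rule ... oif`.

```shell
#!/bin/sh
# Added example: end-to-end path monitor that flips the default route between
# two WAN routers on a branch Linux box. Not code from the mailing-list thread.
# Every address, interface name and threshold below is an assumed placeholder.

PRIMARY_IF=${PRIMARY_IF:-eth0}              # assumed: interface towards the DSL router
PRIMARY_GW=${PRIMARY_GW:-192.0.2.1}         # assumed: DSL router (TEST-NET-1)
BACKUP_IF=${BACKUP_IF:-eth1}                # assumed: interface towards the 128 kb router
BACKUP_GW=${BACKUP_GW:-198.51.100.1}        # assumed: backup router (TEST-NET-2)
PROBE_TARGET=${PROBE_TARGET:-203.0.113.10}  # assumed: HQ concentrator (TEST-NET-3)
FAIL_THRESHOLD=${FAIL_THRESHOLD:-3}         # consecutive misses before primary is "down"
RECOVER_THRESHOLD=${RECOVER_THRESHOLD:-5}   # consecutive hits before switching back
INTERVAL=${INTERVAL:-10}                    # seconds between probes
DRY_RUN=${DRY_RUN:-0}                       # 1 = print ip commands instead of running them

log() { echo "wan-failover: $*" >&2; }

run_ip() {
  if [ "$DRY_RUN" = 1 ]; then echo "ip $*"; else ip "$@"; fi
}

# Arguments of the default route for the named path ("primary" or "backup").
gateway_route_args() {
  case "$1" in
    primary) echo "default via $PRIMARY_GW dev $PRIMARY_IF" ;;
    backup)  echo "default via $BACKUP_GW dev $BACKUP_IF" ;;
    *)       log "unknown path: $1"; return 1 ;;
  esac
}

# Pure decision function: decide_gateway CURRENT PRIMARY_MISSES PRIMARY_HITS
# prints the path that should carry the default route. The two thresholds
# give hysteresis so the route does not flap on a single lost or stray reply.
decide_gateway() {
  cur=$1; m=$2; h=$3
  if [ "$cur" = primary ] && [ "$m" -ge "$FAIL_THRESHOLD" ]; then
    echo backup
  elif [ "$cur" = backup ] && [ "$h" -ge "$RECOVER_THRESHOLD" ]; then
    echo primary
  else
    echo "$cur"
  fi
}

# Per-interface routing tables so a probe bound to an interface is forced out
# that interface even while the main table's default route points the other way.
install_probe_tables() {
  run_ip route replace default via "$PRIMARY_GW" dev "$PRIMARY_IF" table 101
  run_ip route replace default via "$BACKUP_GW" dev "$BACKUP_IF" table 102
  run_ip rule add oif "$PRIMARY_IF" lookup 101 2>/dev/null || true
  run_ip rule add oif "$BACKUP_IF" lookup 102 2>/dev/null || true
}

# probe_path IFACE: one ping to the HQ concentrator bound to IFACE. Testing the
# far end (not link state) catches a dead DSL line behind a modem whose
# Ethernet side is still up, the case Grant describes above.
probe_path() {
  ping -c 1 -W 2 -I "$1" "$PROBE_TARGET" >/dev/null 2>&1
}

apply_gateway() {
  # shellcheck disable=SC2046  (word splitting of the route arguments is intended)
  run_ip route replace $(gateway_route_args "$1")
}

monitor_loop() {
  current=primary; misses=0; hits=0
  install_probe_tables
  apply_gateway "$current"
  while :; do
    if probe_path "$PRIMARY_IF"; then misses=0; hits=$((hits + 1))
    else hits=0; misses=$((misses + 1)); fi
    wanted=$(decide_gateway "$current" "$misses" "$hits")
    if [ "$wanted" != "$current" ]; then
      log "primary path misses=$misses hits=$hits; switching default route to $wanted"
      apply_gateway "$wanted"; current=$wanted; misses=0; hits=0
    fi
    sleep "$INTERVAL"
  done
}

# Start the loop only when invoked as "wan-failover.sh run" (needs root for ip).
if [ "${1:-}" = run ]; then monitor_loop; fi
```

Run it with `DRY_RUN=1 sh wan-failover.sh run` first to see the `ip` commands it would issue. Because the probe only ever goes out the primary interface, the backup path is not itself verified before the switch; a production version would probe both paths and stay put when neither answers, and it should log every transition so an unexpected flip shows up in the branch's logs rather than as an unexplained change in VPN peer address at HQ.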
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html