[Openswan Users] Backup routing

Greg Scott GregScott at InfraSupportEtc.com
Tue Apr 29 13:57:47 EDT 2008 

> NETKEY grabs the packets before they get to be routed.

Yes!  That rings a bell.  That must have been why I ran into trouble
several months ago when I tried this.  Netkey grabbed the packets first,
so everything went thru the tunnel and not the T1.  It wasn't worth the
trouble to dig deeper at the time, but now I need to put something
together.  

My biggest beef with doing GRE over IPSEC is, it's yet another envelope
and I already run into MTU issues sometimes.  

I could poll the telco route and if the telco route is down, then fire
up the tunnel.  But if I start the tunnel from left --> right, then I
also need to tell the right side to start the tunnel from right--> left,
so that seems like a hassle - or do I?  I was never clear on this - if I
start a tunnel on the left side from left-->right, it it necessary to
also start a tunnel on the right side from right-->left?  I've just
always started the tunnels on both sides, but now with "dynamic"
tunnels, maybe this isn't necessary.  

I was also thinking about doing this one with OpenVPN.  

- Greg


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Benny Amorsen
Sent: Tuesday, April 29, 2008 7:36 AM
To: users at lists.openswan.org
Subject: Re: [Openswan Users] Backup routing

"Greg Scott" <GregScott at InfraSupportEtc.com> writes:

> I suppose I could just poll that telco router and maybe its partner 
> router on the other side, and if neither one answer, get rid of the 
> route and bring up the tunnel.

The easiest solution is to run GRE over the IPSEC tunnel and use your
favourite dynamic routing protocol.

Some vendors (Netscreen among others) are able to negotiate a 0.0.0.0/0
=> 0.0.0.0/0 tunnel and run routing protocols over that.
This is AFAIK not described in any RFC's, and it seems impossible to
achieve with NETKEY at least. NETKEY grabs the packets before they get
to be routed. KLIPS can possibly do it, but I haven't tried.


/Benny


_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list