[Openswan Users] Backup routing

Greg Scott GregScott at InfraSupportEtc.com
Wed Apr 30 23:56:41 EDT 2008


> When the primary telco route goes down, do this:
>  ipsec auto --add my-connection
>  ipsec auto --up my-connection
>
> Keep monitoring, and when the primary route comes back alive, do this:
>  ipsec auto --delete my-connection
>  ip route add (telco route)

Aw nuts, this won't work.  I can set this up on the left side and it
behaves exactly as planned - but the right side still thinks the tunnel
is up and running.  So the right side will keep trying to route through
the tunnel, even though the left side got rid of it.  

I suppose the right side could monitor the left, just like each branch
on the left is monitoring the right.  But then the right side will need
to know the topology out to every single branch site.  It gets worse
because this is an MPLS network, so the backup router on the right side
will need routes through the MPLS cloud to poll the primary router on
the left side.  This would require a zillion special routes.  

Another way to do it would be to have some kind of interprocess
communication, with a script on the left side communicating with a
daemon on the right side.  Then each side could coordinate starting and
stopping the tunnels.  

But yuck - what a can of worms!

Now I see why the suggestion was to use GRE over IPSEC.  Looking at page
250 of "Building and Integrating Virtual Private Networks with
Openswan", it looks straightforward enough to set up a GRE over IPSEC
tunnel.  

But here is the problem with GRE over IPSEC.  

I do these commands on both sides and, poof, now I have a GRE tunnel.
Great!  But I also have a primary path using the primary routers already
in place.  Somehow, both left and right need to know when the primary
path is down so they can set the route via the backup path.  But now the
tricky part - both left and right need to know when the primary path
comes back, so they can give up the tunnel route.  The only way I can
think of to do this is, poll the outside of the primary router on each
side.  So now we're back to knowing a bunch of topology again.  

What about a routing protocol such as OSPF or BGP?  The Openswan book
mentions this - but the problems here are, (1) I don't have much control
over the primary routers so setting a routing protocol on them is not
really an option, and (2) I don't know enough about implementing OSPF
and/or BGP yet and I have a limited time to get something up and
running.

So it's time for plan B.  I'm going to use OpenVPN for the backup
routing.  OpenVPN just seems more suited for this kind of routing.  I
can trigger everything I need from the left side without putting
together anything sophisticated on the right side.

- Greg
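As an added example (not code from the post or from Openswan), here is the one-sided route-flipping monitor that the GRE-over-IPsec discussion above calls for: the GRE tunnel stays up permanently on both ends, and each side runs this script against its own primary router, failing the route for the remote subnet over to the tunnel after a few lost probes and back to the telco next hop only after a longer run of good ones. The interface, subnet, next-hop and probe addresses are placeholders, and DRY_RUN defaults to printing the ip(8) commands rather than executing them.

```shell
#!/bin/sh
# Added example: one-sided route failover for a permanently-up GRE-over-IPsec
# tunnel.  All names below are assumptions, not from the post:
#   REMOTE_NET  - subnet on the far side, reachable over either path
#   TELCO_GW    - next hop of the primary (telco/MPLS) path
#   GRE_IF      - GRE interface carried inside the IPsec tunnel
#   PROBE_ADDR  - address that is only reachable over the primary path
REMOTE_NET=${REMOTE_NET:-10.20.0.0/16}
TELCO_GW=${TELCO_GW:-192.0.2.1}
GRE_IF=${GRE_IF:-gre1}
PROBE_ADDR=${PROBE_ADDR:-192.0.2.2}
FAIL_THRESHOLD=${FAIL_THRESHOLD:-3}   # lost probes in a row before failing over
OK_THRESHOLD=${OK_THRESHOLD:-10}      # good probes in a row before failing back
DRY_RUN=${DRY_RUN:-1}                 # 1 = print route commands instead of running
INTERVAL=${INTERVAL:-5}               # seconds between probes

# One ICMP probe over the primary path; exit 0 on reply, non-zero on loss.
probe_primary() {
    ping -c 1 -W 2 "$PROBE_ADDR" >/dev/null 2>&1
}

# Pure decision function (no network) so the hysteresis can be tested.
# Usage: decide_state <current_state> <consecutive_fails> <consecutive_oks>
# Prints the next state: "primary" or "backup".
decide_state() {
    cur=$1; nfail=$2; nok=$3
    case $cur in
        primary)
            if [ "$nfail" -ge "$FAIL_THRESHOLD" ]; then echo backup; else echo primary; fi ;;
        backup)
            if [ "$nok" -ge "$OK_THRESHOLD" ]; then echo primary; else echo backup; fi ;;
        *)  echo primary ;;
    esac
}

# The ip(8) command that installs the route for a given state.  "replace"
# is used so the same command works whether or not a route already exists.
route_cmd() {
    case $1 in
        backup)  echo "ip route replace $REMOTE_NET dev $GRE_IF" ;;
        primary) echo "ip route replace $REMOTE_NET via $TELCO_GW" ;;
    esac
}

run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else eval "$@"; fi
}

# Main loop: probe, count consecutive results, flip the route only on a
# state change, and reset the counters so a flap cannot immediately bounce back.
monitor_loop() {
    state=primary; fails=0; oks=0
    while :; do
        if probe_primary; then oks=$((oks + 1)); fails=0
        else fails=$((fails + 1)); oks=0; fi
        next=$(decide_state "$state" "$fails" "$oks")
        if [ "$next" != "$state" ]; then
            logger -t failover "primary path: $state -> $next" 2>/dev/null
            run_cmd "$(route_cmd "$next")"
            state=$next; fails=0; oks=0
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when explicitly asked, so the file can be sourced for testing.
if [ "${RUN_MONITOR:-0}" = 1 ]; then monitor_loop; fi
```

The asymmetric thresholds are the point: fail over quickly, but fail back only after the primary path has been clean for a while, otherwise a flapping telco circuit makes the route bounce on every probe. Because the tunnel itself is never torn down, the far side never has to learn that this side changed its mind; it only has to run the same monitor against its own primary router, which is the "poll the outside of the primary router on each side" approach described above.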

