[Openswan Users] Redundant routing

Paul Wouters paul at xelerance.com
Mon Jun 29 00:56:28 EDT 2009


On Mon, 29 Jun 2009, Anthony wrote:

> Now I've been given some suggestions on link failover/uniqueids etc. etc., I have another issue.
> 
> Site 1 has VPN tunnels between itself and Sites 2 and 3 as do the other sites with one another..
> 
> Site 1 fails over to NAT'd link.. reinitiates tunnels..
> Site 2 fails over to NAT'd link.. attempts to reinitiate tunnels..
> Sites 1 and 2 have no direct visibility of one another anymore.. Site 1 may not even know Site 2 has failed over
> yet if it's within rekeying time..
> Site 3 still has a public IP and Sites 1 and 2 have tunnels open to it..
> 
> Can Site 3 act as a router to pass packets bound for Site 2's range from Site 1's range?
> 
> Ie. No one site is designated "more reliable" than another..

You can, but you can only bring up the tunnels for the crashed site when it
is down, because otherwise the ipsec stack has two policies to send a packet
to two different destinations, and it does not know which one to use. There
is no "metric" like with routing.

So in such a case, running GRE over ipsec with a routing protocol (e.g. OSPF)
might be better.

Paul
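
The ambiguity described in the reply above can be checked for before a backup tunnel is loaded. The following is an added example, not part of the original post or of Openswan: a small Python check that reads ipsec.conf-style `conn` sections and reports pairs that select the same subnets but point at different peers. The conn names, addresses and sample configuration are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample for Site 1 (conn names and addresses are made up).
SAMPLE_CONF = """\
conn site1-site2
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.2
    rightsubnet=10.2.0.0/16
conn site1-site3
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=203.0.113.3
    rightsubnet=10.3.0.0/16
conn site1-site2-via-site3
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=203.0.113.3
    rightsubnet=10.2.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def ambiguous_policies(text):
    """Pairs of conns whose subnets overlap but whose remote peers differ."""
    def net(conn, key):
        return ipaddress.ip_network(conn[key], strict=False)
    tunnels = {n: c for n, c in parse_conns(text).items()
               if {"leftsubnet", "rightsubnet", "right"} <= c.keys()}
    return [(a, b) for (a, ca), (b, cb) in combinations(tunnels.items(), 2)
            if ca["right"] != cb["right"]
            and net(ca, "leftsubnet").overlaps(net(cb, "leftsubnet"))
            and net(ca, "rightsubnet").overlaps(net(cb, "rightsubnet"))]

if __name__ == "__main__":
    for a, b in ambiguous_policies(SAMPLE_CONF):
        print(f"{a} and {b} select the same traffic but point at different peers")
```

A reported pair means only one of the two conns should be up at a time, which is the constraint the reply describes.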

