On 2011-03-01, Claer <cl...@claer.hammock.fr> wrote: > On Tue, Mar 01 2011 at 30:03, Steve wrote: > >> Hi all, >> >> We have a high speed Internet link at a primary site that has had some >> stability issues. We would like to set up an adsl link as a backup to >> maintain >> the ipsec tunnels to the secondary sites if we have further issues. >> >> Currently clients at site B talk to servers at site A through Tunnel A. If >> tunnel A breaks we need them to talk through tunnel B. I was going to run >> multiple ipsec.conf files at the secondary sites and in the event of failure >> log in and tear down the tunnel A and fire up tunnel B.
I'd generally recommend trying to keep the ipsec config as straightforward as possible... > You setup permanently tunnels A and B, > you add gif over both tunnels, > then you run ospf on to of gif on both end points, assigning different weights > for the links. Yes this should work fine. Another option is to use gre(4) which (as of OpenBSD 4.8) supports keepalives directly, and add routes of different priorities over the primary and backup tunnel interfaces. There are advantages and disadvantages to both methods.
