On Tue, Sep 20 2011 at 24:18, Dora Pa wrote:
> Hi list,
Hi,

> Recently I have installed OpenBSD routers at our six locations.
> All of these boxes have two internet connections from two different
> ISPs and are connected via IPsec with each other.
> Currently I'm using one of the two internet uplinks as the
> endpoint for the VPN. This has the disadvantage that the VPN
> goes down if the internet connection of the IPsec uplink fails. Is
> there a way to fail over to the second internet link or, even better,
> use both ISP uplinks as a tunnel endpoint?
> 
> I've thought about creating a tunnel from both internet uplinks to each
> uplink, but this generates a lot of tunnels and I'm not sure if this is
> the best way to do this.
> 
> Is there any advice / best practice on how to establish an IPsec tunnel
> failover over two different ISP connections?
Here we use gif+ospf over IPsec to manage failover. It's working well 
for us. For the redundancy part, the rule we follow is to not think 
about double breakdown scenarios. We manage to survive only one failed link
at a time. Monitoring + solving the problem should be OK before another link
fails. This way, the complexity on the central site is only 2 tunnels 
per site and not 4.


Claer
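
A sketch of the gif + OSPF over IPsec layout described in the reply above, for one branch router. This is an added example, not configuration from the original poster or from Claer. All addresses, the pre-shared keys, the interface name em1 and the pairing of branch uplink A with central uplink A (and B with B) are assumptions.

```conf
# Constructed example; addresses come from the documentation ranges.
# Assumed layout:
#   branch uplink A 192.0.2.10    (gw 192.0.2.1)    <-> central uplink A 203.0.113.1
#   branch uplink B 198.51.100.10 (gw 198.51.100.1) <-> central uplink B 203.0.113.129

# --- interface setup, run as root ---
# One gif tunnel per uplink pair, each with its own point-to-point addresses:
#   ifconfig gif0 tunnel 192.0.2.10 203.0.113.1
#   ifconfig gif0 inet 10.255.0.2 10.255.0.1 netmask 255.255.255.255
#   ifconfig gif1 tunnel 198.51.100.10 203.0.113.129
#   ifconfig gif1 inet 10.255.1.2 10.255.1.1 netmask 255.255.255.255
# Pin each central endpoint to the matching uplink so that tunnel B never
# leaves through ISP A (otherwise one ISP outage takes down both tunnels):
#   route add -host 203.0.113.1   192.0.2.1
#   route add -host 203.0.113.129 198.51.100.1

# --- /etc/ipsec.conf ---
# Transport mode: ESP protects only the gif (IP-in-IP, protocol 4) packets
# exchanged between the public endpoints. Keys are placeholders.
ike esp transport proto ipencap from 192.0.2.10 to 203.0.113.1 \
	psk "REPLACE_WITH_SECRET_A"
ike esp transport proto ipencap from 198.51.100.10 to 203.0.113.129 \
	psk "REPLACE_WITH_SECRET_B"

# --- /etc/ospfd.conf ---
# OSPF runs only inside the tunnels. When an uplink or its SA dies, hellos
# stop on that gif, the adjacency times out and routes move to the other one.
router-id 10.255.0.2
area 0.0.0.0 {
	interface gif0 { metric 10 }	# preferred path via ISP A
	interface gif1 { metric 20 }	# backup path via ISP B
	interface em1 { passive }	# branch LAN: advertised, no neighbors
}
```

The central site mirrors this with one gif interface and one ipsec.conf rule per branch uplink, which gives the two tunnels per site mentioned in the reply. Failover time is bounded by the OSPF dead interval on the gif interfaces.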