On 12/14/2012 03:34 PM, Beto wrote:
> I understand a little more. Do SiteC and SiteB handle the same firewall, or
> are they separate firewalls?
>
No, they are at two completely different locations, but both feed into
the same internal network(s)
              /SiteB\
SiteA--------/       \-----Protected subnets
             \       /
              \SiteC/
>
> 2012/12/14 Henry Stilmack <[email protected]>
>
>> On 12/14/2012 03:27 PM, Beto wrote:
>>> Hi, do SiteB and SiteC have an OpenBSD firewall?
>>>
>>> The VPN is firewall to firewall; the management of the network is only
>>> route add xxx xx
>>>
>>>
>> I'm not sure what SiteB and SiteC are running - I think either Juniper
>> or Cisco somethings.
>>
>> What works for now is to bring up only one of the tunnels and set up
>> flows for each of the remote subnets through it. We'd like to be able to
>> do this dynamically, but if we bring up both tunnels, how can we set the
>> routing priorities for the flows?
>>
>> Thanks
>>
>>
>>>
>>>
>>> 2012/12/14 Henry Stilmack <[email protected]>
>>>
>>>> Running OpenBSD 4.5 (I know, I should upgrade it), with isakmpd and ipsec.
>>>>
>>>> Here's what I want to do:
>>>>
>>>>          |----------|==================SiteB)
>>>> SiteA ---| Firewall |   VPN Tunnels         )---multiple subnets
>>>>          |----------|==================SiteC)
>>>>
>>>> In words:
>>>>
>>>> I have a site in the US with an OpenBSD 4.5 firewall. It has one
>>>> connection to the Internet via a University LAN. We have set up IPsec
>>>> tunnels to 2 UK sites, which each act as VPN gateways to multiple
>>>> subnets. We want to have failover between the tunnels, but we want the
>>>> primary routes for the subnets to be configured through the "closest"
>>>> gateway.
>>>>
>>>> I've seen lots of discussion on how to do failover if you have multiple
>>>> external connections, but basically we are trying to set up failover if
>>>> one of the remote endpoints goes down, and to route the subnets on the
>>>> remote end dynamically.
>>>>
>>>> Is this even possible?
>>>>
>>>> --
>>>> Henry Stilmack <[email protected]> Systems Administrator
>>>> UK/Canada/Netherlands Joint Astronomy Centre Tel: +1 808-969-6530
>>>> 660 N. A'ohoku Place, Hilo, HI 96720 Fax: +1 808-961-6516
>>>> GPG key: ID=70E73E16 Signature=133F14E79A8AE9858F38 3BA8BF2D914A70E73E16