On 2012-12-15, Henry Stilmack <[email protected]> wrote:

> On 12/14/2012 03:27 PM, Beto wrote:
>> Hi, SiteB and SiteC have OpenBSD firewalls?
>>
>> The VPN is firewall to firewall; the management of the network is only route add
>> xxx xx
>>
> I'm not sure what SiteB and SiteC are running - I think either Juniper
> or Cisco somethings.
>
> What works for now is to bring up only one of the tunnels and set up
> flows for each of the remote subnets through it. We'd like to be able to
> do this dynamically, but if we bring up both tunnels, how can we set the
> routing priorities for the flows?
OpenBSD IPsec uses a flow database which doesn't support multiple priorities. (OpenBSD doesn't support interface-based IPsec as some router vendors do, only flow-based.)

What should work would be to use a standard tunnel interface for your actual LAN-to-LAN tunnel, e.g. gre(4). In this case you would only set up IPsec to protect the GRE packets between the endpoints (IPsec would have no knowledge of the LAN subnets). Then you can use either a dynamic routing protocol, e.g. OSPF, or you can use multiple route table entries with different priorities.

OpenBSD 4.8 added support for the Cisco-style loopback method of doing GRE keepalives, which is likely to be simpler than a full dynamic routing protocol: if the primary tunnel fails, keepalives stop being returned; after a timeout this brings down the interface and thus invalidates the associated route, allowing the lower-priority backup route to be used instead.
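The layout described in the reply above, written out as the OpenBSD configuration files it implies: two gre(4) tunnels (primary to SiteB, backup to SiteC), IPsec in transport mode protecting only the GRE packets between the endpoints, keepalives on each tunnel, and the same remote subnet routed at two different priorities so the backup route only becomes active when the primary interface goes down. This is an added example, not configuration posted in the thread; every address, subnet, PSK and the `render_configs` helper are constructed placeholders, and the script only writes the files under the directory you pass it (`/` on the firewall, a scratch directory to inspect first).

```shell
#!/bin/sh
# Added example (not from the thread): render the OpenBSD config files for a
# primary GRE-over-IPsec tunnel to SiteB and a backup tunnel to SiteC, with
# static routes to the remote LAN at two priorities.
# All addresses, subnets and PSKs below are constructed placeholders.

LOCAL_WAN=192.0.2.1       # this firewall's public address
SITEB_WAN=198.51.100.1    # primary peer (SiteB)
SITEC_WAN=203.0.113.1     # backup peer (SiteC)
REMOTE_LAN=10.20.0.0/16   # remote subnet reachable via either peer

# Write hostname.gre0, hostname.gre1, ipsec.conf and sysctl.conf under "$1/etc".
render_configs() {
    dir=$1
    mkdir -p "$dir/etc"

    # Primary tunnel. "keepalive PERIOD COUNT" makes gre(4) send a keepalive
    # every 10s and mark the interface down after 3 go unanswered. The !route
    # line installs the primary route at priority 8 (the static-route default);
    # when gre0 goes down the kernel invalidates this route.
    cat > "$dir/etc/hostname.gre0" <<EOF
tunnel $LOCAL_WAN $SITEB_WAN
inet 10.255.0.1 255.255.255.252 10.255.0.2
keepalive 10 3
up
!route add -priority 8 $REMOTE_LAN 10.255.0.2
EOF

    # Backup tunnel. Same remote subnet, but at priority 16 (higher number =
    # lower preference), so it is only used while the priority-8 route is invalid.
    cat > "$dir/etc/hostname.gre1" <<EOF
tunnel $LOCAL_WAN $SITEC_WAN
inet 10.255.0.5 255.255.255.252 10.255.0.6
keepalive 10 3
up
!route add -priority 16 $REMOTE_LAN 10.255.0.6
EOF

    # IPsec protects only the GRE packets between the endpoints; the flows never
    # mention the LAN subnets, so the flow database needs no priorities at all.
    cat > "$dir/etc/ipsec.conf" <<EOF
ike esp transport proto gre from $LOCAL_WAN to $SITEB_WAN psk "PLACEHOLDER-PSK-SITEB"
ike esp transport proto gre from $LOCAL_WAN to $SITEC_WAN psk "PLACEHOLDER-PSK-SITEC"
EOF

    # gre(4) is disabled by default; forwarding is needed for a LAN-to-LAN router.
    cat > "$dir/etc/sysctl.conf" <<EOF
net.inet.gre.allow=1
net.inet.ip.forwarding=1
EOF
}

# Render into the directory given on the command line; with no argument only
# the function is defined (so the script is safe to source or test).
if [ $# -ge 1 ]; then
    render_configs "$1"
fi
```

Run it as `sh render.sh /tmp/fwcfg` and inspect the four files before copying them to the firewall; after `sh /etc/netstart gre0 gre1` and `ipsecctl -f /etc/ipsec.conf` (with `ipsec=YES` in rc.conf.local), `route -n show -inet` should list both routes for 10.20.0.0/16, with the priority-8 one marked active. The other site's router must answer GRE keepalives for the failover to trigger; if it does not, the interface stays up and the backup route is never used.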

