Hi,

On Wed, 27.05.2009 at 22:07:25 -0300, James Mackinnon wrote:
> I need to set up redundant VPNs between these locations without the use of
> BGP.

> I have used sasync, pfsync etc. in the past; however, I have not tried to set up
> a VPN where 2 ISPs are used without the ISPs being set up with BGP.  Because BGP
> convergence can take a bit of time, and the network in this case is not able
> to drop for 1 second, I need to determine what option is best.

I strongly doubt that you'll be able to keep the network up at all
times, because even CARP failover will take longer than one second.

> I have spoken with a Cisco guy today and they can do multilink VPNs on Cisco
> for this,

Did he actually tell you how they make sure that there'll be no
downtime of even one second? Was the explanation technically sound?
How about error conditions in the Internet, between your sites? 
FWIW, I've configured a semi-"multilink" VPN in the past (before the
"CARP age"), with this kind of setup:


LAN1 --- FW{1,2} --- Internet --- FW{3,4} --- LAN2

with

LAN1, FW1, FW2: my end

FW3, FW4, LAN2: other end (not accessible to me)
Manually switching between FW1 and FW2 usually took on the order of
8-15 seconds.
The other side switched between FW3 and FW4 at their leisure, w/o
telling anyone.

The idea for configuring this with isakmpd.conf was to have both peers
configured on both of your firewalls, and then add as many IPsec
connections as needed so that you cover all connection pairs.

That way, you can access LAN2 from LAN1 regardless of whether FW3 or FW4
is operational. In my setup, one of the tunnels simply vanished and the
other appeared if the other side switched their firewalls.

Now, if you can detect the conditions under which you want to fail
over to the other firewall (e.g. fiber cut), it should be easy to
cook up a script and fire it on such an event.


But you won't get away without any downtime, and if you find out how to
do this on the IP level, I'm interested to hear about it.

I strongly suspect that if you really want to force less than 1 second
of downtime even in the case of an error, then you need to swap IP for a
real high-reliability type of connection like telcos use in their long
hauls (e.g. SDH).

But if you can weed out duplicate packets, you might be able to create
some magic with bridging and move all packets over both links all the
time, dropping one half at the receiving end(s). But this is only a
shot in the dark; I don't know how to do this.

I'm curious about what kind of application you have that does not
tolerate 1 second of downtime.

If someone has an idea about how to configure this with ipsec.conf, I'm
eager to hear.


Kind regards,
--Toni++
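The "all connection pairs" layout Toni describes above, written out as an isakmpd.conf for FW1: both remote peers (FW3 and FW4) get a Phase 1 section, and there is one Phase 2 connection per peer, both carrying the same LAN1-to-LAN2 selectors. This is an added illustration, not Toni's actual configuration. All addresses (documentation ranges), the LAN networks, the pre-shared key and the section names are assumptions; the transform and suite names (AES-SHA, QM-ESP-AES-SHA-PFS-SUITE) are taken from isakmpd's built-in defaults and should be checked against isakmpd.conf(5) on your release.

```ini
# isakmpd.conf for FW1 (added example following the layout described in the
# mail above; FW2 gets the same file with its own Listen-on/Local-address).
# Every address, network and the PSK below are made-up assumptions.
[General]
Listen-on=              203.0.113.1
Retransmits=            5
Exchange-max-time=      120

# Phase 1: map each remote peer's address to its ISAKMP peer section,
# so FW1 accepts and initiates to both FW3 and FW4.
[Phase 1]
198.51.100.1=           ISAKMP-peer-FW3
198.51.100.2=           ISAKMP-peer-FW4

# Phase 2: one IPsec connection per peer; this covers the pairs
# FW1-FW3 and FW1-FW4 (FW2 covers FW2-FW3 and FW2-FW4 the same way).
[Phase 2]
Connections=            IPsec-FW1-FW3,IPsec-FW1-FW4

[ISAKMP-peer-FW3]
Phase=                  1
Transport=              udp
Local-address=          203.0.113.1
Address=                198.51.100.1
Configuration=          Default-main-mode
Authentication=         mekmitasdigoat    # placeholder PSK, assumption

[ISAKMP-peer-FW4]
Phase=                  1
Transport=              udp
Local-address=          203.0.113.1
Address=                198.51.100.2
Configuration=          Default-main-mode
Authentication=         mekmitasdigoat    # placeholder PSK, assumption

# Both Phase 2 connections use identical Local-ID/Remote-ID; only the
# ISAKMP peer differs.
[IPsec-FW1-FW3]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-FW3
Configuration=          Default-quick-mode
Local-ID=               Net-LAN1
Remote-ID=              Net-LAN2

[IPsec-FW1-FW4]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-FW4
Configuration=          Default-quick-mode
Local-ID=               Net-LAN1
Remote-ID=              Net-LAN2

[Net-LAN1]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0

[Net-LAN2]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.2.0
Netmask=                255.255.255.0

# Transform/suite names are isakmpd's built-in defaults; verify them in
# isakmpd.conf(5) for the release you run.
[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE
```

Two things to check before relying on this. First, the two Phase 2 connections install flows for the same LAN1/LAN2 selectors towards different peers; Toni's report that the tunnel to the inactive peer "simply vanished and the other appeared" is the behaviour you want, but confirm on your release (with ipsecctl -s all) that the kernel actually keeps only the flows of the live SA rather than rejecting the second set. Second, this only removes the remote side's firewall switch as a failure; switching between FW1 and FW2 on your own side still needs the event-driven script Toni mentions, and Toni's open question about expressing the same layout in ipsec.conf remains open here as well.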
