On 2009-05-29, Toni Mueller <[email protected]> wrote:
> On Wed, 27.05.2009 at 22:07:25 -0300, James Mackinnon
> <[email protected]> wrote:
>> I need to set up redundant VPNs between these locations without the use of
>> BGP.
>
>> I have used sasync in the past, pfsync etc.; however, I have not tried to set up
>> a VPN where 2 ISPs are used without the ISPs set up with BGP. Because BGP
>> convergence can take a bit of time, and the network in this case not being
>> able to drop for 1 second, I need to determine what option is best.
>
> I heavily doubt that you'll be able to keep the network up at all
> times because even CARP failover will take longer than one second.
OSPF over gre's or gif's (which can then themselves be protected by IPsec) is
probably the fastest option at present on OpenBSD. You're restricted to the
lowest value you can set router-dead-time to; with very aggressive timers
(which are likely to cause problems with false drops) that's 2 seconds. 3-4
seconds (with hellos at a second) is more realistic for fast recovery over
ethernet or some good quality pseudowire circuit.

Not sure exactly what you mean by "VPN" as it's not a well-defined term, but
you should look at that carefully. E.g. rekeying can be a little on the slow
side; you want to avoid this happening on both connections at the same time.

> I strongly suspect that if you really want to force less than 1 second
> of downtime even in the case of error, then you need to swap IP for a
> real high-reliability type of connection like telcos use in their long
> hauls (eg. SDH).

BFD can be quite quick.

In some parts of the world these better types of connection are simply not
available. If you're used to what's available in Europe (1Gb ethernet-presented
private circuit over about 15 miles for GBP21K/year?) you will find the
situation in some places absolutely unbelievable.
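As an added illustration of the setup described in the reply above (OSPF over gre tunnels, each tunnel carried inside IPsec, one tunnel per ISP), here is a configuration sketch for one of the two OpenBSD routers. It is not part of the original thread. All addresses are from the RFC 5737 documentation ranges, the interface names, router-id, metrics and pre-shared keys are made up, and the staggered quick-mode lifetimes are one way of keeping the two tunnels from rekeying at the same moment; the exact keywords accepted by your release's ospfd.conf(5) and ipsec.conf(5) should be checked before use.

```conf
# /etc/sysctl.conf
# gre(4) was disabled by default on releases of that era; enable it.
net.inet.gre.allow=1

# /etc/hostname.gre0  -- tunnel over ISP A
# outer endpoints: local 192.0.2.1 (ISP A), remote 198.51.100.1 (peer via ISP A)
tunnel 192.0.2.1 198.51.100.1
# inner point-to-point /30; OSPF hellos run over this
inet 10.255.0.1 255.255.255.252 10.255.0.2
# leave room for GRE + ESP overhead so inner packets are not fragmented
mtu 1400
up

# /etc/hostname.gre1  -- tunnel over ISP B
tunnel 203.0.113.1 198.51.100.77
inet 10.255.0.5 255.255.255.252 10.255.0.6
mtu 1400
up

# /etc/ipsec.conf
# Protect the GRE packets themselves (transport mode, proto gre) on each ISP path.
# Quick-mode lifetimes deliberately differ (20m vs 25m) so the two SAs do not
# rekey simultaneously; 'lifetime' placement follows ipsec.conf(5) of recent
# releases and is an assumption for older ones.
ike esp transport proto gre from 192.0.2.1 to 198.51.100.1 quick lifetime 20m psk example-psk-isp-a
ike esp transport proto gre from 203.0.113.1 to 198.51.100.77 quick lifetime 25m psk example-psk-isp-b

# /etc/ospfd.conf
# Aggressive but not minimal timers, per the reply: hellos every second,
# neighbour declared dead after 3 missed hellos. 2s is the floor mentioned
# in the thread and is more prone to false drops.
router-id 10.255.255.1
redistribute connected

area 0.0.0.0 {
	# preferred path: lower metric
	interface gre0 {
		hello-interval 1
		router-dead-time 3
		metric 10
	}
	# backup path: higher metric, so traffic moves here only when gre0's
	# neighbour times out
	interface gre1 {
		hello-interval 1
		router-dead-time 3
		metric 20
	}
	# LAN side: advertise the prefix but do not look for neighbours there
	interface em2 {
		passive
	}
}

# Checks, run on either router after bringing the tunnels up:
#   ospfd -n                 syntax-check ospfd.conf
#   ipsecctl -s all          both gre flows and their SAs should be present
#   ospfctl show interface   gre0/gre1 should show hello 1 / dead 3
#   ospfctl show neighbor    both neighbours FULL; pull one ISP link and watch
#                            how long the route flips (expect ~dead-time)
```

The peer router mirrors this with the tunnel endpoints swapped and the same timers on both ends; mismatched hello-interval or router-dead-time values prevent OSPF adjacency from forming at all, which is worth remembering when tuning one side at a time.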

