It's been a long time but this is finally resolved. The approach which turned out to be most reasonable for us was client-server. One site has two servers of which only one is active at a time (this is being handled by scripts associated with keepalived - that's a complex issue but can be made to work); each server has the same ccd files for both clients, containing unique IP addresses and common iroute statements for the subnets behind the clients. The other site has two clients of which only one will be active at a time. Both clients have both servers configured. This allows us to have either system at either end up and have a functioning point-to-point equivalent. I'm replying mainly to provide my experience to anyone else who faces the same issue. Thanks for everyone's input.
-----Original Message-----
From: Jan Just Keijser <[email protected]>
To: Leroy Tennison <[email protected]>; openvpn-users <[email protected]>
Sent: Mon, Nov 12, 2018 4:43 am
Subject: Re: [Openvpn-users] "Point to point" vpn fail over configuration

Hi,

On 09/11/18 23:05, Leroy Tennison wrote:
> I need to set up a "point to point" VPN between two sites. I use the term "point to point" loosely since the endpoint systems on each end aren't really a system but a fail over pair of systems. We had a true point-to-point connection but then set up a fail over pair of servers at "Site 1". When we failed over we couldn't get "Site 2" to reconnect. Our first obvious mistake was that we didn't have an additional 'remote...' statement in the Site 2 configuration. We added that (one "remote..." for each Site 1 Internet address) and restarted openvpn. It reconnected. However, we then "failed back" at Site 1 and Site 2 did not reconnect; our experience is that Site 2 only reconnected if we restarted the Site 2 openvpn. It occurred to me later that possibly point-to-point configurations couldn't have more than one "remote..." statement but I don't know if that is true.

your site 2 config is missing a

    keepalive 10 60

statement (or 10 120), while site 1 does have it. In client/server mode, the server pushes these keepalive settings to its client automatically, but in point-to-point mode nothing is pushed or pulled.

> The next phase of this project is to set up fail over systems at Site 1 so things are only going to get more complicated. I've listed the "sanitized" (changed IP addresses) configurations for Site 1 and Site 2 below for reference. I'm open to almost any suggestion. Thanks for the help.

If you set up failover using multiple remote statements on both ends then there is the chance of a deadlock: site 2.a is trying to connect to site 1.a but site 1.a is down; in the mean time site 1.b is trying to connect to site 2.b which is also down. Site 2 then fails over to site 1.b but site 1 fails over to site 2.a, etc.

Depending on the cost of your (internet) connections I'd use failover differently: if you have 2 servers at site 1 (1a + 1b) and 2 servers at site 2 (2a + 2b) I'd set up 4 continuous connections:

    site 1a to site 2a
    site 1b to site 2a
    site 1a to site 2b
    site 1b to site 2b

so that would be 4 separate openvpn configurations; I'd then set up routing and play with the routing metrics to ensure that the right routes are used/chosen (e.g. increase the routing metrics from top to bottom)

HTH,

JJK
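The client/server layout Leroy ended up with (two identical servers, shared ccd files with iroute, clients with both servers as remotes) combined with JJK's keepalive point, written out as an added example configuration; this is not the sanitized config from the thread, and the addresses, certificate names and the 192.168.2.0/24 LAN behind Site 2 are assumptions:

```conf
# --- server.conf: identical on both Site 1 servers; keepalived keeps only one active
dev tun
proto udp
port 1194
topology subnet
server 10.8.0.0 255.255.255.0
# keepalive is pushed to clients in client/server mode, so it only needs to be here
keepalive 10 120
client-config-dir ccd
# kernel route for the LAN behind whichever Site 2 client is up (assumed subnet)
route 192.168.2.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
persist-key
persist-tun

# --- ccd/site2-a  (file name must match the client certificate CN; assumed)
# unique tunnel address per client, common iroute for the subnet behind them
ifconfig-push 10.8.0.11 255.255.255.0
iroute 192.168.2.0 255.255.255.0

# --- ccd/site2-b
ifconfig-push 10.8.0.12 255.255.255.0
iroute 192.168.2.0 255.255.255.0
# note: only one client may hold an iroute for a subnet at a time, which is why
# just one Site 2 client runs; a second connection for the same subnet is rejected

# --- client.conf: same on both Site 2 clients except for cert/key; one runs at a time
client
dev tun
proto udp
# one remote per Site 1 public address; tried in order, next one on failure
remote 203.0.113.10 1194
remote 203.0.113.11 1194
connect-retry 5
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert site2-a.crt
key site2-a.key
```

With keepalive coming from the server push, a client whose active server disappears times out on its own and moves to the next remote, which is the reconnect behaviour the point-to-point setup in the thread was missing.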
_______________________________________________ Openvpn-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-users
