From: Darwin, S. <da...@th...> - 2007-10-18 14:40:05

I have discovered how to make the failover scenario work. Thanks for all your help.

Central Office has two internet connections. Remote office has one internet connection. How to failover with ipsec, if central office loses one connection:

1. Set up central office as responder only. This is done with "passive on" command in racoon.conf in the remote section.
2. Set up remote office with two setkey.conf files: Setkey1.conf and Setkey2.conf. Design these files so that setkey1.conf uses one central office IP address and setkey2.conf uses the other central office IP address.
3. At boot, only use setkey1.conf (for example). Ignore the other file. Only one tunnel will be on at any time.
4. Create a cron job to run every five minutes. This will call a script you must write. The script should do the following: Ping across the tunnel. If the ping fails, the tunnel is down. Therefore... Run the alternate setkey script. This will set up the alternate tunnel.

Regarding keepalives: Turn them off at central office. Turn them on at remote office.

During _failover_, the script should also kill and restart racoon. I didn't exactly think that would be necessary, but it appears to be. Not a big deal.

Overall, this solution seems to work fine so far.

Best Regards,
Sam Darwin
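A sketch of the cron-driven check the post describes (ping across the tunnel, load the other setkey file on failure, kill and restart racoon), written here as an added example rather than the poster's own script. The config directory, the state file, the tunnel peer address and the racoon.conf path are assumptions; the decision step is kept in its own function so it can be exercised without live tunnels.

```shell
#!/bin/sh
# Remote-office IPsec failover check, meant to run from cron every 5 minutes.
# Assumed layout (not from the original post): setkey1.conf / setkey2.conf
# under $CONF_DIR, the active file name recorded in $STATE_FILE, and a host
# at $TUNNEL_PEER that is reachable only through the tunnel.
TUNNEL_PEER="${TUNNEL_PEER:-10.0.0.1}"                  # constructed placeholder
STATE_FILE="${STATE_FILE:-/var/run/ipsec-failover.active}"
CONF_DIR="${CONF_DIR:-/etc/ipsec}"
RACOON_CONF="${RACOON_CONF:-/etc/racoon/racoon.conf}"

# The other setkey file: setkey1.conf <-> setkey2.conf. An unknown or missing
# state falls back to the boot-time default, setkey1.conf.
alternate_conf() {
    case "$1" in
        setkey1.conf) echo setkey2.conf ;;
        setkey2.conf) echo setkey1.conf ;;
        *)            echo setkey1.conf ;;
    esac
}

# Decision only: given the active file and the ping result (0 = reachable),
# print the file that should be active afterwards.
next_conf() {
    if [ "$2" -eq 0 ]; then echo "$1"; else alternate_conf "$1"; fi
}

# 0 if the peer answers across the tunnel, non-zero otherwise.
tunnel_up() {
    ping -c 3 -W 2 "$1" >/dev/null 2>&1
}

# Flush SPD and SAD, load the alternate policies, then restart racoon so it
# negotiates against the other central-office address (the post found the
# restart necessary during failover).
switch_to() {
    setkey -FP && setkey -F
    setkey -f "$CONF_DIR/$1" || return 1
    pkill racoon; sleep 1
    racoon -f "$RACOON_CONF" || return 1
    echo "$1" > "$STATE_FILE"
}

main() {
    current=$(cat "$STATE_FILE" 2>/dev/null || echo setkey1.conf)
    if tunnel_up "$TUNNEL_PEER"; then ok=0; else ok=1; fi
    target=$(next_conf "$current" "$ok")
    [ "$target" = "$current" ] && return 0
    logger -t ipsec-failover "tunnel via $current down, switching to $target"
    switch_to "$target"
}

# Invoke as "failover.sh run" from cron; without the argument only the
# functions are defined, so the logic can be sourced and checked offline.
if [ "${1:-}" = run ]; then main; fi
```

The cron entry would be along the lines of `*/5 * * * * /usr/local/sbin/failover.sh run`, with the state file pre-seeded at boot to match the setkey file loaded there.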