From: Darwin, S. <da...@th...> - 2007-10-03 13:56:41
Ok, let me see if this sounds right.

At the remote office, I could run a script every five minutes, pinging the two internet connections at the central office. If the first internet connection goes down, I can kill the old tunnel and re-establish a tunnel to the second internet connection.

I am using three files for ipsec configuration:

/etc/racoon/psk.txt
/etc/racoon/racoon.conf
/etc/setkey.conf

I think that the policies are mostly determined with the setkey, and it's "setkey -f /etc/setkey.conf" that will have to be run, in this case, to create a new policy to the second connection. It is my impression that the contents of psk.txt and racoon.conf can remain stable during the failover actions. It is only setkey that must be re-run. Do you agree?

Now - to deal with the central office.

1. How do I make the central office a "responder only"? (What is the syntax in setkey.conf or racoon.conf, I mean.)

2. How will the central office handle the fail-over situation, when it must respond to a new ipsec tunnel, but perhaps it still mistakenly thinks that the old tunnel is still there. Must the central office run a script every five minutes too, to kill the old dead tunnel? It would be better not to re-establish tunnels every five minutes, for no reason. That is, if things are working, then leave them alone.

-----Original Message-----
From: ips...@li... [mailto:ips...@li...] On Behalf Of VANHULLEBUS Yvan
Sent: Wednesday, October 03, 2007 3:56 AM
To: ips...@li...
Subject: Re: [Ipsec-tools-devel] Ipsec load balancing

You have many problems....

First problem, the configuration on the central side. If your gate has direct public IP addresses, you get a first issue with SPD entries on the central side. This can be solved if you can set up your central site in responder only and generate policies dynamically. If your central gate has only one single private IP address and 2 default routers, that's not a problem.

Then you'll have quite the same problem with your remote offices. The only solution I see is to force usage of one of the public IP addresses, then run a script which checks if that IP is reachable. If it's unreachable, the script will change SPD+racoon config.

Having two SPD entries with the same subnets and different tunnel endpoints won't work at all, the first entry will always be matched.

Yvan.