* wan links routing failover sheme
@ 2008-03-06 2:37 Daniel
2008-03-07 5:41 ` Grant Taylor
0 siblings, 1 reply; 2+ messages in thread
From: Daniel @ 2008-03-06 2:37 UTC (permalink / raw)
To: iptables-netfilter list
I need a routing failover scheme to address a vpn site-to-site scenario
where branches offices have 2 wan links and a linux box with 2 ethernet
ifaces, each one reaching one wan router. Wan links should working in
active/passive failover mode. Considering start vpn tunnels from branches to
headquarter, the problem is:
At each branch, I need to choose one of the 2 wan routers as the linux box
default gateway. For failover work, I need some mechanism to monitor the
active/master link, like icmp/ping, and change the gateway to the
passive/backup link when the active/master link fails, and change back when
the active/master link becomes up again. If I address this with a routing
scheme, the vpn on demand tunnel from branch to headquarter work transparent
above it.
On headquarter and on each branch I will use a linux box. I thinking in use
openvpn as vpn server and client (I have low know hall of openvpn), but
other vpn solutions, like ipsec, can be suggested! On branches, a fast and
cheap DSL link (should be the active/master link) and a realiable and slower
128kbps PPP link (should be the passive/backup link). Tunnels can be started
from any side, from headquarter or from branches, but I will consider start
tunnels from branches to headquarter for this scenario, I can change this
view, no problem.
Should iproute2 address such solution?
I ask about it in openvpn-users list, one people answer that he use linux
eql driver driver to form a logical connection and a little bit of scripting
to continuously monitor the tunnels and add or remove them from the bundle
if needed.
As a comparision, as logn I know, Cisco solution use IPSLA as the monitoring
scheme and on the start vpn tunnel box a list of 2 vpn servers to reach (one
master and one backup), to address such failover environment.
I will appreciate ny sugestions!
Regards,
Daniel.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: wan links routing failover sheme
2008-03-06 2:37 wan links routing failover sheme Daniel
@ 2008-03-07 5:41 ` Grant Taylor
0 siblings, 0 replies; 2+ messages in thread
From: Grant Taylor @ 2008-03-07 5:41 UTC (permalink / raw)
To: Mail List - Netfilter
On 3/5/2008 8:37 PM, Daniel wrote:
> I need a routing failover scheme to address a vpn site-to-site
> scenario where branches offices have 2 wan links and a linux box with
> 2 ethernet ifaces, each one reaching one wan router. Wan links should
> working in active/passive failover mode.
First and foremost what you are wanting to do is complicated at best.
However I think that it will be doable in the end.
How much and what of the equipment will you have full administrative
control over?
> At each branch, I need to choose one of the 2 wan routers as the
> linux box default gateway. For failover work, I need some mechanism
> to monitor the active/master link, like icmp/ping, and change the
> gateway to the passive/backup link when the active/master link fails,
> and change back when the active/master link becomes up again. If I
> address this with a routing scheme, the vpn on demand tunnel from
> branch to headquarter work transparent above it.
You will need to use some sort of monitoring that tests from your Linux
router to the Linux (concentrator) router at the headquarters. I don't
think you can safely rely on link level failures. Consider what will
happen if you have a bridging ADSL modem that has lost ADSL signal yet
still has ethernet link to your Linux box. The Linux box has no way to
know that an intermediary link is down and thus the path is down.
I suppose you could find an ADSL modem that will take down the ethernet
link when the ADSL link goes down, but now you are getting in to a more
esoteric situation and specialized hardware that is not commodity and
thus difficult to deal with as far as spares goes. In short, stick with
something that will monitor the end to end path.
> On headquarter and on each branch I will use a linux box. I thinking
> in use openvpn as vpn server and client (I have low know hall of
> openvpn), but other vpn solutions, like ipsec, can be suggested! On
> branches, a fast and cheap DSL link (should be the active/master
> link) and a realiable and slower 128kbps PPP link (should be the
> passive/backup link). Tunnels can be started from any side, from
> headquarter or from branches, but I will consider start tunnels from
> branches to headquarter for this scenario, I can change this view, no
> problem.
I don't think that the type of VPN solution is all that important yet in
this stage of the game. It sounds like you still have a lot of things
up in the air that need to be worked out.
Is the PPP link always on (slower broadband) or is it billed based on
usage? Are we really talking about a 128 kb ISDN line?
> Should iproute2 address such solution?
IPRoute2 is not *the* solution despite it most likely being *part* of
the solution. IPRoute2 is a tool, just like IPTables is a tool.
IPRoute2 allows you to alter how the Linux box routes packets, it is up
to you to tell the Linux box how to route.
> I ask about it in openvpn-users list, one people answer that he use
> linux eql driver driver to form a logical connection and a little bit
> of scripting to continuously monitor the tunnels and add or remove
> them from the bundle if needed.
I don't think you will want to use the eql driver. To my knowledge, the
eql driver will want to try to equally use both links at the same time,
which you have indicated that you want an active/passive not
active/active solution. Or if you are not billed based on usage on the
128 kb connection, would you like to use it as additional bandwidth in
an active/active solution?
> As a comparision, as logn I know, Cisco solution use IPSLA as the
> monitoring scheme and on the start vpn tunnel box a list of 2 vpn
> servers to reach (one master and one backup), to address such
> failover environment.
>
> I will appreciate ny sugestions!
I think you are indeed talking about having two VPNs from each branch
office to the central office. If you can have both VPNs up at the same
time (local_ext_ip_1 <-> remote_ext_ip_1 and local_ext_ip_2 <->
remote_ext_ip_2) and you can route through either of them, you should be
able to use a routing protocol for each end to be able to advertise to
the other end what routes it has. If you use the proper routing
protocol it will monitor the routes for you (by looking for route
advertisements and / or hellos). Thus if the monitoring indicates that
the path is down, the routing protocol will remove the routes that were
known via that path.
I have successfully used OSPF on Cisco routers to do this with two SDSL
lines. Other than a delay in changes when one line went down or up,
things worked out very well.
Grant. . . .
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2008-03-07 5:41 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-03-06 2:37 wan links routing failover sheme Daniel
2008-03-07 5:41 ` Grant Taylor
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox