Jon,
My method of doing this seems to be a lot simpler, and much less hardware.
At my head office, I have 2 boxes w/IPtables, Zebra, Free/Swan and
Linux-HA installed. Each of these boxes has 2 (or in my case, 5)
interfaces. Linux-HA's Heartbeat takes care of IP address takeover, and
restarts FreeS/Wan when this happens. Zebra takes care of making both
boxes routing happy, and even injects all the routes via OSPF into my
internal LAN.
> On the remote gateway, i thought it would be simple. Set up 2 tunnels,
> and run zebra to do OSPF dynamic routing on them. If one went down,
> zebra would detect it and start using the other one.
<snip>
> > When a routing is attempted for a connection, there must not already
> > be a routing for a different connection with the same subnet but
> > different interface or destination, or if there is, it must not be
> > being used by an IPsec SA. Otherwise the attempt will fail
>
> And sure enough, it does:
>
> [root_at_router /etc]# ipsec auto --up routernet-to-bridgenet
> 104 "routernet-to-bridgenet" #3: STATE_MAIN_I1: initiate
> 106 "routernet-to-bridgenet" #3: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "routernet-to-bridgenet" #3: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "routernet-to-bridgenet" #3: STATE_MAIN_I4: ISAKMP SA established
> 112 "routernet-to-bridgenet" #4: STATE_QUICK_I1: initiate
> 003 "routernet-to-bridgenet" #4: cannot install eroute -- it is in use
> for "routernet-to-bridge2net" #2
> 032 "routernet-to-bridgenet" #4: STATE_QUICK_I1: internal error
>
> While composing this, i realized that even if i get around that, there
> might be another problem....zebra probably cannot choose between
> eroutes, only regular routes.
I haven't been able to make this work, since you have 2 tunnels to the
same destination network... which FreeS/Wan (afaik) currently doesn't
support. You could maybe trick it if you can super-net your block
(ie: use 192.168.0.0/25 and 192.168.0.0/24) but that leaves the problem of
"how do I *know* one tunnel is "down"" ?
>
> So. Now i guess my question is: does this give you experienced users or
> the developers any ideas on how to set up some redundancy?
>
> Anyway, any ideas/insights/help would be appreciated :)
>
> Jon Erdman
>
> Progressive Practice, Inc.
> http://www.progressivepractice.com/
>
Feel free to harass me for more details - I don't have a diagram yet, but
after meeting all the FreeS/Wan folks last week @ OLS, they've sort of
convinced me that maybe I should whip up a HA-Free/Swan HowTo or something
similar, since this is quickly becoming a FAQ.
--
Ken Bantoft                   One Unix to rule them all, One Resolver to find them,
ken_at_networkoverlord.com    One IP to bring them all, and in the zone, bind them.
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
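As an added example (not code from Ken's or Jon's posts): a small POSIX shell check that classifies the outcome of `ipsec auto --up` from the numbered Pluto status lines quoted above, so a failover script (Heartbeat or anything else) can tell the "cannot install eroute" conflict apart from a tunnel that actually came up. The exact "IPsec SA established" wording of a successful Quick Mode line is an assumption; the conflicting run is the one quoted in the thread.

```shell
# classify_up reads the output of `ipsec auto --up <conn>` on stdin and
# prints one word: established | eroute-conflict | failed | unknown.
# Assumes Pluto prefixes each line with a three-digit status code, as in
# the thread (003 = warning, 032 = internal error).
classify_up() {
    status=unknown
    while IFS= read -r line; do
        case "$line" in
            *"cannot install eroute"*) status=eroute-conflict ;;
            *"IPsec SA established"*)  status=established ;;
            *"internal error"*)
                # keep the more specific eroute diagnosis if already seen
                if [ "$status" = unknown ]; then status=failed; fi ;;
        esac
    done
    printf '%s\n' "$status"
}

# Constructed sample: the failing run quoted in the thread, where a second
# tunnel to the same subnet collides with "routernet-to-bridge2net".
sample_conflict() {
    cat <<'EOF'
104 "routernet-to-bridgenet" #3: STATE_MAIN_I1: initiate
106 "routernet-to-bridgenet" #3: STATE_MAIN_I2: sent MI2, expecting MR2
108 "routernet-to-bridgenet" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "routernet-to-bridgenet" #3: STATE_MAIN_I4: ISAKMP SA established
112 "routernet-to-bridgenet" #4: STATE_QUICK_I1: initiate
003 "routernet-to-bridgenet" #4: cannot install eroute -- it is in use for "routernet-to-bridge2net" #2
032 "routernet-to-bridgenet" #4: STATE_QUICK_I1: internal error
EOF
}

# Constructed sample of a run that completes; the final line's wording is
# an assumption, not taken from the thread.
sample_ok() {
    cat <<'EOF'
112 "routernet-to-bridgenet" #4: STATE_QUICK_I1: initiate
004 "routernet-to-bridgenet" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
EOF
}

# On a live gateway: ipsec auto --up routernet-to-bridgenet 2>&1 | classify_up
sample_conflict | classify_up   # prints: eroute-conflict
```

A script that brings up the backup tunnel only after the primary's eroute is gone can branch on this word instead of grepping ad hoc.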
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:18 CEST