
Re: [Users] bridge+ipsec+firewall redundant network topology - help :)

From: Fred Mobach (fred_at_mobach.nl)
Date: Wed Jul 03 2002 - 15:35:24 CEST


Hello Jon,

Jon Erdman wrote:
>
> I'm trying to figure out a way to set up some redundancy in my freeswan
> network. I have lots of remote sites with tunnels to my servers at a
> colocation facility. If one of the remote machines goes down, it's not
> that big of a deal, it's one customer down. But if the ipsec gateway at
> the colo goes down, all the customers are down. As well as my company's
> mail, web, etc. that's bad. heh.

That's right, one of my relations had the same feeling ;-).

> This started out with trying to make the gateway at the colo be a bridge
> and firewall and ipsec gateway, because I don't have control over my
> routing there. Up to now I have been using the proxy_arp trick to get
> around that, but since I'm about to replace that one machine with 2 (so I
> can at least fail over by SSHing in and running a script on the second
> box to take over the IPs of the 1st and enable proxy_arp), I decided to
> look into bridging. Since "people" say proxy_arp is "bad".

We solved this problem with two Linux systems on which we implemented
Linux High-Availability (see http://linux-ha.org/). Both systems have of
course their own IP address on the network interfaces. For every network
interface the primary system starts with the additional shared IP
address. At that time we made some small changes to the scripts to get a
faster switch-over in case of failure. In the end we had an H-A FreeS/WAN
solution running with a switch-over time of less than 7 seconds.

More information can be made available upon request as I don't have the
time to write a story.

Regards,

Fred

-- 
Fred Mobach - fred_at_mobach.nl - postmaster_at_mobach.nl
Systemhouse Mobach bv - The Netherlands - since 1976
website : http://fred.mobach.nl
Safe Harbour for encumbered Free and Open Source software and links:
http://apache.dataloss.nl/~fred/
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:18 CEST