Koch, Andre
2010-Apr-07 16:52 UTC
Problem with Load Balancing / Failover with multiple ISPs and VPN connections to several branches
Hello,

I have problems to set up shorewall with multiple branches connected over vpn to one headquarter.
Each branch has two wan connections, one for citrix traffic and the other line for web, etc (the headquarter has as well two wan connections).
So, I have set up two vpn tunnels for each branch to the headquarter.
There we have two systems with strongswan/shorewall and another system with shorewall which routes / load balances vpn traffic.

Chart:

Branches                      Headquarter

+--+------vpn1b1------>vpn1hq            +------+
|B1|                          <---WAN1---|vpn1hq|
+--+------vpn2b1------>vpn2hq            +------+<----->+--------+
                                                        |balancer|
                                                        |        |
+--+------vpn1b2------>vpn1hq            +------+<----->+--------+
|B2|                          <---WAN2---|vpn2hq|
+--+------vpn2b2------>vpn2hq            +------+

...

+--+------vpn1bx------>vpn1hq
|Bx|
+--+------vpn2bx------>vpn2hq

So, I configured the two wan connections of the headquarter in the providers file.
With lsm, the failover routing works on balancer, but only for the two wan connections.
What about the branches? If a vpn tunnel breaks, the balancer doesn't recognize this.
So, I decided to reconfigure the providers file and lsm with all vpn connections to the branches.
But, if vpn2b1 breaks, shorewall routes ALL traffic over vpn1hq, although wan2 is still working...

The base configuration was the example MyNetwork:
http://www.shorewall.net/MyNetwork.html

How can I detect if a vpn tunnel to a branch breaks and reroute the traffic over vpn1hq or vpn2hq?
The goal is failover in worst case for branches / headquarter and in normal case load balancing / traffic shaping.

kind regards,
Andre
Tom Eastep
2010-Apr-08 18:47 UTC
Re: Problem with Load Balancing / Failover with multiple ISPs and VPN connections to several branches
Koch, Andre wrote:
> Hello,
>
> I have problems to set up shorewall with multiple branches connected
> over vpn to one headquarter.
> Each branch has two wan connections, one for citrix traffic and the
> other line for web, etc (the headquarter has as well two wan
> connections).
> So, I have set up two vpn tunnels for each branch to the headquarter.
> There we have two systems with strongswan/shorewall and another system
> with shorewall which routes / load balances vpn traffic.
>
> Chart:
>
> Branches                      Headquarter
>
> +--+------vpn1b1------>vpn1hq            +------+
> |B1|                          <---WAN1---|vpn1hq|
> +--+------vpn2b1------>vpn2hq            +------+<----->+--------+
>                                                         |balancer|
>                                                         |        |
> +--+------vpn1b2------>vpn1hq            +------+<----->+--------+
> |B2|                          <---WAN2---|vpn2hq|
> +--+------vpn2b2------>vpn2hq            +------+
>
> ...
>
> +--+------vpn1bx------>vpn1hq
> |Bx|
> +--+------vpn2bx------>vpn2hq
>
> So, I configured the two wan connections of the headquarter in the
> providers file.
> With lsm, the failover routing works on balancer, but only for the two
> wan connections.
> What about the branches? If a vpn tunnel breaks, the balancer doesn't
> recognize this.
> So, I decided to reconfigure the providers file and lsm with all vpn
> connections to the branches.
> But, if vpn2b1 breaks, shorewall routes ALL traffic over vpn1hq,
> although wan2 is still working...
>
> The base configuration was the example MyNetwork:
> http://www.shorewall.net/MyNetwork.html
>
> How can I detect if a vpn tunnel to a branch breaks and reroute the
> traffic over vpn1hq or vpn2hq?
> The goal is failover in worst case for branches / headquarter and in
> normal case load balancing / traffic shaping.

Don't make the VPNs providers but simply define them to LSM.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________