All,

With the dual-ISP support in the latest versions of Shorewall, is it also possible to set up dual-VPN with something like OpenVPN? If so, what are the high-level steps that would need to be completed?

Aaron

> All,
>
> With the dual-ISP support in the latest versions of Shorewall, is it
> also possible to set up dual-VPN with something like OpenVPN? If so,
> what are the high-level steps that would need to be completed?
>
> Aaron
>

That is an interesting question. What do you mean by dual-vpn? 2 tunnels, from the same client, to each of the public IP addresses? Balancing across both of the tunnels until one ISP goes down, and then the remaining tunnel carries the load?

Did a quick test for syntax:

    ip route add 10.5.0.20 scope global nexthop via 10.10.0.2 dev tun0 \
        weight 1 nexthop via 10.3.0.1 dev eth0 weight 1

results in:

    10.5.0.20
        nexthop via 10.10.0.2 dev tun0 weight 1
        nexthop via 10.3.0.1 dev eth0 weight 1

It may be possible, I haven't found I needed this one yet.

Jerry.

I installed a solution for a customer that includes an IPSEC host-to-host connection, a GRE tunnel on top of it, and ospfd/quagga to propagate routes. Basically Cisco's recipe but on Linux. That, as a backup to a leased fiber link.

I do have two problems, none specific to Shorewall, but maybe you can help me.

First, I can't get ospfd to install routes coming from the GRE tunnel with less priority than routes coming from the other link.

Then, when traffic goes through the GRE tunnel, some web pages on outside nets (not controlled by me) cease to be visible. Changing the GRE tunnel's MTU changes the behavior, so I am fairly sure it's an MTU discovery problem.

Any hints? :) Thanks.

Both sides use Shorewall. I use Shorewall dynamic zones when establishing the IPSEC/GRE tunnels and that part works well.

--
Eduardo Kaftanski
eduardo@linuxcenterla.com
Red Hat Certified Engineer/Instructor/Examiner
Gerente Ingenieria LinuxCenter S.A.
Mariano Sanchez Fontecilla 310, 2do piso, Edificio Birmann24, Las Condes, Chile
http://www.linuxcenterla.com
+56-2-4834000

>
> I installed a solution for a customer that includes an IPSEC
> host-to-host connection, a GRE tunnel on top of it, and ospfd/quagga
> to propagate routes. Basically Cisco's recipe but on Linux. That, as
> a backup to a leased fiber link.
>
> I do have two problems, none specific to Shorewall, but maybe you
> can help me.
>
> First, I can't get ospfd to install routes coming from the GRE tunnel
> with less priority than routes coming from the other link.
>
> Then, when traffic goes through the GRE tunnel, some web pages on outside
> nets (not controlled by me) cease to be visible. Changing the GRE tunnel's
> MTU changes the behavior, so I am fairly sure it's an MTU discovery
> problem.
>
> Any hints? :) Thanks.
>
> Both sides use Shorewall. I use Shorewall dynamic zones when establishing
> the IPSEC/GRE tunnels and that part works well.
>

Check out the MSS CLAMPING section in the shorewall.conf file. The variable is CLAMPMSS.

Jerry
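
One way to check a CLAMPMSS setting against a tunnel's MTU, as an added example that is not part of the original thread. The interface name gre1, the MTU of 1400, the shorewall.conf text and the helper function names are constructed or hypothetical.

```shell
#!/bin/sh
# Added example: audit a Shorewall CLAMPMSS setting against a tunnel MTU.
# Sample inputs are constructed; gre1 and MTU 1400 are assumptions.

# Extract the MTU from one line of `ip -o link show <dev>` output.
mtu_from_ip_link() {
    printf '%s\n' "$1" | sed -n 's/.* mtu \([0-9][0-9]*\).*/\1/p'
}

# Largest TCP MSS that fits an IPv4 MTU: MTU - 20 (IP) - 20 (TCP).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Effective CLAMPMSS value in shorewall.conf text (last assignment wins,
# commented-out lines are ignored).
clampmss_setting() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*CLAMPMSS=\([^[:space:]#]*\).*/\1/p' |
        tail -n 1
}

# Classify the setting for a given tunnel MTU.
audit_clampmss() {
    conf=$1 mtu=$2
    want=$(mss_for_mtu "$mtu")
    val=$(clampmss_setting "$conf")
    case "$val" in
        ''|[Nn]o)  echo "unclamped: set CLAMPMSS=Yes or CLAMPMSS=$want" ;;
        [Yy]es)    echo "ok: MSS clamped to path MTU" ;;
        *[!0-9]*)  echo "invalid: CLAMPMSS=$val" ;;
        *)  if [ "$val" -le "$want" ]; then
                echo "ok: fixed MSS $val fits MTU $mtu"
            else
                echo "too-large: MSS $val exceeds $want for MTU $mtu"
            fi ;;
    esac
}

# Constructed sample input.
SAMPLE_LINK='7: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN'
SAMPLE_CONF='STARTUP_ENABLED=Yes
CLAMPMSS=No'

audit_clampmss "$SAMPLE_CONF" "$(mtu_from_ip_link "$SAMPLE_LINK")"
```

On a live firewall, feed it `ip -o link show` output for the tunnel device and the contents of /etc/shorewall/shorewall.conf instead of the samples.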