Hello all,

I need a very simple routing protocol for VPN redundancy.

We have several sites and each site has a Linux router and two IPCops, each with an ADSL connection to the internet using different ISPs.

I have configured VPNs between all of the sites for each IPCop on ispA and the same for the IPCops on ispB. This way, if one of the ISPs fails, I change the route on the router and my VPNs continue to function over the other ISP.

This is a very simple safety but it works well and it's pretty cheap. But I'm getting sick of changing the routes by hand and wonder if there is any way of automating the failover.

What I was thinking of is maybe a script/utility that I could configure to ping a host on a remote LAN, and if I started to lose too many packets or it got too slow or failed, it would change the route automatically.

Has anyone ever written a script or know of a utility that can do that?

Cheers Simon.
Simon Chang wrote:
> Hello all,
>
> I need a very simple routing protocol for VPN redundancy.
>
> We have several sites and each site has a Linux router and two IPCops, each with an ADSL connection to the internet using different ISPs.
>
> I have configured VPNs between all of the sites for each IPCop on ispA and the same for the IPCops on ispB. This way, if one of the ISPs fails, I change the route on the router and my VPNs continue to function over the other ISP.
>
> This is a very simple safety but it works well and it's pretty cheap. But I'm getting sick of changing the routes by hand and wonder if there is any way of automating the failover.
>
> What I was thinking of is maybe a script/utility that I could configure to ping a host on a remote LAN, and if I started to lose too many packets or it got too slow or failed, it would change the route automatically.
>
> Has anyone ever written a script or know of a utility that can do that?
>
> Cheers Simon.

I know nothing of VPNs, but I can tell you that Julian Anastasov has written patches for the Linux kernel called Dead Gateway Detection. Maybe that will do what you want.
http://www.ssi.bg/~ja/
http://www.ssi.bg/~ja/dgd.txt
http://www.ssi.bg/~ja/dgd-usage.txt
http://www.ssi.bg/~ja/nano.txt

You can have a look at what I'm running at work at:
http://andthatsjazz.org:8/lartc/rc.nano1
and there are examples and links here:
http://andthatsjazz.org:8/lartc/index.html

Although I've only caught it happening once, when the ISP on eth2 went down that outage was not even noticed by users.

I used to have 3 (very flakey) connections here at home, and I wrote a script that had a Linux box at work ping each one. When there were too many unanswered pings, a message was sent (to a working IP) saying which one was down. If the connection was restored, a different flag was sent. At home, I monitored a special directory for a flag file and changed the routing to stop trying the bad connection (or to use a revived one) depending on what flag file was there.

The scripts were pretty trivial to write, and they worked (often!).
--
gypsy
I think you can also take a look at Linux HA: http://linux-ha.org/
There is a plugin there called ipfail: http://pheared.net/devel/c/ipfail/ which works on the principle of Heartbeat.

Good luck

Erwan Le Doeuff
************************************************************
Project Manager of rcc project QoS HTB Power tool
http://www.rcc-project.net
************************************************************

On Tue, 15 Mar 2005 20:23:54 -0800, gypsy <gypsy@iswest.com> wrote:
> I know nothing of VPNs, but I can tell you that Julian Anastasov has written patches for the Linux kernel called Dead Gateway Detection. Maybe that will do what you want.
> http://www.ssi.bg/~ja/
> http://www.ssi.bg/~ja/dgd.txt
> http://www.ssi.bg/~ja/dgd-usage.txt
> http://www.ssi.bg/~ja/nano.txt
>
> You can have a look at what I'm running at work at:
> http://andthatsjazz.org:8/lartc/rc.nano1
> and there are examples and links here:
> http://andthatsjazz.org:8/lartc/index.html
>
> Although I've only caught it happening once, when the ISP on eth2 went down that outage was not even noticed by users.
>
> I used to have 3 (very flakey) connections here at home, and I wrote a script that had a Linux box at work ping each one. When there were too many unanswered pings, a message was sent (to a working IP) saying which one was down. If the connection was restored, a different flag was sent. At home, I monitored a special directory for a flag file and changed the routing to stop trying the bad connection (or to use a revived one) depending on what flag file was there.
>
> The scripts were pretty trivial to write, and they worked (often!).
> --
> gypsy
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
alben benavente alteza
2005-Apr-01  08:52 UTC
Re: simple routing protocol for VPN redundancy?
A simple script can do that. Do a ping 4 times and if you have fewer than 3 replies then switch it to another ISP. Put the script in your crontab, say to check every 1 minute. I am also doing that.

Heartbeat is more about redundancy of the gateway: in the case of your primary gateway being down, the backup gateway will take over.

On Wednesday 16 March 2005 13:36, erwan le doeuff wrote:
> I think you can also take a look at Linux HA: http://linux-ha.org/
> There is a plugin there called ipfail: http://pheared.net/devel/c/ipfail/ which works on the principle of Heartbeat.
>
> Good luck
>
> Erwan Le Doeuff
> ************************************************************
> Project Manager of rcc project QoS HTB Power tool
> http://www.rcc-project.net
> ************************************************************

--
Alben Benavente Alteza
Information Systems Security and Internet Services Administration
Information Systems Department / Philippine Airlines
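The check described in the message above (4 pings, fewer than 3 replies, run from cron every minute), written out as an added example that is not code from anyone in the thread. The addresses, the `--apply` switch, the `vpn-failover` log tag and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cron-driven failover check. All addresses are constructed
# placeholders; GW_A/GW_B stand for the LAN addresses of the two IPCops.
REMOTE_NET="192.0.2.0/24"   # remote LAN reached through the VPN
PROBE="192.0.2.10"          # host on the remote LAN to ping
GW_A="10.0.0.1"             # IPCop on ispA
GW_B="10.0.0.2"             # IPCop on ispB
COUNT=4                     # pings per check
MIN_REPLIES=3               # fewer replies than this triggers a switch

# Read ping output on stdin, print the reply count from its summary line.
# Handles "2 received" (iputils) and "2 packets received" (BusyBox).
replies_received() {
    sed -n 's/.* \([0-9][0-9]*\) \(packets \)\{0,1\}received.*/\1/p' | head -n 1
}

# Read "ip route show" output on stdin, print the gateway after "via".
current_gateway() {
    sed -n 's/.* via \([^ ]*\).*/\1/p' | head -n 1
}

# $1 = replies received (empty counts as 0), $2 = gateway now in use.
# Prints the gateway the route should point at.
choose_gateway() {
    replies=${1:-0}
    if [ "$replies" -ge "$MIN_REPLIES" ]; then
        echo "$2"               # active path is healthy: leave it alone
    elif [ "$2" = "$GW_A" ]; then
        echo "$GW_B"
    else
        echo "$GW_A"
    fi
}

# Only touch the routing table when called with --apply (e.g. from cron).
# The probe travels over the active route, so it tests the path in use; if
# both ISPs are down the route will alternate on every run.
if [ "${1:-}" = "--apply" ]; then
    current=$(ip route show "$REMOTE_NET" | current_gateway)
    replies=$(ping -c "$COUNT" -W 2 "$PROBE" 2>/dev/null | replies_received)
    target=$(choose_gateway "$replies" "$current")
    if [ "$target" != "$current" ]; then
        ip route replace "$REMOTE_NET" via "$target"
        logger -t vpn-failover "$REMOTE_NET: $current -> $target (${replies:-0}/$COUNT replies)"
    fi
fi
```

Run it from root's crontab once a minute with `--apply`; without that argument it only defines the functions and changes nothing.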
I'm going to start a load balancing & failover VPN over multiple providers. It means we can not just have a high availability tunnel but also utilize the bandwidth of all providers.
It'll be a part of a newly started Linux multihoming project.
Is there any developer interested in joining?

Simon Chang wrote:
> Hello all,
>
> I need a very simple routing protocol for VPN redundancy.
>
> We have several sites and each site has a Linux router and two IPCops, each with an ADSL connection to the internet using different ISPs.
>
> I have configured VPNs between all of the sites for each IPCop on ispA and the same for the IPCops on ispB. This way, if one of the ISPs fails, I change the route on the router and my VPNs continue to function over the other ISP.
>
> This is a very simple safety but it works well and it's pretty cheap. But I'm getting sick of changing the routes by hand and wonder if there is any way of automating the failover.
>
> What I was thinking of is maybe a script/utility that I could configure to ping a host on a remote LAN, and if I started to lose too many packets or it got too slow or failed, it would change the route automatically.
>
> Has anyone ever written a script or know of a utility that can do that?
>
> Cheers Simon.