Thanks for the reply Charles.

> > I'm running Eiger 1.5 (haven't had the time or need to go to something
> > newer - maybe I'll be forced to now!) with FreeS/WAN on a static
> > wireless connection to my ISP. I've now been provided a second WAN
> > connection via ADSL with another ISP. I would like to combine them to
> > share the load, but realistically I think this will be difficult to
> > impossible with FreeS/WAN in the equation. Perhaps even without it.
> >
> > I think Charles was contemplating this idea a while back - don't know
> > if he came up with any solutions...
>
> Load-sharing gets ugly when using FreeS/WAN, which doesn't currently use
> the kernel's routing tables. This means all the nifty new tricks you can
> do with the newer advanced kernel routing features just don't work when
> running FreeS/WAN on the same box. You can still do some interesting
> things, but you'll probably have to have multiple boxes to get FreeS/WAN
> load-sharing. NOTE: You can mix load-sharing for general internet
> services and FreeS/WAN on the same box, there's just no way I know of to
> load-share a VPN link running FreeS/WAN on the actual gateway system
> hooked to your upstream links...FreeS/WAN just doesn't have the routing
> flexibility.

I had wondered if this would be the case a month back when you first made some comments about advanced routing. I could add a second box between the WAN and the firewall to do the routing. Presumably this would satisfy FreeS/WAN as it seems to need to know only the nexthop - which would be this new router. If the new box did some form of load sharing, it would presumably default to the live connection if one died. Does load sharing typically work by port or destination IP? i.e., is it possible that some of the IPSec packets could go out one WAN port and others out the second WAN port? Would this cause confusion on the other end when everything is re-assembled?

> > So, given that load sharing might be too difficult, I thought I would
> > simply add the second IP to eth0, as the ADSL is to be static. Oops,
> > just found out they assign the 'static' address with dhcp! So, the
> > question becomes... Can or how do I tell eth0 to get a 'dynamic'
> > address, but also use a static second address? In conversations with
> > the local Linux people, the suggestion was to assign the dhcp address
> > first, then alias the static one afterward. The reverse seemed
> > unreasonable (?).
>
> Um...do you really have both upstream gateways tied to the same ethernet
> port on your firewall? Normally, this would be a bad thing. Depending on
> the type of wireless access point you've got, you may even be spewing
> your DSL traffic out your wireless link, chewing up your bandwidth.

I think I have this covered (and I don't have the DSL live yet, so nothing is plugged in right now!) as I have a Linksys 4 port cable/dsl router between the firewall and the wireless connection. I actually have a /29 subnet of public IPs in between the firewall and Linksys router, with a single public IP (different network) on the outside of the Linksys router.

This was done to allow the VPN to work, as we share the connection with another company - and will share the DSL also, if I can make it all mesh. Presumably the Linksys unit will only pass the packets destined for the wireless network. If the DSL was plugged into the switch, the data passing should not be routed out the WAN port of the router - but to the DSL modem instead. Or am I screwed up?

> > Any comments as to what/how to edit to achieve this? I can change
> > FreeS/WAN manually if need be, when the 'default' connection fails.
>
> ??? Just configure FreeS/WAN to use your static IP, which will send VPN
> data out your ADSL line. Or just use %defaultroute in your FreeS/WAN
> configs, and it will track your current IP setup (or at least the IP
> setup in place when you start FreeS/WAN...it won't track changes if your
> IP changes, you'll have to svi ipsec restart).
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

Does it make the most sense to put a second box into the equation???

Brock

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
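The two FreeS/WAN options Charles describes, written out as an added ipsec.conf fragment (FreeS/WAN 1.x syntax); this is not from the thread or from the FreeS/WAN project, and every address, subnet and connection name below is a placeholder. The first conn pins the tunnel to the static ADSL address that would sit on the eth0 alias next to the DHCP primary; the second uses %defaultroute, which FreeS/WAN resolves once, at startup, from the interface carrying the default route.

```ini
# Added example ipsec.conf fragment. All addresses are placeholders.
config setup
    # ipsec0 rides on eth0, the interface that holds both the DHCP primary
    # address and the aliased static ADSL address.
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search

conn %default
    keyingtries=0
    authby=rsasig

# Option 1: bind the tunnel to the static ADSL address explicitly.
# The VPN traffic then leaves via the ADSL line regardless of which address
# the DHCP lease on the primary currently holds.
conn office-static
    # placeholder: our static ADSL address (the eth0 alias)
    left=192.0.2.10
    # placeholder: ADSL gateway
    leftnexthop=192.0.2.1
    # placeholder: our LAN
    leftsubnet=10.0.0.0/24
    # placeholder: peer gateway and peer LAN
    right=203.0.113.5
    rightsubnet=10.0.1.0/24
    auto=start

# Option 2: take the address and nexthop from the default route.
# This is evaluated when ipsec starts, so after the address changes the
# tunnel must be restarted ("svi ipsec restart" on LEAF) to pick it up.
# Use only one of the two conns for a given peer, not both.
conn office-defaultroute
    left=%defaultroute
    leftsubnet=10.0.0.0/24
    right=203.0.113.5
    rightsubnet=10.0.1.0/24
    auto=start
```

With a DHCP primary plus a static alias on one interface, option 1 is the one that actually ties the tunnel to the ADSL address; %defaultroute follows whatever address and nexthop the default route used at startup, so it only helps if the default route itself points out the ADSL line.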
