Good day,

Short version:

Any hints/ideas on setting up a fail-over of an isakmpd-maintained VPN connection through a secondary internet line when the primary internet line fails, where an autonomous system of IP addresses is not an option?
Hardware on both sides is i386, OS is obsd/3.7.

Long version:

In my office, I have two internet connections, I1 and I2, through two different ISPs, ISP1 and ISP2; I1 and I2 use different IP ranges; AS and routers are out of the question, unfortunately, as is the possibility of routing ISP1's IP range through I2 and vice-versa.

I have two firewall/gateway machines, F1 and F2; each of them has one interface "attached" to one internet connection, one interface to the other internet connection, and a third interface for the local network.
F1 and F2 run obsd3.7/i386.

Default route for F1 is I1; default route for F2 is I2 (this is the
current setup, and it is subject to change if needed; the idea is to
allow people in the LAN to manually change their LAN gateway to go
through I2 if something goes wrong with F1 or I1)

I have a "remote" LAN, let's call it RL, and a VPN connection between
F1 and RL via I1; it's a "routed" connection, not a "bridged" one,
if that matters (that is, the local and the remote LANs are different
IP networks, and no broadcasts are exchanged). The gateway there also
runs obsd3.7/i386, and I have full control over it.

I want to be able to automatically re-build the VPN connection via I2
if I1 goes down, using isakmpd if possible (would "fall back" to openvpn, if I can't do it with isakmpd). I would also like to keep the ability of people to manually choose their way to the internet through I2, but if not possible, I am ready to introduce a third firewall with a default route of I2 just doing NAT for this purpose.

Any ideas and hints will be appreciated.

Regards,
Stoyan Genov
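An added sketch, not from the poster or from OpenBSD, of how a monitor on F1 could drive the fail-over asked about above: probe the remote gateway from each line's address, move the default route, re-render isakmpd.conf from a template, and restart isakmpd. All addresses, the template file with an `@LOCAL@` marker, and the use of `ping -I` and `/var/run/isakmpd.pid` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: PEER is RL's
# public address, LOCAL1/LOCAL2 are F1's addresses on I1/I2, GW1/GW2 the ISP
# next hops; isakmpd.conf is rendered from a template whose Local-address
# line carries @LOCAL@. All addresses below are constructed placeholders.
PEER=${PEER:-198.51.100.1}
LOCAL1=${LOCAL1:-192.0.2.2};   GW1=${GW1:-192.0.2.1}
LOCAL2=${LOCAL2:-203.0.113.2}; GW2=${GW2:-203.0.113.1}
TEMPLATE=/etc/isakmpd/isakmpd.conf.tmpl
CONF=/etc/isakmpd/isakmpd.conf
DRY_RUN=${DRY_RUN:-1}          # 1 = only print the actions that would run

# probe SRC: is the peer reachable when packets leave from source address SRC?
probe() { ping -I "$1" -c 2 -w 3 "$PEER" >/dev/null 2>&1; }

# decide CURRENT UP1 UP2: print the link to use. I1 is preferred; the tunnel
# leaves its current link only when that link is down AND the other is up,
# so a probe glitch on both lines does not bounce it needlessly.
decide() {
    cur=$1; up1=$2; up2=$3
    if [ "$cur" = I1 ]; then
        if [ "$up1" = 0 ] && [ "$up2" = 1 ]; then echo I2; else echo I1; fi
    else
        if [ "$up1" = 1 ]; then echo I1; else echo I2; fi
    fi
}

# switch LINK: move the default route, re-render the config, restart isakmpd
switch() {
    if [ "$1" = I1 ]; then gw=$GW1; laddr=$LOCAL1; else gw=$GW2; laddr=$LOCAL2; fi
    run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }
    run route change default "$gw"
    run sh -c "sed 's/@LOCAL@/$laddr/' '$TEMPLATE' > '$CONF'"
    run sh -c 'kill $(cat /var/run/isakmpd.pid) 2>/dev/null; sleep 1; isakmpd'
}

# main_loop: poll both lines every 30 s and act only on a change of decision
main_loop() {
    cur=I1
    while :; do
        if probe "$LOCAL1"; then up1=1; else up1=0; fi
        if probe "$LOCAL2"; then up2=1; else up2=0; fi
        want=$(decide "$cur" "$up1" "$up2")
        if [ "$want" != "$cur" ]; then switch "$want"; cur=$want; fi
        sleep 30
    done
}
if [ "${1:-}" = run ]; then main_loop; fi
```

Start it with `DRY_RUN=0 sh monitor.sh run` once the placeholders are replaced; leaving DRY_RUN at 1 only prints the route, sed and isakmpd commands it would execute.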
