I've got a setup with a central VPN gateway running a couple dozen IPSEC tunnels to remote locations. All the gateways are running current, and use very simple ipsec.conf entries to set things up. Works beautifully.

ISPs are another matter. At two of the remotes, service is 'flaky' to say the least, and we lose connectivity due to network problems on a regular basis. Both sites have alternate ISPs available, but their service is also questionable (think mountaintop ski resort). I'd like to set up redundant connections to these two sites with automatic failover from ISP A (and all related IPSEC connections) to ISP B when A's network goes down, etc.

I've found recommendations for using either GIF or GRE in the mailing list archives, but little on how to set it up or the relative advantages/disadvantages of these two proposals. It also seems that ifstated could be used to 'manually' insert/remove SAs and flows via ipsecctl.

Does anyone have any thoughts as to which approach is preferable and the relative merits of each?

--
Jeff Simmons
jsimm...@goblin.punk.net