Hi All

Thanks for your feedback.

The guy regarding the Cisco is a CCIE, so I tend to accept his statements quickly enough.

By VPN, I am referring in general terms to the creation of a private network over a public network, of course. I would go with MPLS or another technology; however, again, that is not 100% failsafe.

Their application is a thick app which has allowances for network drops; however, the data is real-time, life-and-death in nature, in that they are a security monitoring company with multiple sites which access data in one location. This is what I must ensure stays up, because staff must be able to handle the alarms.

Roughly 1 million alarms a day go through this network; thus, any outage can result in dropped alarms. Our solutions in both facilities also offer some allowances for drops by caching an alarm until the network returns, however application failures are also bad in this case.

At first I was looking at BGP, and I have used it in the past, but with its convergence time in a net-down situation, it doesn't come close to the time required.

Personally, I think any solution that can rebuild in 10-30 seconds is a very solid solution. If they are not happy with that, I could recommend a very expensive alternative but that won't fly.

Stuart, do you know of some sources I should review on the idea you mentioned?

I am also looking at multi-segmenting the locations' systems and having their applications account for loss by failing over to the second IP.

Fun little project; the very small to almost nil budget is the challenge.

Cheers

James
----- Original Message -----
From: "Stuart Henderson" <s...@spacehopper.org>
To: <misc@openbsd.org>
Sent: Friday, May 29, 2009 7:37 PM
Subject: Re: multilink VPN


On 2009-05-29, Toni Mueller <openbsd-m...@oeko.net> wrote:
> On Wed, 27.05.2009 at 22:07:25 -0300, James Mackinnon <jmackin...@devantec.com> wrote:
>> I need to set up redundant VPNs between these locations without the use of
>> BGP.
>>
>> I have used sasync, pfsync etc. in the past; however, I have not tried to set up a VPN where 2 ISPs are used without the ISPs being set up with BGP. Because BGP convergence can take a bit of time, and the network in this case not being
>> able to drop for 1 second, I need to determine what option is best.
>
> I heavily doubt that you'll be able to keep the network up at all
> times because even CARP failover will take longer than one second.

OSPF over gre's or gif's (which can then themselves be protected by
ipsec) is probably the fastest option at present on OpenBSD. You're
restricted to the lowest value you can set router-dead-time to; with
very aggressive timers (which are likely to cause problems with
false drops) that's 2 seconds. 3-4 seconds (with hellos at a second)
is more realistic for fast recovery over ethernet or some good quality
pseudowire circuit. Not sure exactly what you mean by "VPN" as it's not
a well defined term, but you should look at that carefully. e.g. Rekeying
can be a little on the slow side; you want to avoid this happening
on both connections at the same time.

> I strongly suspect that if you really want to force less than 1 second
> of downtime even in the case of error, then you need to swap IP for a
> real high-reliability type of connection like telcos use in their long
> hauls (eg. SDH).

BFD can be quite quick.

> In some parts of the world these better types of connection are simply
> not available.

If you're used to what's available in Europe (1Gb ethernet-presented
private circuit over about 15 miles for GBP21K/year?) you will find the
situation in some places absolutely unbelievable.
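For reference, this is what the setup Stuart describes (OSPF hellos across two gif tunnels, one per ISP, with each tunnel's outer packets protected by IPsec transport mode) looks like in configuration form on one of the two OpenBSD gateways. It is an added example, not from this thread or from the OpenBSD project; the addresses, the interface names, the PSK placeholder and the staggered SA lifetimes are assumptions made for illustration, and the timers use the 1 s hello / 3 s dead-time figures from the message above rather than the 2 s floor.

```conf
# ---- /etc/hostname.gif0 : tunnel over ISP A (constructed addresses) ----
# outer: this site's ISP-A address -> peer's ISP-A address
tunnel 192.0.2.10 198.51.100.10
# inner point-to-point /30 that OSPF will run over
inet 10.255.0.1 255.255.255.252 10.255.0.2
up

# ---- /etc/hostname.gif1 : tunnel over ISP B (constructed addresses) ----
tunnel 203.0.113.10 198.51.100.20
inet 10.255.0.5 255.255.255.252 10.255.0.6
up

# ---- /etc/ipsec.conf : protect only the gif outer traffic (proto 4, "ipencap") ----
# Different phase-2 lifetimes on the two SAs so both tunnels do not
# rekey at the same moment (assumption: this is enough to stagger them).
ike esp transport proto ipencap from 192.0.2.10 to 198.51.100.10 \
    lifetime 60m psk "REPLACE-WITH-A-LONG-RANDOM-SECRET-A"
ike esp transport proto ipencap from 203.0.113.10 to 198.51.100.20 \
    lifetime 45m psk "REPLACE-WITH-A-LONG-RANDOM-SECRET-B"

# ---- /etc/ospfd.conf : fast neighbour detection across both tunnels ----
router-id 10.255.0.1
fib-update yes

area 0.0.0.0 {
    # Preferred path (ISP A): lower metric
    interface gif0 {
        hello-interval 1
        router-dead-time 3
        metric 10
    }
    # Backup path (ISP B): higher metric, same aggressive timers
    interface gif1 {
        hello-interval 1
        router-dead-time 3
        metric 20
    }
    # Site LAN: advertised into OSPF, but no hellos sent on it
    interface em0 {
        passive
    }
}
```

The peer gateway mirrors this with the addresses swapped. With isakmpd -K running, load the policy with ipsecctl -f /etc/ipsec.conf, bring the tunnels up with sh /etc/netstart gif0 gif1, then confirm both neighbours reach FULL in ospfctl show neighbor and that both SAs are present in ipsecctl -sa. Pulling the ISP A uplink should move the route to gif1 roughly within router-dead-time; if neighbours flap on a quiet link, the timers are too tight for that circuit, which is the false-drop problem mentioned above.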
