I have a client using freeswan on a central Linux server with Cisco 837 DSL 
modem/routers at the remote end. The configuration is ipinip tunnels with freeswan 
protecting the tunnel (protocol 4).
Currently there are about 8 tunnels but they're presently adding one or two a week and 
I expect they'll get up to 20 or so.
 
The server is Intel branded, but is a few years old and isn't covered by any form of 
service agreement. In any case, they probably couldn't afford for it to go down for 
any length of time so I'd like to add in some form of high availability/redundancy. My 
preferences are, in order of least to most desirable:
 
1. Cold standby server. If the main server melts, the backup is turned on and takes 
over. Easily done.
2. Hot(ish) standby server. Using MAC/IP address takeover it can automatically step in 
in the case of an outage, although tunnels would need to be re-negotiated etc. as all 
the SAs would be on the broken server.
3. Hot standby server. As above but keeps track of SAs as negotiated by the main 
server so it can literally step in and take over without any loss of connectivity.
4. Load balancing. As above but both servers are sharing the load. If one breaks the 
other just steps in and takes the connections the broken one was serving. Possibly 
scalable to >2 servers.
 
#3 & #4 would, I think, require a lot of work on the freeswan side of things. Can 
anyone make any comment on #2? It sounds achievable given the current set of ha-linux 
tools.
 
Anyone done this before?
 
Thanks
(and please cc me if you reply, I'm not subscribed to the list and there appear to be 
no August archives)
(I have tried subscribing a few times but it never worked)
 
James
 
