[aklug] Re: Bonding multiple network connections

From: Shane Spencer <shane@bogomip.com>
Date: Fri Jan 22 2010 - 09:09:46 AKST

On Fri, Jan 22, 2010 at 12:41 AM, Arthur Corliss
<acorliss@nevaeh-linux.org> wrote:
>
> FYI: As long as you're relying on your black-boxed router you can't
> guarantee that your two VPNs will be on separate connections. Not unless
> you're going to guarantee that *all* other traffic ceases during the time
> you set up the connections. If you can get two different IPs for each VPN
> termination in the data center, you may be able to set preferred paths for
> each using static routes, though. That would solve that problem.

Agreed, it is good to have a box on the edge so that you can run the
tunnels with interface/IP binding to make outbound route selection
proper. However, if you have a black-boxed router that allows multiple
WAN interfaces as well as DNAT/SNAT to internal hosts from any of the
WANs, you can set up multiple internal IPs on your tunnel server and
bind specifically to those two addresses.

10.0.0.55:ports <-> 209.112.112.196:ports
10.0.0.56:ports <-> 66.7.8.21:ports

I've had to do this in the past. It wasn't that practical but it got
the job done.

> Let me know if you get this to work. I do bonding all the time, but I've
> never tried it over pppd connections. Miimon support is usually
> required in the base driver you're bonding for link detection.

I use ARP-based/protocol-based link state detection depending on the
bonding method. You typically don't need MII if your OpenVPN tunnel
devices (non-persistent) suddenly don't exist (thanks to the internal
ping timeout settings of the OpenVPN tunnel).

> Personally, after what Shane said about the multilink stuff I'd think it
> would be easier to automate non-persistent connections setup/tear-down than
> bonding. I'd seriously consider exploring that avenue first.

Bonding can be made non-persistent as long as you don't mind a little
packet loss when you remove/add slaves to the bond interface.
BTW the /sys/ access to the bonding interface is amazingly cool if
you've ever wanted to use the bonding module without setting up module
parameters. Debian's ifenslave adds some wonderful post/pre scripts to
ifupdown that use it.

And ML-PPP is completely non-persistent.

So where to now folks?

- Shane
Received on Fri Jan 22 09:10:17 2010
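
The /sys interface to the bonding driver mentioned in the message above, with ARP monitoring for link detection, as an added example that is not part of the original post. The names bond0, tap0/tap1 and 10.8.0.1 and the SYSFS_NET/IP_CMD overrides are assumptions, and the bonding module is assumed to be loaded.

```shell
#!/bin/sh
# Added example (not from the original post): drive the bonding driver via sysfs.
# Assumed names: bond0, tap0/tap1 (OpenVPN tap devices), 10.8.0.1 (ARP target).
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"  # override to rehearse on a scratch dir
IP_CMD="${IP_CMD:-ip}"                    # override with "true" for a dry run

# bond_is_slave BOND DEV: succeed if DEV is listed in the bond's slaves file.
bond_is_slave() {
    case " $(cat "$SYSFS_NET/$1/bonding/slaves" 2>/dev/null) " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# bond_create BOND MODE ARP_TARGET [INTERVAL_MS]
# Uses ARP monitoring rather than miimon for link detection.
bond_create() {
    [ -d "$SYSFS_NET/$1" ] || echo "+$1" > "$SYSFS_NET/bonding_masters" || return 1
    # The mode can only be changed while the bond is down and has no slaves.
    "$IP_CMD" link set dev "$1" down || return 1
    echo "$2" > "$SYSFS_NET/$1/bonding/mode" || return 1
    echo "${4:-1000}" > "$SYSFS_NET/$1/bonding/arp_interval" || return 1
    echo "+$3" > "$SYSFS_NET/$1/bonding/arp_ip_target" || return 1
    "$IP_CMD" link set dev "$1" up
}

# bond_add_slave BOND DEV: idempotent; fails if the tunnel device is absent.
bond_add_slave() {
    [ -e "$SYSFS_NET/$2" ] || { echo "$2: no such device" >&2; return 1; }
    bond_is_slave "$1" "$2" && return 0
    "$IP_CMD" link set dev "$2" down || return 1   # enslave while the device is down
    echo "+$2" > "$SYSFS_NET/$1/bonding/slaves"
}

# bond_remove_slave BOND DEV: idempotent; a no-op if DEV is not enslaved.
bond_remove_slave() {
    bond_is_slave "$1" "$2" || return 0
    echo "-$2" > "$SYSFS_NET/$1/bonding/slaves"
}

# Typical use as root, e.g. from per-tunnel up/down hooks:
#   bond_create bond0 active-backup 10.8.0.1
#   bond_add_slave bond0 tap0 && bond_add_slave bond0 tap1
#   bond_remove_slave bond0 tap1
```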
