Re: [Openvpn-users] Openvpn Failover configuration


  • Subject: Re: [Openvpn-users] Openvpn Failover configuration
  • From: Giancarlo Razzolini <linux-fan@xxxxxxxxxxx>
  • Date: Mon, 28 Aug 2006 10:27:51 -0300

Charles Duffy wrote:
> Giancarlo Razzolini wrote:
>> Just for an update. I've tested it on the weekend and it worked. Both as
>> a client or server. And both on Windows and OpenBSD. CARP really rocks.
> 
> When you say "it worked" -- you mean the session key didn't need 
> renegotiation (and thus the ping-restart/keepalive timeout never came 
> into effect) during the switchover between servers -- such that a 
> running ping across the VPN during the test indicated continuous uptime?
> 
> Could you post the client logs (verb 3 or better) for the relevant time 
> period? I would be *very* surprised if they don't indicate a 
> renegotiation taking place.
> 
> 
> Unless you're in p2p mode, in which case OpenVPN is (effectively, much 
> closer to) stateless and this all makes sense.
> 
> 

I cannot send the logs now, because I used some VMware virtual machines to
test it and I don't have them near me now. But this is the setup I made:

 ____________                                ____________
  Firewall 1 --Crossover Cable--Pfsync--      Firewall 2
 ____________                                ____________
       |                                           |
       |__________CARP Virtual IP__________________|
                        |
                        |
                ------------------
                 OpenVPN Server or
                      Client
                ------------------

As you can see, as far as the OpenVPN server (or client, it does not
matter) is aware, there is only one gateway machine in front of it. If I
used more than one server behind the CARP routers, with round robin of
them, of course renegotiations would be seen. But, with just one
server, if one of the firewalls goes down, then nothing happens. But on
this setup, they don't. Also, if I was using CARP on the OpenVPN servers
directly, renegotiations would take place also. So, using CARP directly on
the OpenVPN servers isn't a good idea. But also, with some clever NFS
exporting and sharing, I guess it can be achieved. I can retake the
tests and can also send some videos (VMware rocks).

My regards,
-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
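
One way to check the client logs the quoted message asks for, as an added example that is not part of the original post or of OpenVPN: it scans a verb 3 client log for restart and TLS renegotiation messages inside a failover test window. The log lines are constructed samples, and the function names and window times are assumptions.

```python
import re
from datetime import datetime

# Substrings OpenVPN 2.x logs at verb 3 for session-affecting events.
EVENTS = {
    "ping_restart": re.compile(r"Inactivity timeout \(--ping-restart\)"),
    "restart": re.compile(r"SIGUSR1\[.*\] received, process restarting"),
    "init_complete": re.compile(r"Initialization Sequence Completed"),
    "tls_soft_reset": re.compile(r"TLS: soft reset"),
}
STAMP = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")

def parse(log_text):
    """Yield (timestamp, event_name) for every recognised log line."""
    for line in log_text.splitlines():
        m = STAMP.match(line.strip())
        if not m:
            continue  # untimestamped or unrelated line
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        for name, pattern in EVENTS.items():
            if pattern.search(m.group(2)):
                yield when, name

def failover_verdict(log_text, start, end):
    """Classify what the client logged between start and end (inclusive)."""
    seen = {name for when, name in parse(log_text) if start <= when <= end}
    if seen & {"ping_restart", "restart", "init_complete"}:
        return "restarted"      # tunnel torn down and fully renegotiated
    if "tls_soft_reset" in seen:
        return "rekeyed"        # TLS renegotiation on the existing session
    return "uninterrupted"      # no session event during the switchover

# Constructed sample logs (not from the thread); window times are assumptions.
SEAMLESS = """\
Sat Aug 26 14:00:02 2006 Initialization Sequence Completed
Sat Aug 26 15:00:02 2006 TLS: soft reset sec=0 bytes=48211 pkts=612
"""
RESTARTED = """\
Sat Aug 26 14:00:02 2006 Initialization Sequence Completed
Sat Aug 26 14:31:10 2006 Inactivity timeout (--ping-restart), restarting
Sat Aug 26 14:31:10 2006 SIGUSR1[soft,ping-restart] received, process restarting
Sat Aug 26 14:31:17 2006 Initialization Sequence Completed
"""
WINDOW = (datetime(2006, 8, 26, 14, 30), datetime(2006, 8, 26, 14, 35))

if __name__ == "__main__":
    print(failover_verdict(SEAMLESS, *WINDOW))
    print(failover_verdict(RESTARTED, *WINDOW))
```

Set the window to the moment one firewall was taken down plus the client's ping-restart interval, so a delayed keepalive timeout still falls inside it.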