tomclegg.net
Provide redundant VPN tunnels using m0n0wall

Posted February 10, 2006

I haven't done this yet, but I'd like to. If you have money to spend on this problem, call me.

Motivation

You have one main office and five remote offices. Each office has an ADSL internet connection. Computers in the remote offices need to connect to a server at the main office, and the server needs to connect to print servers at the remote offices. You buy some VPN routers and everything works. The only problem is that the ADSL connection stops working sometimes. You order cable internet at each office to use as a backup, and you buy routers from a vendor (perhaps Cisco, SonicWall, Symantec, or Juniper) who promises that its VPN tunnels will automatically switch to the second ISP when the first ISP isn't working. Unfortunately, the vendor has never been able to make this work: when ADSL fails, the VPN tunnels stop working.

Solution

Each office has three routers.

Router 1 (m0n0wall) uses the ADSL connection to provide internet access and to establish VPN tunnels to the routers at the other offices.

Router 2 (m0n0wall) uses the cable connection to provide internet access and to establish its own VPN tunnels to the routers at the other offices.

Router 3 (a m0n0wall derivative) continuously tests Router 1 and Router 2 by sending packets through their VPN tunnels to each of the remote subnets, and maintains its routing table according to which subnets are currently reachable through Router 1 and which through Router 2. It also continuously tests Router 1 and Router 2 for internet connectivity and adjusts its default route accordingly. Devices on the LAN use Router 3 as their default gateway, so they never need to know which ISP is working.

A WRAP-based m0n0wall router can be built for under $300 Canadian, so the total hardware cost for six offices (three routers each) is under $6000. There are no licensing costs.

Tricky parts

What if ADSL is down at the main office and cable is down at one of the remote offices? Will remote Router 1 establish a tunnel with main Router 2? If so, when remote Router 2 comes back up, will main Router 2 get confused because two authenticated endpoints are fighting for a tunnel to the same subnet?
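The Router 3 behaviour described under Solution, written out as an added example; this is not code from the page and not part of m0n0wall. It is a POSIX sh watchdog for a FreeBSD-based router, and everything in it is assumed: Router 1 and Router 2 sit on the LAN at 192.168.0.1 and 192.168.0.2, the remote office LANs are 10.1.0.0/24 and 10.2.0.0/24 with that office's Router 1 and Router 2 at .1 and .2, and 198.51.100.1 and 203.0.113.1 stand in for two public hosts that answer ping. The script pins one probe address per destination through each local router with a permanent host route, pings both, and moves the destination's route to a router whose probe still answers. Two details a practitioner would want: the probe targets for a remote LAN are that office's own VPN routers, because a reply from any other remote host would be sent back by the remote Router 3 over whichever tunnel it currently prefers and would say nothing about which local tunnel works; and the chosen gateway is sticky, so a flapping ADSL line does not yank routes back and forth on every round.

```shell
#!/bin/sh
# Hypothetical failover watchdog for "Router 3" (added example, not m0n0wall code).
# Assumed addressing throughout; adjust R1/R2/TARGETS for a real deployment.
set -u

R1=192.168.0.1        # assumed LAN address of Router 1 (ADSL and its VPN tunnels)
R2=192.168.0.2        # assumed LAN address of Router 2 (cable and its VPN tunnels)
INTERVAL=10           # seconds between probe rounds
STATE=${STATE:-/var/run/failover}   # one small file per destination (sh has no arrays)

# "destination probe_via_r1 probe_via_r2", all assumed addresses. For a remote
# LAN the probes are that office's own Router 1 and Router 2, whose replies must
# come back through the same tunnel they arrived on. For the default route the
# probes are two always-up public hosts (documentation-range placeholders here).
TARGETS="10.1.0.0/24 10.1.0.1 10.1.0.2
10.2.0.0/24 10.2.0.1 10.2.0.2
default 198.51.100.1 203.0.113.1"

# run_route ARGS...: wrapper so DRY_RUN=1 prints route(8) commands instead of running them
run_route() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "route -n $*"; else route -n "$@" >/dev/null; fi
}

# install_pins: once at startup, pin each probe address to its router with a host
# route, so a probe for it always leaves via that router no matter where the
# destination route currently points.
install_pins() {
  echo "$TARGETS" | while read -r dest p1 p2; do
    run_route add -host "$p1" "$R1"
    run_route add -host "$p2" "$R2"
  done
}

# probe ADDR -> exit 0 if ADDR answered. Three attempts, and ping exits 0 if any
# reply arrives, so one lost packet does not count as an outage.
probe() { ping -q -c 3 "$1" >/dev/null 2>&1; }

# pick_gateway R1_STATUS R2_STATUS CURRENT -> gateway to use, or "none".
# Sticky: keep the router we are on while it still works. Otherwise prefer
# Router 1 (ADSL), then Router 2, then withdraw the route (a known-dead route
# gains nothing and hides the outage).
pick_gateway() {
  r1_ok=$1; r2_ok=$2; cur=$3
  if [ "$cur" = "$R1" ] && [ "$r1_ok" = 0 ]; then echo "$R1"; return; fi
  if [ "$cur" = "$R2" ] && [ "$r2_ok" = 0 ]; then echo "$R2"; return; fi
  if [ "$r1_ok" = 0 ]; then echo "$R1"
  elif [ "$r2_ok" = 0 ]; then echo "$R2"
  else echo none; fi
}

# route_args DEST -> the route(8) destination spec ("default" or "-net X/Y")
route_args() { if [ "$1" = default ]; then echo default; else echo "-net $1"; fi; }

state_file() { echo "$STATE/$(echo "$1" | tr / _)"; }

# current_gateway DEST -> gateway we last installed for DEST, or "none"
current_gateway() { cat "$(state_file "$1")" 2>/dev/null || echo none; }

# set_gateway DEST GW: add, change or delete DEST's route and record the result
set_gateway() {
  dest=$1; gw=$2; cur=$(current_gateway "$dest")
  [ "$gw" = "$cur" ] && return 0
  spec=$(route_args "$dest")
  if [ "$gw" = none ]; then
    run_route delete $spec
  elif [ "$cur" = none ]; then
    run_route add $spec "$gw"
  else
    run_route change $spec "$gw"
  fi
  echo "failover: $dest: $cur -> $gw" >&2
  mkdir -p "$STATE" && echo "$gw" > "$(state_file "$dest")"
}

# one_round: probe every destination through both routers and reconcile the table
one_round() {
  echo "$TARGETS" | while read -r dest p1 p2; do
    probe "$p1"; r1=$?
    probe "$p2"; r2=$?
    set_gateway "$dest" "$(pick_gateway "$r1" "$r2" "$(current_gateway "$dest")")"
  done
}

# Daemon mode: `failover.sh run`. Without the argument only the functions are
# defined, so the file can be sourced and exercised without touching routes.
if [ "${1:-}" = run ]; then
  install_pins
  while :; do one_round; sleep "$INTERVAL"; done
fi
```

Run it as `failover.sh run` from Router 3's startup; with `DRY_RUN=1` it prints the route(8) commands it would issue. It only answers the first tricky question from Router 3's point of view (a remote subnet stays reachable as long as either local router has a working tunnel to it); whether two endpoints can fight over the same tunnel is a problem for Routers 1 and 2 and their VPN configuration, not for this script.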