<BlessJah>
I need to provide ipsec to our infra in OVH
<BlessJah>
at the moment we have just one node with ipsec acting as a router, but SPOF did bite us a few times already
<BlessJah>
I thought I'd have 3 VMs with routing, VRRP, IPsec, Firewall (yay! it's high time). Pleased with my experience with EdgeOS (the way config is handled is really nice) I looked into VyOS - unfortunately they're stuck with debian 6.0 (EOL), transitioning to 8.0 (which already hit oldstable).
<BlessJah>
I saw that NixOS has nat, keepalived (VRRP), libre/strongswan, firewall
<BlessJah>
is it, in your opinion, a viable choice, or should I go with VyOS/pfSense or build something on top of debian?
<clever>
BlessJah: I've not done much with ipsec, I've only used openvpn and toxvpn
<cransom>
BlessJah: my last big project, I wanted to use nixos for a routing/firewalling/ipsec box that was connecting to AWS. vyos was basically trivial for redundant ipsec connections via route based tunnels and that functionality doesn't exist in nixos yet.
<cransom>
big networking project, that is
<cransom>
the downside is yes, old and hardware support is lacking. but it does work
<BlessJah>
cransom: single router with redundant tunnels (dual wan failover style) or redundant routers providing same tunnel?
<cransom>
each router, redundant tunnels on each.
<cransom>
but that comes down to topology and what you are doing and how fancy you get.
<BlessJah>
I have one tunnel so VRRP is enough. Two actually but destinations are different so that still holds.
<cransom>
no vrrp/keepalived there. redundancy was via routing protocols and the switch down stream was the default route for the hosts.
<BlessJah>
routing as in rip/eigrp or something simpler?
<cransom>
bgp
<BlessJah>
if the hosts talked bgp, then setup was more fancy than what I want to have
<cransom>
eigrp is cisco proprietary and rip is poor compared to bgp/ospf.
<cransom>
the switch did ospf. there was no need for that situation for end hosts to run a routing protocol.
<BlessJah>
I'm not sure that's what a switch is supposed to do (or was it an L3 switch?)
<cransom>
layer 3 switch.
<BlessJah>
kk
<BlessJah>
anyway, my hosts are OVH dedicated boxes connected via vRack (virtual L2 switch) and VMs running on them
<BlessJah>
I'll try to configure 3 VMs with keepalived and ipsec, so in case a box/vm dies or a network partition happens, a new router is elected as master (even if there'll be two of them)
* BlessJah
IHaveNoIdeaWhatImDoing.jpeg
<cransom>
remember to craft your iptables rules so that you aren't bitten by stateful firewalls
<BlessJah>
I'm okayish with resetting connections, that's still a huge upgrade over node-01 terminating ipsec and serving as a router
<BlessJah>
retiring the excel spreadsheet with routes to apply after a cluster or node reboot will feel great
<cransom>
those aren't in start scripts?
<BlessJah>
honestly dunno, I know there is such a document and I wasn't the one to reassemble the cluster after the last outage