I'm looking at the viability of creating a cluster of OpenBSD boxes
running CARP, pf and IPsec to create a firewall of sorts. The idea here
is to secure the communication of a legacy client application to a
server. PeopleSoft and Oracle are the applications.

I don't want to buy commercial gates for this.

How do you calculate the sizing of IPsec tunnels? Can I create 20,000
tunnels on several OpenBSD boxes and use CARP and associated tools to
load balance and provide redundancy?

The next issue is: How can we plug it into an LDAP for the tunnel
authentications?

Thoughts, suggestions and advice are greatly appreciated.

Of course, any lessons learned would have a fun impact on the commercial
gates already installed elsewhere. :-)

Mario