From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] PPP Tunnel using iproute2/tun interface
Date: Wed, 21 Mar 2012 09:37:51 +0000
User-Agent: KMail/1.13.7 (Linux/3.2.1-gentoo-r2; KDE/4.7.4; x86_64; ; )
References: <65496747.528.1332295503067.JavaMail.root@saya.mjhnosekai.com>
In-Reply-To: <65496747.528.1332295503067.JavaMail.root@saya.mjhnosekai.com>

On Wednesday 21 Mar 2012 02:05:03 Michael J. Hill wrote:
> Hello,
>
> In testing, I have gotten this setup to work by manually completing the
> necessary steps; however, I am now looking to have everything completed
> automatically so as to ensure my setup persists over a reboot.
>
> Firstly, an outline of what I am doing:
> * I have a Gentoo VM running at home, functioning as my firewall/router,
>   which works perfectly fine.
> * Said VM has established an IPSEC tunnel to a dedicated server using
>   OpenSWAN. This also works perfectly fine.
> * A tun0 interface is created on both devices, setting up an IPIP PPP
>   tunnel that sits on top of the IPSEC tunnel.
> * Firewall and Routing rules are in place to perform policy-based routing
>   over this tun0 interface. This again, works perfectly fine.
>
> For the rest, the following configuration is worth noting:
> * The dedicated server is running CentOS 6, not that this is of necessary
>   import for this configuration.
> * 172.18.0.1 resides on the dedicated server.
> * 10.0.0.1 is the management IP of my Gentoo VM, and serves as its identity
>   as well.
> * 172.18.1.0/24 is the network utilized for the tunnel, with 172.18.1.1 on
>   the dedicated server, and 172.18.1.2 on the Gentoo VM.
>
> In effect, the first thing I need to do, is automate the IPIP PPP tunnel
> setup so that the device can persist over a reboot. I can create it
> manually right now, no problem, with the following command strings:
> # ip tunnel add tun0 mode ipip remote 172.18.0.1 local 10.0.0.1
> # ip addr add 172.18.1.2/24 dev tun0
> # ip link set tun0 mtu 1500
> # ip link set tun0 up
>
> This all works perfectly fine, and tun0 is created after running the first
> command. Now I need this to persist a reboot. I wanted to handle this
> through OpenRC, since I can then do dependency resolution, and make sure
> the tunnel comes up only if the IPSEC tunnel is up and running. That being
> said, I added the following to /etc/conf.d/net:

Shouldn't you create the ipip tunnel here first?

Something like:

iptunnel_tun0="mode ipip remote 172.18.0.1 ttl 255"  # not sure if local is
required, you can try with & without.


> link_tun0="ipsec0"  #Not sure this is correct, shouldn't it be an iface?

> config_tun0="172.18.1.2 netmask 255.255.255.0 brd 172.18.1.255"
> dns_servers_tun0="10.0.1.2"
> routes_tun0=(
> "64.20.39.38/32 via 172.18.1.1"
> "default via 172.18.1.1 table ipsec"
> )
> mtu_tun0="1500"
> iptunnel_tun0_remote="172.18.0.1"
> iptunnel_tun0_local="10.0.0.1"
> iptunnel_tun0_mode="ipip remote ${iptunnel_tun0_remote} local ${iptunnel_tun0_local} dev ${link_tun0}"
> rc_net_tun0_need="ipsec"
> preup() {
> # If the link does not exist, return now, it's a tunnel!
> ip link show dev ${IFACE} 2>/dev/null || return 0
> }
>
> Now, the configuration does reflect an additional item not in my original
> setup, which links tun0 to the ipsec0 interface. I've tested with and
> without this, and it doesn't work. Attempting to bring up the interface
> using rc-service results in the following error:
> Cannot find device "tun0"
> * ERROR: interface tun0 does not exist
> * Ensure that you have loaded the correct kernel module for your hardware
> * ERROR: net.tun0 failed to start
>
> I could easily script all this out, and probably call it through rc.local,
> but I'd rather be able to utilize the dependency resolution to make sure
> all the necessary components are up.
>
> Any insights on getting it to behave?
>
> Michael Hill

-- 
Regards,
Mick
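An added example, not from the thread: it parses a netifrc-style /etc/conf.d/net fragment and renders the ip(8) commands it implies, refusing to proceed when no iptunnel_tun0 line exists to create the device, which is the situation behind the "interface tun0 does not exist" error quoted above. The sample fragment, the parser and the assumption that the rendered command list mirrors what the iptunnel module runs are all constructed here, not netifrc's own code.

```python
import ipaddress
import re

# Constructed /etc/conf.d/net fragment: the poster's addressing lines plus
# the iptunnel_tun0 line Mick suggests (with local added, comment kept).
CONF = '''
iptunnel_tun0="mode ipip remote 172.18.0.1 local 10.0.0.1 ttl 255"  # local optional?
config_tun0="172.18.1.2 netmask 255.255.255.0 brd 172.18.1.255"
mtu_tun0="1500"
rc_net_tun0_need="ipsec"
'''

# Scalar var="value" lines only; bash arrays such as routes_tun0=( ... ) are skipped.
VAR_RE = re.compile(r'^\s*([A-Za-z_]\w*)="([^"]*)"\s*(?:#.*)?$')


def parse_conf(text):
    """Return {name: value} for the scalar assignments in a conf.d/net fragment."""
    out = {}
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def to_cidr(config):
    """Turn netifrc's 'addr netmask MASK [brd BCAST]' into 'addr/prefix [brd BCAST]'."""
    parts = config.split()
    mask = parts[parts.index("netmask") + 1]
    cidr = ipaddress.ip_interface(f"{parts[0]}/{mask}").with_prefixlen
    if "brd" in parts:
        cidr += " brd " + parts[parts.index("brd") + 1]
    return cidr


def render(conf, iface):
    """ip(8) commands the fragment implies for iface (assumed to mirror the
    iptunnel module). Only iptunnel_<iface> creates the device; without it every
    later step would hit 'Cannot find device', so fail loudly up front."""
    tun = conf.get(f"iptunnel_{iface}")
    if tun is None:
        raise ValueError(f"no iptunnel_{iface}: nothing creates the device")
    cmds = [f"ip tunnel add {iface} {tun}"]
    if f"config_{iface}" in conf:
        cmds.append(f"ip addr add {to_cidr(conf[f'config_{iface}'])} dev {iface}")
    if f"mtu_{iface}" in conf:
        cmds.append(f"ip link set {iface} mtu {conf[f'mtu_{iface}']}")
    cmds.append(f"ip link set {iface} up")
    return cmds
```

Running `render(parse_conf(CONF), "tun0")` yields the same four commands the poster types by hand; feeding it the poster's original fragment, which has no iptunnel_tun0, raises instead of producing a command list.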
