From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] GRE link state detection
Date: Sat, 7 Sep 2013 19:23:37 +0100
User-Agent: KMail/1.13.7 (Linux/3.10.7-gentoo; KDE/4.10.5; x86_64; ; )
In-Reply-To: <52289A13.6010403@thegeezer.net>
Message-Id: <201309071923.39255.michaelkintzios@gmail.com>

On Thursday 05 Sep 2013 15:49:55 thegeezer wrote:
> Howdy all,
> I was wondering if anyone has any idea if there is a means by which I
> can detect GRE link state?
>
> What I have is two sites, each with two very unstable internet links.
> In order to VPN between them I have IPsec tunnels linking each side
> twice (four IPsec tunnels in total).

I am not sure why you need 4 tunnels, you could just use 1 tunnel as a gateway
to gateway setup, but I assume that your particular network topology satisfies
your requirements.

> I then have 4x GRE tunnels over the top of those in order that I have a
> secured routable VPN.
> This gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3.
> Finally I run BIRD over the top, which works very well, and synchronises
> routing tables between the two sites, and allows for me to do such fun as
> # /etc/init.d/net.vpn0 stop
> and watch all traffic automagically cut over to another link.
>
> So far so awesome.
>
> However, as I said, the internet links are very unstable, and sometimes
> just blackhole. So what I was hoping to do is just enable keepalives on
> the GRE tunnel, which sadly seems to be Cisco only.

I'm no Cisco expert, but I thought that the keepalives are disabled when you
use IPSec, because IPSec had Dead Peer Detection for this purpose?

> Can anyone suggest a way of detecting if the GRE is not fully connected?
> BIRD only fails over if the net.vpn0 device is down (ifconfig up/down)
> and for the life of me I cannot find how to detect if a GRE tunnel is
> 'connected'; it seems to just blindly send packets to the remote IP.
> Is my only choice to use L2TP instead?

Set your IKE lifetime to something like 86400 sec and your SA lifetime to
something like 3600, with dpd enabled, and it should (hopefully) work. L2TP is
not needed.

-- 
Regards,
Mick
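The GRE keepalive the original poster was looking for can be approximated from user space on the Linux side, alongside Mick's DPD suggestion. The script below is an added example, not code from anyone in the thread; it assumes each GRE device has a far-end inner address to probe (the addresses used are constructed placeholders), that ping is Linux iputils and iproute2 is installed, and that BIRD withdraws routes when the device goes down, as the poster describes.

```shell
#!/bin/sh
# Added example, not code from the thread: a user-space keepalive for the GRE
# devices vpn0..vpn3 described by the original poster. Each tunnel is probed over
# itself; after MAX_FAILS consecutive failed checks the device is set down so BIRD
# withdraws its routes and traffic fails over. Peer addresses are constructed
# placeholders; ping is assumed to be iputils (summary line contains "N received").
PROBES=3        # echo requests per check
MIN_ANSWERED=1  # a check passes if at least this many replies arrive
MAX_FAILS=3     # consecutive failed checks before the device is taken down
STATE_DIR=${STATE_DIR:-/run/gre-keepalive}
# Inner tunnel address of the far end, one "iface peer" pair per line (constructed).
TUNNELS='vpn0 10.255.0.1
vpn1 10.255.1.1
vpn2 10.255.2.1
vpn3 10.255.3.1'

# Pull the "received" count out of an iputils ping summary read from stdin.
answered_from_ping_output() {
    sed -n 's/.*[[:space:]]\([0-9][0-9]*\) received.*/\1/p' | head -n 1
}
# Probe one tunnel with the GRE device forced as egress; prints the reply count
# (0 when the device is missing or ping produced no summary line).
probe_tunnel() {  # <iface> <peer_ip>
    n=$(ping -c "$PROBES" -W 1 -I "$1" "$2" 2>/dev/null | answered_from_ping_output)
    echo "${n:-0}"
}
# New consecutive-failure count: reset on a passing check, otherwise increment.
next_fail_count() {  # <current_fails> <answered>
    if [ "$2" -ge "$MIN_ANSWERED" ]; then echo 0; else echo $(( $1 + 1 )); fi
}
# Succeeds once the failure count has reached the threshold (hysteresis against flaps).
should_take_down() { [ "$1" -ge "$MAX_FAILS" ]; }

# One pass over all tunnels; counters persist in STATE_DIR so cron-driven runs work.
check_all() {
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$TUNNELS" | while read -r iface peer; do
        f="$STATE_DIR/$iface"; cur=$(cat "$f" 2>/dev/null); cur=${cur:-0}
        new=$(next_fail_count "$cur" "$(probe_tunnel "$iface" "$peer")")
        echo "$new" > "$f"
        if should_take_down "$new"; then
            logger -t gre-keepalive "$iface: $new consecutive failed checks, setting down"
            ip link set dev "$iface" down && echo 0 > "$f"
        fi
    done
}
# Run one pass only when invoked as `sh gre-keepalive.sh run` (e.g. from cron every minute).
if [ "${1-}" = run ]; then check_all; fi
```

Recovery is deliberately not automated: once a device is down it cannot be probed over itself, so bringing it back up is left to the operator or to a separate check of the underlying link.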