* [gentoo-user] GRE link state detection
From: thegeezer @ 2013-09-05 14:49 UTC
To: gentoo-user
Howdy all,
i was wondering if anyone has any idea if there is a means by which i
can detect GRE link state ?
what i have is two sites each with two very unstable internet links
in order to vpn between them i have ipsec tunnels linking each side
twice (four ipsec tunnels in total)
i then have 4x GRE tunnels over the top of those in order that i have a
secured routable VPN
this gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3
finally i run BIRD over the top which works very well, and synchronises
routing tables between the two sites, and allows for me to do such fun as
# /etc/init.d/net.vpn0 stop
and watch all traffic automagically cut over to another link.
so far so awesome.
however, as i said the internet links are very unstable, and sometimes
just blackhole. so what i was hoping to do is just enable keepalives on
the gre tunnel. which sadly seems to be cisco only.
can anyone suggest a way of detecting if the GRE is not fully connected ?
BIRD only fails over if the net.vpn0 device is down (ifconfig up/down)
and for the life of me i cannot find how to detect if a GRE tunnel is
'connected', it seems to just blindly send packets to the remote IP.
is my only choice to use L2TP instead ?
thanks in advance for any suggestions; if anyone would like the configs
in order to set this up let me know and i'll reply to list with a mini-howto
PS if i'm on the wrong list i'd welcome a friendly push to the correct list
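The failover the post describes rests entirely on BIRD seeing the net.vpnN device go down, so one way to close the gap between "the device is up" and "the far end actually answers" is a small watchdog that probes the peer through the tunnel itself and flaps the interface's init script on sustained silence. The script below is an added example, not code from the thread or from BIRD; it assumes the interface is vpn0 with init script /etc/init.d/net.vpn0 (as in the post), a constructed tunnel-inner peer address of 10.0.0.2, and iputils ping.

```shell
#!/bin/sh
# gre-watch: poll the far end of a GRE tunnel through the tunnel itself and
# stop/start the interface's init script so that BIRD, which only reacts to
# the device going down, fails over to another net.vpnN.
# Added example, not from the thread. Assumed names: interface vpn0 with
# /etc/init.d/net.vpn0 (as in the original post) and a constructed
# tunnel-inner peer address 10.0.0.2.

log() { printf '%s gre-watch: %s\n' "$(date '+%F %T')" "$*" >&2; }

# One step of the liveness state machine (pure, no side effects).
#   $1 current state: up | down
#   $2 probe exit code (0 = peer answered)
#   $3 consecutive misses so far
#   $4 misses tolerated before the tunnel is declared dead
# Echoes "<next_state> <misses>".
gre_step() {
    state=$1 rc=$2 misses=$3 threshold=$4
    if [ "$rc" -eq 0 ]; then
        echo "up 0"                      # any answer clears the miss counter
        return 0
    fi
    misses=$((misses + 1))
    if [ "$state" = up ] && [ "$misses" -ge "$threshold" ]; then
        echo "down $misses"
    else
        echo "$state $misses"            # still counting, or already down
    fi
}

# Send one ICMP echo to the peer, bound to the tunnel interface so the probe
# cannot be answered via some other route; 1 s timeout per probe.
gre_probe() { ping -c 1 -W 1 -I "$1" "$2" >/dev/null 2>&1; }

# Monitor loop. While up, probe every $interval seconds. While down, the
# interface is started every $recheck seconds just long enough to probe,
# and stopped again if the peer is still silent.
gre_watch() {
    ifname=$1 peer=$2 interval=$3 threshold=$4 recheck=$5
    state=up misses=0
    while :; do
        if [ "$state" = down ]; then
            /etc/init.d/"net.$ifname" start >/dev/null 2>&1
        fi
        gre_probe "$ifname" "$peer"; rc=$?
        set -- $(gre_step "$state" "$rc" "$misses" "$threshold")
        next=$1 misses=$2
        case "$state-$next" in
            up-down)   log "$ifname: $peer silent for $misses probes, stopping"
                       /etc/init.d/"net.$ifname" stop ;;
            down-down) log "$ifname: $peer still silent, stopping again"
                       /etc/init.d/"net.$ifname" stop ;;
            down-up)   log "$ifname: $peer answers again, leaving up" ;;
        esac
        state=$next
        if [ "$state" = up ]; then sleep "$interval"; else sleep "$recheck"; fi
    done
}

# Runs only when the tunnel is named in the environment, e.g.
#   GRE_WATCH_IF=vpn0 GRE_WATCH_PEER=10.0.0.2 sh gre-watch.sh
if [ -n "${GRE_WATCH_IF:-}" ]; then
    gre_watch "$GRE_WATCH_IF" "${GRE_WATCH_PEER:-10.0.0.2}" 5 3 60
fi
```

With the defaults above a blackholed link is declared dead after three missed one-second probes five seconds apart, well inside the 30-second floor the original poster later reports for DPD. The trade-off is in the down state: the watchdog has to bring the interface up briefly to re-test it, and BIRD will readvertise routes over the tunnel for that moment, so the recheck period should be long relative to the probe interval, and an IPsec DPD setting tuned as later replies suggest can be run alongside it as the slower, authenticated check.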
* Re: [gentoo-user] GRE link state detection
From: Mick @ 2013-09-07 18:23 UTC
To: gentoo-user
On Thursday 05 Sep 2013 15:49:55 thegeezer wrote:
> Howdy all,
> i was wondering if anyone has any idea if there is a means by which i
> can detect GRE link state ?
>
> what i have is two sites each with two very unstable internet links
> in order to vpn between them i have ipsec tunnels linking each side
> twice (four ipsec tunnels in total)
I am not sure why you need 4 tunnels, you could just use 1 tunnel as a gateway
to gateway setup, but I assume that your particular network topology satisfies
your requirements.
> i then have 4x GRE tunnels over the top of those in order that i have a
> secured routable VPN
> this gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3
> finally i run BIRD over the top which works very well, and synchronises
> routing tables between the two sites, and allows for me to do such fun as
> # /etc/init.d/net.vpn0 stop
> and watch all traffic automagically cut over to another link.
>
> so far so awesome.
>
> however, as i said the internet links are very unstable, and sometimes
> just blackhole. so what i was hoping to do is just enable keepalives on
> the gre tunnel. which sadly seems to be cisco only.
I'm no Cisco expert, but I thought that the keepalives are disabled when you
use IPSec, because IPSec had Dead Peer Detection for this purpose?
> can anyone suggest a way of detecting if the GRE is not fully connected ?
> BIRD only fails over if the net.vpn0 device is down (ifconfig up/down)
> and for the life of me i cannot find how to detect if a GRE tunnel is
> 'connected', it seems to just blindly send packets to the remote IP.
> is my only choice to use L2TP instead ?
Set your IKE lifetime to something like 86400 sec and your SA lifetime at
something like 3600, with dpd enabled and it should (hopefully) work. L2TP is
not needed.
--
Regards,
Mick
* Re: [gentoo-user] GRE link state detection
From: thegeezer @ 2013-09-09 10:12 UTC
To: gentoo-user
asking the same question on the bird mailing list, was recommended some
values to make bird down the GRE tunnels faster.
multiple tunnels are required due to the very unreliable internet, so
one tunnel goes over one dsl link, another goes over another.
DPD timeouts are 30 seconds minimum, which is too long.
i'll keep you posted if the bird recommendations work better
On 09/07/2013 07:23 PM, Mick wrote:
> On Thursday 05 Sep 2013 15:49:55 thegeezer wrote:
>> Howdy all,
>> i was wondering if anyone has any idea if there is a means by which i
>> can detect GRE link state ?
>>
>> what i have is two sites each with two very unstable internet links
>> in order to vpn between them i have ipsec tunnels linking each side
>> twice (four ipsec tunnels in total)
> I am not sure why you need 4 tunnels, you could just use 1 tunnel as a gateway
> to gateway setup, but I assume that your particular network topology satisfies
> your requirements.
>
>
>> i then have 4x GRE tunnels over the top of those in order that i have a
>> secured routable VPN
>> this gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3
>> finally i run BIRD over the top which works very well, and synchronises
>> routing tables between the two sites, and allows for me to do such fun as
>> # /etc/init.d/net.vpn0 stop
>> and watch all traffic automagically cut over to another link.
>>
>> so far so awesome.
>>
>> however, as i said the internet links are very unstable, and sometimes
>> just blackhole. so what i was hoping to do is just enable keepalives on
>> the gre tunnel. which sadly seems to be cisco only.
> I'm no Cisco expert, but I thought that the keepalives are disabled when you
> use IPSec, because IPSec had Dead Peer Detection for this purpose?
>
>
>> can anyone suggest a way of detecting if the GRE is not fully connected ?
>> BIRD only fails over if the net.vpn0 device is down (ifconfig up/down)
>> and for the life of me i cannot find how to detect if a GRE tunnel is
>> 'connected', it seems to just blindly send packets to the remote IP.
>> is my only choice to use L2TP instead ?
> Set your IKE lifetime to something like 86400 sec and your SA lifetime at
> something like 3600, with dpd enabled and it should (hopefully) work. L2TP is
> not needed.
>
* Re: [gentoo-user] GRE link state detection
From: Mick @ 2013-09-09 18:39 UTC
To: gentoo-user
On Monday 09 Sep 2013 11:12:47 thegeezer wrote:
> asking the same question on the bird mailing list, was recommended some
> values to make bird down the GRE tunnels faster.
> multiple tunnels are required due to the very unreliable internet, so
> one tunnel goes over one dsl link, another goes over another.
> DPD timeouts are 30 seconds minimum, which is too long.
> i'll keep you posted if the bird recommendations work better
You can tune dpd_delay and dpd_retry in racoon.conf (if you are using ipsec-
tools) or the equivalent in open/strongswan. I think strongswan sends
keepalives every 20 seconds or so and it can be increased if you prefer it so.
--
Regards,
Mick