From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 637A91381F3 for ; Mon, 9 Sep 2013 10:12:58 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 5D211E0A7E; Mon, 9 Sep 2013 10:12:50 +0000 (UTC)
Received: from uberouter3.guranga.net (unknown [78.25.223.226]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 3FC6AE0963 for ; Mon, 9 Sep 2013 10:12:49 +0000 (UTC)
Received: from [192.168.151.100] (unknown [192.168.151.100]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by uberouter3.guranga.net (Postfix) with ESMTPSA id D95B882337 for ; Mon, 9 Sep 2013 11:12:47 +0100 (BST)
Message-ID: <522D9F1F.3070202@thegeezer.net>
Date: Mon, 09 Sep 2013 11:12:47 +0100
From: thegeezer
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] GRE link state detection
References: <52289A13.6010403@thegeezer.net> <201309071923.39255.michaelkintzios@gmail.com>
In-Reply-To: <201309071923.39255.michaelkintzios@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 8add3243-3a0b-4aa1-842b-9e668591b777
X-Archives-Hash: 212d40597f473095f854322cc49f7daf

Asking the same question on the bird mailing list, I was recommended some values to make bird down the GRE tunnels faster. Multiple tunnels are required due to the very unreliable internet, so one tunnel goes over one DSL link, another goes over another. DPD timeouts are 30 seconds minimum, which is too long.
I'll keep you posted if the bird recommendations work better.

On 09/07/2013 07:23 PM, Mick wrote:
> On Thursday 05 Sep 2013 15:49:55 thegeezer wrote:
>> Howdy all,
>> I was wondering if anyone has any idea if there is a means by which I
>> can detect GRE link state?
>>
>> What I have is two sites each with two very unstable internet links.
>> In order to VPN between them I have IPsec tunnels linking each side
>> twice (four IPsec tunnels in total).
> I am not sure why you need 4 tunnels, you could just use 1 tunnel as a gateway
> to gateway setup, but I assume that your particular network topology satisfies
> your requirements.
>
>
>> I then have 4x GRE tunnels over the top of those in order that I have a
>> secured routable VPN.
>> This gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3.
>> Finally I run BIRD over the top which works very well, and synchronises
>> routing tables between the two sites, and allows for me to do such fun as
>> # /etc/init.d/net.vpn0 stop
>> and watch all traffic automagically cut over to another link.
>>
>> So far so awesome.
>>
>> However, as I said the internet links are very unstable, and sometimes
>> just blackhole. So what I was hoping to do is just enable keepalives on
>> the GRE tunnel, which sadly seems to be Cisco only.
> I'm no Cisco expert, but I thought that the keepalives are disabled when you
> use IPSec, because IPSec had Dead Peer Detection for this purpose?
>
>
>> Can anyone suggest a way of detecting if the GRE is not fully connected?
>> BIRD only fails over if the net.vpn0 device is down (ifconfig up/down)
>> and for the life of me I cannot find how to detect if a GRE tunnel is
>> 'connected', it seems to just blindly send packets to the remote IP.
>> Is my only choice to use L2TP instead?
> Set your IKE lifetime to something like 86400 sec and your SA lifetime at
> something like 3600, with dpd enabled and it should (hopefully) work. L2TP is
> not needed.
>
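The thread's own finding is that Linux GRE has no keepalive and BIRD only fails over once the net.vpnN device is actually down, while IPsec DPD takes at least 30 seconds to notice a blackholed link. One way to close that gap, as an added example that is not code from the thread or from BIRD: a small watchdog that probes the far end of each GRE tunnel through that tunnel's own interface and stops the Gentoo net.vpnN service after a few lost probes, so BIRD withdraws the routes over it. The tunnel names, peer addresses and timers below are assumptions, as is the Gentoo init-script interface used to down the link.

```shell
#!/bin/sh
# Added example, not code from the thread: GRE tunnel watchdog.
# Probes the inner IP of the remote tunnel endpoint through each tunnel's own
# interface and stops the net.vpnN service after FAIL_LIMIT consecutive lost
# probes, so BIRD sees the interface go away and reroutes. A stopped tunnel
# cannot be probed, so it is started again after HOLD_DOWN seconds and must
# then lose FAIL_LIMIT probes again before it is stopped once more.
# Tunnel names, peer addresses and timers are assumptions.

PEERS="vpn0=10.255.0.2 vpn1=10.255.1.2 vpn2=10.255.2.2 vpn3=10.255.3.2"
FAIL_LIMIT=3                       # consecutive lost probes before stopping
INTERVAL=2                         # seconds between probe rounds
HOLD_DOWN=30                       # seconds a stopped tunnel stays stopped
STATE_DIR=${STATE_DIR:-/tmp/gre-watchdog}

# probe IFACE PEER: 0 if PEER answers through IFACE. -I pins the probe to the
# tunnel interface so a reply routed via another tunnel cannot mask a dead one;
# -W 1 bounds each probe at one second.
probe() { ping -c 1 -W 1 -I "$1" "$2" >/dev/null 2>&1; }

# Gentoo init scripts (assumed names); BIRD reacts to the interface vanishing
link_down() { /etc/init.d/net."$1" stop; }
link_up()   { /etc/init.d/net."$1" start; }

# link_action FAILS STATE DOWN_SINCE NOW: prints the transition one link should
# take ("down", "up" or "none"). Pure function so the policy is testable offline.
link_action() {
    fails=$1; state=$2; since=$3; now=$4
    if [ "$state" = up ] && [ "$fails" -ge "$FAIL_LIMIT" ]; then
        echo down
    elif [ "$state" = down ] && [ $((now - since)) -ge "$HOLD_DOWN" ]; then
        echo up
    else
        echo none
    fi
}

# per-link state lives in small files so the watchdog survives restarts
read_state()  { cat "$STATE_DIR/$1.$2" 2>/dev/null || echo "$3"; }
write_state() { echo "$3" > "$STATE_DIR/$1.$2"; }

# one probe round over every tunnel
run_round() {
    now=$(date +%s)
    mkdir -p "$STATE_DIR"
    for entry in $PEERS; do
        iface=${entry%%=*}; peer=${entry#*=}
        state=$(read_state "$iface" state up)
        fails=$(read_state "$iface" fails 0)
        since=$(read_state "$iface" since 0)
        if [ "$state" = up ]; then
            if probe "$iface" "$peer"; then fails=0; else fails=$((fails + 1)); fi
        fi
        case $(link_action "$fails" "$state" "$since" "$now") in
            down)
                echo "gre-watchdog: $iface lost $fails probes, stopping" >&2
                link_down "$iface"; state=down; since=$now ;;
            up)
                echo "gre-watchdog: $iface hold-down over, starting" >&2
                link_up "$iface"; state=up; fails=0 ;;
        esac
        write_state "$iface" state "$state"
        write_state "$iface" fails "$fails"
        write_state "$iface" since "$since"
    done
}

# run as a daemon with: sh gre-watchdog.sh run
if [ "${1:-}" = run ]; then
    while :; do run_round; sleep "$INTERVAL"; done
fi
```

With FAIL_LIMIT=3 and INTERVAL=2 a blackholed tunnel is taken down within about seven seconds rather than DPD's thirty. The hold-down is deliberate: a tunnel that is stopped cannot be probed, so the only way to learn it has recovered is to start it and probe again, and a too-short HOLD_DOWN turns a dead link into a flapping one. The probe target must be the remote end's tunnel-internal address, reached only via that tunnel, or the -I pin is the only thing stopping a healthy tunnel from answering for a dead one.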