| 1 |
asking the same question on the bird mailing list, was recommended some |
| 2 |
values to make bird down the GRE tunnels faster. |
| 3 |
multiple tunnels are required due to the very unreliable internet, so |
| 4 |
one tunnel goes over one dsl link, another goes over another. |
| 5 |
DPD timeouts are 30seconds minimum, which is too long. |
| 6 |
i'll keep you posted if the bird recommendations works better |
| 7 |
|
| 8 |
|
| 9 |
On 09/07/2013 07:23 PM, Mick wrote: |
| 10 |
> On Thursday 05 Sep 2013 15:49:55 thegeezer wrote: |
| 11 |
>> Howdy all, |
| 12 |
>> i was wondering if anyone has any idea if there is a means by which i |
| 13 |
>> can detect GRE link state ? |
| 14 |
>> |
| 15 |
>> what i have is two sites each with two very unstable internet links |
| 16 |
>> in order to vpn between them i have ipsec tunnels linking each side |
| 17 |
>> twice (four ipsec tunnels in total) |
| 18 |
> I am not sure why you need 4 tunnels, you could just use 1 tunnel as a gateway |
| 19 |
> to gateway setup, but I assume that your particular network topology satisfies |
| 20 |
> your requirements. |
| 21 |
> |
| 22 |
> |
| 23 |
>> i then have 4x GRE tunnels over the top of those in order that i have a |
| 24 |
>> secured routable VPN |
| 25 |
>> this gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3 |
| 26 |
>> finally i run BIRD over the top which works very well, and synchronises |
| 27 |
>> routing tables between the two sites, and allows for me to do such fun as |
| 28 |
>> # /etc/init.d/net.vpn0 stop |
| 29 |
>> and watch all traffic automagically cut over to another link. |
| 30 |
>> |
| 31 |
>> so far so awesome. |
| 32 |
>> |
| 33 |
>> however, as i said the internet links are very unstable, and sometimes |
| 34 |
>> just blackhole. so what i was hoping to do is just enable keepalives on |
| 35 |
>> the gre tunnel. which sadly seems to be cisco only. |
| 36 |
> I'm no Cisco expert, but I thought that the keepalives are disabled when you |
| 37 |
> use IPSec, because IPSec had Dead Peer Detection for this purpose? |
| 38 |
> |
| 39 |
> |
| 40 |
>> can anyone suggest a way of detecting if the GRE is not fully connected ? |
| 41 |
>> BIRD only fails over if the net.vpn0 device is down (ifconfig up/down) |
| 42 |
>> and for the life of me i cannot find how to detect if a GRE tunnel is |
| 43 |
>> 'connected', it seems to just blindly send packets to the remote IP. |
| 44 |
>> is my only choice to use L2TP instead ? |
| 45 |
> Set your IKE lifetime to something like 86400 sec and your SA lifetime at |
| 46 |
> something like 3600, with dpd enabled and it should (hopefully) work. L2TP is |
| 47 |
> not needed. |
| 48 |
> |
Archives