1 |
asking the same question on the bird mailing list, was recommended some |
2 |
values to make bird down the GRE tunnels faster. |
3 |
multiple tunnels are required due to the very unreliable internet, so |
4 |
one tunnel goes over one dsl link, another goes over another. |
5 |
DPD timeouts are 30seconds minimum, which is too long. |
6 |
i'll keep you posted if the bird recommendations works better |
7 |
|
8 |
|
9 |
On 09/07/2013 07:23 PM, Mick wrote: |
10 |
> On Thursday 05 Sep 2013 15:49:55 thegeezer wrote: |
11 |
>> Howdy all, |
12 |
>> i was wondering if anyone has any idea if there is a means by which i |
13 |
>> can detect GRE link state ? |
14 |
>> |
15 |
>> what i have is two sites each with two very unstable internet links |
16 |
>> in order to vpn between them i have ipsec tunnels linking each side |
17 |
>> twice (four ipsec tunnels in total) |
18 |
> I am not sure why you need 4 tunnels, you could just use 1 tunnel as a gateway |
19 |
> to gateway setup, but I assume that your particular network topology satisfies |
20 |
> your requirements. |
21 |
> |
22 |
> |
23 |
>> i then have 4x GRE tunnels over the top of those in order that i have a |
24 |
>> secured routable VPN |
25 |
>> this gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3 |
26 |
>> finally i run BIRD over the top which works very well, and synchronises |
27 |
>> routing tables between the two sites, and allows for me to do such fun as |
28 |
>> # /etc/init.d/net.vpn0 stop |
29 |
>> and watch all traffic automagically cut over to another link. |
30 |
>> |
31 |
>> so far so awesome. |
32 |
>> |
33 |
>> however, as i said the internet links are very unstable, and sometimes |
34 |
>> just blackhole. so what i was hoping to do is just enable keepalives on |
35 |
>> the gre tunnel. which sadly seems to be cisco only. |
36 |
> I'm no Cisco expert, but I thought that the keepalives are disabled when you |
37 |
> use IPSec, because IPSec had Dead Peer Detection for this purpose? |
38 |
> |
39 |
> |
40 |
>> can anyone suggest a way of detecting if the GRE is not fully connected ? |
41 |
>> BIRD only fails over if the net.vpn0 device is down (ifconfig up/down) |
42 |
>> and for the life of me i cannot find how to detect if a GRE tunnel is |
43 |
>> 'connected', it seems to just blindly send packets to the remote IP. |
44 |
>> is my only choice to use L2TP instead ? |
45 |
> Set your IKE lifetime to something like 86400 sec and your SA lifetime at |
46 |
> something like 3600, with dpd enabled and it should (hopefully) work. L2TP is |
47 |
> not needed. |
48 |
> |