| 1 |
On Thursday 05 Sep 2013 15:49:55 thegeezer wrote: |
| 2 |
> Howdy all, |
| 3 |
> i was wondering if anyone has any idea if there is a means by which i |
| 4 |
> can detect GRE link state ? |
| 5 |
> |
| 6 |
> what i have is two sites each with two very unstable internet links |
| 7 |
> in order to vpn between them i have ipsec tunnels linking each side |
| 8 |
> twice (four ipsec tunnels in total) |
| 9 |
|
| 10 |
I am not sure why you need 4 tunnels, you could just use 1 tunnel as a gateway |
| 11 |
to gateway setup, but I assume that your particular network topology satisfies |
| 12 |
your requirements. |
| 13 |
|
| 14 |
|
| 15 |
> i then have 4x GRE tunnels over the top of those in order that i have a |
| 16 |
> secured routable VPN |
| 17 |
> this gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3 |
| 18 |
> finally i run BIRD over the top which works very well, and synchronises |
| 19 |
> routing tables between the two sites, and allows for me to do such fun as |
| 20 |
> # /etc/init.d/net.vpn0 stop |
| 21 |
> and watch all traffic automagically cut over to another link. |
| 22 |
> |
| 23 |
> so far so awesome. |
| 24 |
> |
| 25 |
> however, as i said the internet links are very unstable, and sometimes |
| 26 |
> just blackhole. so what i was hoping to do is just enable keepalives on |
| 27 |
> the gre tunnel. which sadly seems to be cisco only. |
| 28 |
|
| 29 |
I'm no Cisco expert, but I thought that the keepalives are disabled when you |
| 30 |
use IPSec, because IPSec had Dead Peer Detection for this purpose? |
| 31 |
|
| 32 |
|
| 33 |
> can anyone suggest a way of detecting if the GRE is not fully connected ? |
| 34 |
> BIRD only fails over if the net.vpn0 device is down (ifconfig up/down) |
| 35 |
> and for the life of me i cannot find how to detect if a GRE tunnel is |
| 36 |
> 'connected', it seems to just blindly send packets to the remote IP. |
| 37 |
> is my only choice to use L2TP instead ? |
| 38 |
|
| 39 |
Set your IKE lifetime to something like 86400 sec and your SA lifetime at |
| 40 |
something like 3600, with dpd enabled and it should (hopefully) work. L2TP is |
| 41 |
not needed. |
| 42 |
|
| 43 |
-- |
| 44 |
Regards, |
| 45 |
Mick |
Archives