Date:      Wed, 9 Jul 2008 11:03:28 -0700 (PDT)
From:      zaphod@fsklaw.com
To:        "Julian Elischer" <julian@elischer.org>
Cc:        freebsd-net@freebsd.org, zaphod@fsklaw.com, Mike Tancsa <mike@sentex.net>
Subject:   Re: Tunneling issues
Message-ID:  <3d2c56c963f5fc5f6732548548068f69.squirrel@cor>
In-Reply-To: <4874FA1F.40209@elischer.org>
References:  <8f7879db41dbaecc479a017110e8f32f.squirrel@cor> <200807040155.m641tl8s000607@lava.sentex.ca> <7904ac587e71a42fb86c2bbe77bde0ae.squirrel@cor> <200807091545.m69FjcP4031350@lava.sentex.ca> <ae8c87bc77551550826e2906287c4cf0.squirrel@cor> <4874FA1F.40209@elischer.org>

> zaphod@fsklaw.com wrote:
>>> At 11:21 AM 7/9/2008, zaphod@fsklaw.com wrote:
>>>
>>>> I agree it should work.  But it's not.  With respect to the next two
>>>> questions, yes and yes.
>>> Can you post some of the configs you are using for 3 of the sites so
>>> we can perhaps spot the problem(s) you are having ? I have a similar
>>> setup with 5 sites, all talking to each other via IPSEC tunnels. It's
>>> a lot of policies, but they work just fine.
>>>
>>>> I'm not a huge fan of OpenVPN, but the bigger issue is that the gif
>>>> tunnels come up at boot up. As well as routes.  Given the client server
>>>> nature of OpenVPN it is suitable, because if a server reboots, I'm not
>>>> certain a client would auto re-connect.
>>> We have ~ 400 sites running OpenVPN across Canada that all reconnect
>>> just fine after reboots / power cycles etc.  We don't let the clients
>>> talk to each other, but that would just be a config change to allow
>>> that to work.
>>>
>>>          ---Mike
>>>
>> Last first.  Well that's good info on OpenVPN.
>>
>> As to the first, I'm not even at the ipsec stage yet.  I'm just trying to
>> get tunnels up.  I wrote a couple of shell scripts to bring them up for
>> testing.
>>
>> Server1
>>
>> orange# more mkgif
>> #/bin/sh
>> ifconfig gif1 create
>> ifconfig gif1 1.1.1.1 2.2.2.2
>
> ^^^^  what's that for?

Well added that as I was googling the problem someone had said to do it so
I tried it.  Wasn't there initially.  Doesn't work with or without.

> since you over-ride it in the next line vvvvv
>
>
>> ifconfig gif1 inet 192.168.72.1 192.168.70.1 netmask 255.255.255.0
>
> (PTP links don't have netmasks)
>
snip:

Got it from the manual
<http://www.freebsd.org/doc/en/books/handbook/ipsec.html>

# ifconfig gif0 create
# ifconfig gif0 tunnel A.B.C.D W.X.Y.Z
# ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 0xffffffff


I'll try it without.

Cheers,

Zaphod



