On Thursday 05 Sep 2013 15:49:55 thegeezer wrote:
> Howdy all,
> I was wondering if anyone has any idea if there is a means by which I
> can detect GRE link state?
>
> What I have is two sites, each with two very unstable internet links.
> In order to VPN between them I have IPsec tunnels linking each side
> twice (four IPsec tunnels in total).

I am not sure why you need 4 tunnels; you could just use 1 tunnel as a
gateway-to-gateway setup, but I assume that your particular network
topology satisfies your requirements.

> I then have 4x GRE tunnels over the top of those in order that I have a
> secured routable VPN.
> This gives me net.vpn0, net.vpn1, net.vpn2 and net.vpn3.
> Finally I run BIRD over the top, which works very well, synchronises
> routing tables between the two sites, and allows me to do such fun as
> # /etc/init.d/net.vpn0 stop
> and watch all traffic automagically cut over to another link.
>
> So far so awesome.
>
> However, as I said, the internet links are very unstable, and sometimes
> just blackhole. So what I was hoping to do is just enable keepalives on
> the GRE tunnel, which sadly seems to be Cisco only.

I'm no Cisco expert, but I thought that the keepalives are disabled when
you use IPsec, because IPsec has Dead Peer Detection for this purpose?

> Can anyone suggest a way of detecting if the GRE is not fully connected?
> BIRD only fails over if the net.vpn0 device is down (ifconfig up/down),
> and for the life of me I cannot find how to detect if a GRE tunnel is
> 'connected'; it seems to just blindly send packets to the remote IP.
> Is my only choice to use L2TP instead?

Set your IKE lifetime to something like 86400 sec and your SA lifetime to
something like 3600, with DPD enabled, and it should (hopefully) work.
L2TP is not needed.

--
Regards,
Mick
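The GRE-level keepalive thegeezer is missing can be approximated from userspace. The script below is an added example, not code from this thread or from Gentoo or BIRD: it pings each peer's inner address through its GRE interface and, after a run of failures, stops the corresponding net.vpnN service, which is the interface-down event BIRD already fails over on, then restarts it once probes succeed again. The peer addresses, thresholds, state directory and the use of vpn0..3 as interface names are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a userspace keepalive for Linux GRE
# tunnels, which carry no link state. Each peer is pinged through its tunnel;
# after DOWN_AFTER failures the Gentoo net.vpnN service is stopped (the event
# BIRD already fails over on) and after UP_AFTER good probes it is restarted.
# Constructed assumptions: interfaces vpn0..3, peer inner addresses in PEERS,
# and the script runs as root under cron or a supervisor.
PEERS="vpn0:10.255.0.2 vpn1:10.255.1.2 vpn2:10.255.2.2 vpn3:10.255.3.2"
DOWN_AFTER=3   # consecutive failed probes before declaring the tunnel dead
UP_AFTER=2     # consecutive good probes before bringing it back
INTERVAL=10    # seconds between probe rounds
STATE_DIR=/run/gre-watchdog

# next_state STATE PROBE_OK FAILS OKS -> prints "STATE FAILS OKS". Pure, so it
# is testable offline; the hysteresis keeps one lost ping from flapping routes.
next_state() {
    state=$1; ok=$2; fails=$3; oks=$4
    if [ "$ok" -eq 0 ]; then
        fails=$((fails + 1)); oks=0
        if [ "$state" = up ] && [ "$fails" -ge "$DOWN_AFTER" ]; then state=down; fi
    else
        oks=$((oks + 1)); fails=0
        if [ "$state" = down ] && [ "$oks" -ge "$UP_AFTER" ]; then state=up; fi
    fi
    echo "$state $fails $oks"
}

# probe IFACE PEER -> 1 if one ICMP echo sent through the tunnel is answered.
probe() {
    ping -c 1 -W 2 -I "$1" "$2" >/dev/null 2>&1 && echo 1 || echo 0
}

watchdog() {
    mkdir -p "$STATE_DIR"
    while :; do
        for entry in $PEERS; do
            iface=${entry%%:*}; peer=${entry#*:}; f="$STATE_DIR/$iface"
            { read -r st fails oks < "$f"; } 2>/dev/null || { st=up; fails=0; oks=0; }
            set -- $(next_state "$st" "$(probe "$iface" "$peer")" "$fails" "$oks")
            if [ "$1" != "$st" ]; then
                if [ "$1" = down ]; then /etc/init.d/net.$iface stop
                else /etc/init.d/net.$iface start; fi
                logger -t gre-watchdog "$iface is now $1"
            fi
            echo "$1 $2 $3" > "$f"
        done
        sleep "$INTERVAL"
    done
}
# The loop runs only when GRE_WATCHDOG_RUN=1, so the file can be sourced for tests.
if [ "${GRE_WATCHDOG_RUN:-0}" = 1 ]; then watchdog; fi
```

DPD, as Mick suggests, detects a dead IKE peer at the IPsec layer; this probe checks the GRE path end to end and turns the result into the interface event BIRD reacts to.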