The solution seems to be to run on top of vether(4).

On 3 apr 2013, at 22:54, mxb <m...@alumni.chalmers.se> wrote:

> 
> 
> Looks like multicast packets never show up on gif.
> I see those packets on enc0 on both sides.
> However, on one side they never show up on gif!
> 
> Any ideas?
> The "problematic side" has currently "set skip on enc0" and "pass all on 
> gif" in pf.conf.
> 
> Both sides run OpenBSD 5.3.
> 
> //mxb
> 
> On 28 mar 2013, at 09:26, mxb <m...@alumni.chalmers.se> wrote:
> 
>> Hello list,
>> 
>> Anyone have a good advice on the <subject>?
>> 
>> I currently have SiteA and SiteB with two OpenBSD machines on each end in 
>> active-active setup.
>> I also have OSPF on top of gif(on top of IPSec) from each node and crossover 
>> between nodes.
>> 
>> fw1.siteA <----gif---> fw1.siteB
>> fw2.siteA <----gif---> fw2.siteB
>> 
>> fw1.siteA <----crossover--->fw2.siteA.
>> 
>> I occasionally experience "breakdowns" on site-to-site links. It looks like 
>> ospfd stops talking on gif, but gifs are up and I'm able to ping each peer. 
>> ipsecctl shows that tunnels are up and I can confirm this via tcpdump. "pass 
>> on enc0 keep state (if-bound)" should not let unencrypted traffic escape 
>> anyway.
>> 
>> My goal with this setup is to have redundancy and let OSPF decide the routing 
>> path.
>> So the priority is not set in ospfd.conf.
>> 
>> area 0.0.0.0 {
>> 
>>      # siteA-siteB
>>       interface gif0 { metric 10 }
>> 
>>      # crossover
>>       interface trunk0 { metric 5 }
>> 
>>      #LAN
>>       interface carp1 { passive }
>> 
>>      # ANYCAST
>>       interface lo1 { metric 5 }
>> }
>> 
>> pfsync0: flags=41<UP,RUNNING> mtu 1500
>>       priority: 0
>>       pfsync: syncdev: trunk0 maxupd: 128 defer: on
>>       groups: carp pfsync
>> 
>> //mxb
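The symptom in the thread is that OSPF hellos (sent to the AllSPFRouters group, 224.0.0.5) are visible on enc0 but never appear on gif0 on one side. The script below is an added example, not part of the thread or of OpenBSD's own tooling: it takes tcpdump-style capture text for enc0 and gif0, counts the OSPF hellos each interface saw, and reports when hellos arrive encrypted but never reach the gif interface. It also checks an ifconfig flags line for MULTICAST, since an interface that does not advertise multicast cannot join 224.0.0.5. The capture lines and the ifconfig line are constructed samples that only resemble real tcpdump/ifconfig output; the SPI, addresses and flag values are made up.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread). In practice the captures
# would come from something like `tcpdump -ni enc0 proto ospf` and
# `tcpdump -ni gif0 proto ospf` run on the "problematic side".

# Constructed sample: enc0 sees two OSPF hellos plus an ICMP echo.
ENC0_CAPTURE='12:00:01.000000 (authentic,confidential): SPI 0x0000abcd: 10.0.0.1 > 10.0.0.2: 192.168.100.1 > 224.0.0.5: OSPFv2-hello 48: rtrid 192.168.100.1 backbone
12:00:11.000000 (authentic,confidential): SPI 0x0000abcd: 10.0.0.1 > 10.0.0.2: 192.168.100.1 > 224.0.0.5: OSPFv2-hello 48: rtrid 192.168.100.1 backbone
12:00:15.000000 (authentic,confidential): SPI 0x0000abcd: 10.0.0.1 > 10.0.0.2: 192.168.100.1 > 192.168.100.2: icmp: echo request'

# Constructed sample: gif0 only sees the unicast ICMP, no hellos.
GIF0_CAPTURE='12:00:15.000000 192.168.100.1 > 192.168.100.2: icmp: echo request'

# count_ospf_hellos CAPTURE_TEXT
# Prints the number of OSPF hello packets addressed to 224.0.0.5.
# `|| true` keeps a zero count from being treated as a failure under set -e.
count_ospf_hellos() {
    printf '%s\n' "$1" | grep -c '224\.0\.0\.5: OSPFv2-hello' || true
}

# diagnose_multicast ENC_CAPTURE GIF_CAPTURE
# Returns 0 when hellos reach gif, 1 when enc sees them but gif never does.
diagnose_multicast() {
    enc=$(count_ospf_hellos "$1")
    gif=$(count_ospf_hellos "$2")
    printf 'OSPF hellos: enc0=%s gif0=%s\n' "$enc" "$gif"
    if [ "$enc" -gt 0 ] && [ "$gif" -eq 0 ]; then
        echo 'multicast hellos arrive encrypted on enc0 but never show up on gif0'
        return 1
    fi
    return 0
}

# has_multicast_flag IFCONFIG_LINE
# Succeeds when the flags<...> field of an ifconfig line lists MULTICAST.
has_multicast_flag() {
    printf '%s\n' "$1" | grep -q 'flags=[0-9a-fx]*<[^>]*MULTICAST'
}

# Stand-alone run over the constructed samples.
diagnose_multicast "$ENC0_CAPTURE" "$GIF0_CAPTURE" \
    || echo 'check whether gif0 carries multicast, or move OSPF onto an interface that does'

# Constructed ifconfig line in the format shown in the thread (pfsync0 above).
if has_multicast_flag 'gif0: flags=8011<UP,POINTOPOINT,RUNNING> mtu 1280'; then
    echo 'gif0 advertises MULTICAST'
else
    echo 'gif0 does not advertise MULTICAST: ospfd cannot join 224.0.0.5 on it'
fi
```

Run it on real captures by replacing the two constructed variables with the output of tcpdump on each interface; a count that is non-zero on enc0 and zero on gif0 reproduces the situation described above and points at the tunnel interface rather than at IPsec or pf.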
