On 14 November 2016 22:50, "Remi Locherer" <[email protected]> wrote:
> On Mon, Nov 14, 2016 at 04:50:21PM +0000, Comète wrote:
>> On 14 November 2016 14:50, "Remi Locherer" <[email protected]> wrote:
>>> On 2016-11-14 12:48, Comète wrote:
>>>> Hi,
>>>> I'm trying to run OSPFD over IPSEC with OpenBSD 6.0 stable, so I first
>>>> started looking at
>>>> http://undeadly.org/cgi?action=article&sid=20131105075303
>>>> Now that etherip has its own interface in 6.0, I tried to replace gif
>>>> with etherip like this:
>>>>
>>>> [...]
>>>
>>> Can you show pf.conf? Are there any blocks if you check on pflog0 with tcpdump?
>>>
>>> But why do you want to have Ethernet frames tunneled? If you use gif
>>> interfaces and make ospfd active on them you save a few bits. That way
>>> you can make the MTU bigger.
>>> https://cway.cisco.com/tools/ipsec-overhead-calc can give you an idea how
>>> big your MTU can be (needs an account but is free).
>>>
>>> Be careful when configuring gif interfaces. ospfd only recognizes that it is a
>>> point-to-point interface when you configure the netmask as 255.255.255.255.
>>
>> I finally got it working. I forgot the 'link2' option in /etc/hostname.bridge0:
>>
>> -=>> cat /etc/hostname.bridge0
>> add etherip0
>> add vether0
>> up link2
>>
>> but it wasn't enough...
>> I had to set 'net.inet.etherip.allow=1' in sysctl.conf despite what is said
>> in the 'etherip' man page:
>>
>> "The sysctl(3) variable net.inet.etherip.allow must be set to 1, unless
>> ipsec(4) is being used to protect the traffic."
>>
>> This is what I don't understand, is there any particular case in this
>> configuration or maybe something changed in 6.0?
>> thanks
>
> I can not tell you what is wrong with your configuration. I'm not using
> etherip. But why do you think you need to tunnel Ethernet? You don't need it
> for ospf. With gif interfaces you're doing ip-over-ip and don't need
> bridge and vether. Then just add the gif interface to ospfd.conf.
Ok, good to know, I will test this too. In fact, I will need etherip for some sites where I use VLANS. But for others, IP over IP will be ok. So thank you for the advice. Does anyone know why, with etherip over IPSEC, I had to set 'net.inet.etherip.allow=1' in sysctl.conf? The question is still open... Thanks
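The gif-based ip-over-ip layout Remi suggests above (ospfd directly on gif0, no bridge or vether), with his netmask caveat turned into a check over ifconfig output, as an added example that is not part of the thread. The hostname.if(5) line format, the shape of the ifconfig output and every address are assumptions or documentation-range placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Renders the gif-based ip-over-ip layout
# (ospfd on gif0, no bridge/vether) and checks the netmask caveat: ospfd only
# treats gif0 as point-to-point when its mask is 255.255.255.255 (0xffffffff).
# All addresses are documentation-range placeholders.
set -eu

# Content for /etc/hostname.gif0 on one side (hostname.if(5) syntax, assumed):
# $1 local outer address  $2 remote outer address
# $3 local inner address  $4 remote inner address
render_hostname_gif() {
	printf 'tunnel %s %s\ninet %s 255.255.255.255 %s\nup\n' "$1" "$2" "$3" "$4"
}

# Content for a minimal /etc/ospfd.conf that runs OSPF on gif0: $1 is the router-id.
render_ospfd_conf() {
	printf 'router-id %s\n\narea 0.0.0.0 {\n\tinterface gif0\n}\n' "$1"
}

# Read ifconfig(8) output for a gif interface on stdin; return 0 when its inet
# line carries netmask 0xffffffff, 1 otherwise (the case ospfd will not treat
# as point-to-point).
check_ptp_mask() {
	awk '$1 == "inet" {
		for (i = 1; i < NF; i++)
			if ($i == "netmask" && $(i+1) == "0xffffffff") ok = 1
	}
	END { exit ok ? 0 : 1 }'
}

# Constructed sample ifconfig output: a correctly configured gif0 and one
# brought up with a /30 mask by mistake.
GIF_OK='gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	tunnel: inet 192.0.2.1 -> 198.51.100.1
	inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff'
GIF_BAD='gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	tunnel: inet 192.0.2.1 -> 198.51.100.1
	inet 10.0.0.1 --> 10.0.0.2 netmask 0xfffffffc'

echo '# /etc/hostname.gif0 (side A)'
render_hostname_gif 192.0.2.1 198.51.100.1 10.0.0.1 10.0.0.2
echo '# /etc/ospfd.conf (side A)'
render_ospfd_conf 10.0.0.1
printf '%s\n' "$GIF_OK"  | check_ptp_mask && echo 'gif0: /32 mask, ospfd will see point-to-point'
printf '%s\n' "$GIF_BAD" | check_ptp_mask || echo 'gif0: mask is not /32, fix hostname.gif0'
```

Run `ifconfig gif0 | check_ptp_mask` on the router itself to verify the live interface before starting ospfd.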

