14 November 2016 22:50 "Remi Locherer" <[email protected]> wrote:
> On Mon, Nov 14, 2016 at 04:50:21PM +0000, Comète wrote:
>
>> 14 November 2016 14:50 "Remi Locherer" <[email protected]> wrote:
>> On 2016-11-14 12:48, Comète wrote:
>>
>> Hi,
>> I'm trying to run OSPFD over IPSEC with OpenBSD 6.0 stable, so I first
>> start looking at http://undeadly.org/cgi?action=article&sid=20131105075303
>> Now that etherip has its own interface in 6.0, I tried to replace gif with
>> etherip like this:
>
> [...]
>
>> Can you show pf.conf? Are there any blocks if you check on pflog0 with tcpdump?
>>
>> But why do you want to have Ethernet frames tunneled? If you use gif
>> interfaces and make ospfd being active on it you save a few bits. That way
>> you can make the MTU bigger.
>> https://cway.cisco.com/tools/ipsec-overhead-calc can give you an idea how
>> big your MTU can be (needs an account but is free).
>>
>> Be careful when configuring gif interfaces. ospfd only recognizes that it is a
>> point-to-point interface when you configure the netmask as 255.255.255.255.
>>
>> I finally got it working. I forgot the 'link2' option in /etc/hostname.bridge0:
>>
>> -=>> cat /etc/hostname.bridge0
>> add etherip0 add vether0
>> up link2
>>
>> but it wasn't enough...
>> I had to set 'net.inet.etherip.allow=1' in sysctl.conf despite what is said in
>> the 'etherip' man page:
>>
>> "The sysctl(3) variable net.inet.etherip.allow must be set to 1, unless ipsec(4)
>> is being used to protect the traffic."
>>
>> This is what I don't understand, is there any particular case in this
>> configuration or maybe something changed in 6.0?
>>
>> thanks
>
> I can not tell you what is wrong with your configuration. I'm not using
> etherip. But why do you think you need to tunnel Ethernet? You don't need it
> for ospf. With gif interfaces you're doing ip-over-ip and don't need
> bridge and vether. Then just add the gif interface to ospfd.conf.
I've made another test with GIF and vether interfaces following this tutorial:
http://undeadly.org/cgi?action=article&sid=20131105075303 (the author talked
about multicast problems when using only gif...). It works too and I can see a
bandwidth gain of 13 Mbps, with ipsec (aes-128-gcm) and pf enabled, compared to
the same setup with etherip interfaces. But again I needed to set
net.inet.etherip.allow=1 to make it work.
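As an added illustration of Remi's MTU remark (not code from the thread or from OpenBSD): the per-packet ESP (aes-128-gcm) overhead around a gif tunnel versus an etherip+bridge tunnel, and the largest inner MTU that still fits a 1500-byte path. It assumes ESP in transport mode between the tunnel endpoint addresses, IPv4 headers without options and a 16-byte GCM ICV; these are assumptions of the example, not settings taken from the posts.

```python
"""Overhead of ESP(aes-128-gcm) around a gif (IP-in-IP) or an etherip+bridge
tunnel, and the largest inner MTU that fits a given path MTU.
Assumptions (not from the thread): ESP transport mode on the tunnel endpoint
addresses, IPv4 without options, 128-bit GCM ICV."""

OUTER_IPV4 = 20        # tunnel endpoint IPv4 header
ESP_HDR = 8            # SPI + sequence number
GCM_IV = 8             # explicit IV for AES-GCM in ESP (RFC 4106)
GCM_ICV = 16           # 128-bit integrity check value (assumed)
ESP_TRAILER = 2        # pad length + next header
ETHERIP_HDR = 2        # EtherIP header (RFC 3378)
ETHERNET_HDR = 14      # inner Ethernet frame header carried by etherip/bridge

# gif carries the inner IP packet directly; etherip carries a whole frame.
ENCAP_EXTRA = {"gif": 0, "etherip": ETHERIP_HDR + ETHERNET_HDR}


def esp_padding(plain_len: int) -> int:
    """ESP pads so that plaintext + trailer ends on a 4-byte boundary."""
    return (-(plain_len + ESP_TRAILER)) % 4


def wire_size(inner_ip_len: int, encap: str) -> int:
    """Bytes on the wire for one inner IPv4 packet of inner_ip_len bytes."""
    plain = ENCAP_EXTRA[encap] + inner_ip_len
    return (OUTER_IPV4 + ESP_HDR + GCM_IV + plain + esp_padding(plain)
            + ESP_TRAILER + GCM_ICV)


def max_inner_mtu(path_mtu: int, encap: str) -> int:
    """Largest inner packet whose encapsulated form never exceeds path_mtu."""
    mtu = 0
    while wire_size(mtu + 1, encap) <= path_mtu:
        mtu += 1
    return mtu


if __name__ == "__main__":
    for encap in ("gif", "etherip"):
        print(encap, "max inner MTU on a 1500-byte path:",
              max_inner_mtu(1500, encap))
```

The 16-byte difference between the two results is the EtherIP plus Ethernet header that gif does not carry, which is the "few bits" saved.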