On Sunday, March 25, 2007, at 18:55:31, Chris Jones wrote:
> Hey all,
> I know that it's possible to run GRE over an IPsec tunnel but I am
> wondering if anyone here has seen some good documentation (besides the man
> pages) or a howto on setting this up. I'm trying to config my OpenBSD
> 4.0 firewall to interop with a route-based VPN network with a mix of
> Fortigate and Netscreen firewalls. Fortigates and Netscreens both use GRE
> interfaces as "tunnel interfaces" when creating route-based VPN tunnels.
> Right now all endpoints are using un-numbered (0.0.0.0/0) GRE interfaces
> and so I would like to use a similar configuration on the OpenBSD side,
> but I am just wondering how to accomplish this as I am uncertain how to
> bind the GRE interface to a tunnel.
Hello Chris,
GRE is standard and works in OpenBSD as the RFC says ;-)
When I was running GRE over an IPsec tunnel between two OpenBSD boxes
(OpenBSD 3.8 or something like that) it worked without any problems,
and it still works today, so here is an example from the config of that
machine (IPs changed):
vpn1# cat /etc/hostname.gre0
1.1.1.1 2.2.2.2 netmask 0xffffffff carp0
!ifconfig gre0 tunnel 1.1.1.1 2.2.2.2
!route add -inet 192.168.1.0/24 2.2.2.2
A few things you should be aware of:
a) sysctl.conf (net.inet.gre.allow=1, net.inet.ip.mtudisc=1)
b) MTU - GRE "takes" 24 bytes from the frame (i.e. 1476 usable out of
1500 bytes)
c) IPsec uses the DF bit - if you forget about that you can run into a
windowing problem (Ethernet uses 1500 bytes and the packet can't be
split into fragments because of the don't-fragment bit)
d) use a different IP address space for your VPN routers/concentrators
and for your local networks. If you take a blank sheet of paper and try
to draw it (with the OSI model in mind) you will get it in a few minutes :-)
Good luck :)
--
Sylwester S. Biernacki <[EMAIL PROTECTED]>
X-NET, http://www.xnet.com.pl/
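To make points b) and c) of the reply concrete, here is an added worked example (it is not from the thread and not OpenBSD's gre(4) code). It builds the outer IPv4 + GRE encapsulation for a constructed inner packet, measures the 24-byte overhead, derives the 1476-byte tunnel MTU, and classifies what happens to an oversized inner packet depending on its DF bit. The addresses 1.1.1.1/2.2.2.2 and 192.168.x.x, the UDP payload sizes, and the rule that the outer DF bit follows the inner one are assumptions made for the example; the optional `ipsec_overhead` argument is a placeholder for whatever ESP adds on top, which the mail does not quantify.

```python
import socket
import struct

ETH_MTU = 1500          # usable Ethernet payload, as in the mail
IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
IP_DF = 0x4000          # "don't fragment" flag in the IPv4 flags/fragment-offset field


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, df: bool = True) -> bytes:
    """Build a minimal IPv4 packet: 20-byte header without options, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0x1234,     # ver/ihl, tos, total len, id
                      IP_DF if df else 0, 64, proto, 0,       # flags/frag, ttl, proto, csum
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an inner IPv4 packet in a base GRE header (RFC 2784, no optional
    fields) and an outer IPv4 header, like a gre(4) tunnel endpoint would.
    Assumption for this example: the outer DF bit copies the inner DF bit."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags/version = 0, protocol = IPv4
    inner_df = bool(struct.unpack("!H", inner[6:8])[0] & IP_DF)
    return ipv4_packet(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_hdr + inner, df=inner_df)


def gre_overhead() -> int:
    """Bytes GRE-over-IPv4 adds to every packet: 20 (outer IP) + 4 (GRE) = 24."""
    probe = ipv4_packet("192.168.1.10", "192.168.2.10", 17, b"")   # constructed inner packet
    return len(gre_encapsulate(probe, "1.1.1.1", "2.2.2.2")) - len(probe)


def tunnel_mtu(outer_mtu: int = ETH_MTU, ipsec_overhead: int = 0) -> int:
    """Largest inner packet that still fits the outer link; ipsec_overhead is a
    placeholder for ESP's extra bytes, which the mail does not quantify."""
    return outer_mtu - gre_overhead() - ipsec_overhead


def classify(inner: bytes, tunnel_src: str, tunnel_dst: str,
             outer_mtu: int = ETH_MTU, ipsec_overhead: int = 0) -> str:
    """What the tunnel endpoint does with an inner packet:
    'ok'       - encapsulated packet fits the outer MTU
    'fragment' - too big, but DF is clear so it can be fragmented
    'drop'     - too big and DF is set (the windowing/black-hole case in point c)
    """
    outer = gre_encapsulate(inner, tunnel_src, tunnel_dst)
    if len(outer) + ipsec_overhead <= outer_mtu:
        return "ok"
    df_set = struct.unpack("!H", outer[6:8])[0] & IP_DF
    return "drop" if df_set else "fragment"


if __name__ == "__main__":
    print("GRE overhead:", gre_overhead(), "bytes; tunnel MTU:", tunnel_mtu())
    full = ipv4_packet("192.168.1.10", "192.168.2.10", 17, b"x" * 1480)   # 1500-byte inner packet
    print("1500-byte inner packet with DF set  ->", classify(full, "1.1.1.1", "2.2.2.2"))
    fits = ipv4_packet("192.168.1.10", "192.168.2.10", 17, b"x" * 1456)   # 1476-byte inner packet
    print("1476-byte inner packet with DF set  ->", classify(fits, "1.1.1.1", "2.2.2.2"))
```

The `drop` result is exactly why the reply recommends `net.inet.ip.mtudisc=1` and a 1476-byte MTU on the GRE side: without path MTU discovery, a full-size DF-marked frame from the LAN silently disappears at the tunnel endpoint instead of being fragmented.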