On Thu, 8 Jun 2017 17:03:56 +0200 Gert Doering <g...@greenie.muc.de> wrote:
> Run
>
>     openvpn --verb <high>
>
> (starting from 5, going up)
>
> to see what it's doing...

--verb 6

You can see the 10 secs wait:

Thu Jun 8 22:00:11 2017 us=709103 UDPv4 link remote: [AF_INET]e.f.g.h:1198
Thu Jun 8 22:00:21 2017 us=308356 Peer Connection Initiated with [AF_INET]e.f.g.h:1198
Thu Jun 8 22:00:22 2017 us=539641 Initialization Sequence Completed

And if the remote is down it will retry every 10 secs.

Another test: I start the local side. No udp packet in the first seconds. After 2 seconds I start a ping from the remote and immediately it initiates the tunnel:

Thu Jun 8 22:04:23 2017 us=902239 Peer Connection Initiated with [AF_INET]e.f.g.h:1198
Thu Jun 8 22:04:24 2017 us=905187 Initialization Sequence Completed

So why talk to the remote side after 10 secs while sending a ping will do the job? There is no need for it when using a udp static key config.

Anyway, I am trying this to achieve the following, maybe you guys have an elegant idea to solve this problem:

I have two HA (High Availability) active/passive clusters using a virtual ip (keepalived/conntrackd).

    box1a--+  ip1a            ip2a  +-- box2a
           |                        |
           + vip1 <--------> vip2   +
           |                        |
    box1b--+  ip1b            ip2b  +-- box2b

I have an unencrypted ipip tunnel between vip1 and vip2. Note: all 4 boxes have an ipip0 device that is up all the time. This works like a charm because there is only 1 tunnel active between the two vips. As soon as one box becomes master, it will own the virtual ip and, as the ipip tunnel config contains the vip, it will be the only one capable of digging the tunnel. The passive one will not be able to dig a tunnel because it does not own the virtual ip. Everything is handled by the kernel. Ok, it probably has a high level of Q&D, but it works.

Ok, but now I want encryption. I was wondering if such a config would be feasible using a peer to peer OpenVPN. Problem is that I cannot bind an OpenVPN instance to the vip as this ip might disappear or simply not be there when OpenVPN starts. Disadvantage of userspace daemons.
One of the options is to create a peer to peer OpenVPN tunnel over the ipip connection. Both OpenVPN instances have the ipip tunnel ips as local and remote ip. For the slave the remote seems to be down. I know I can tell keepalived to stop/start an OpenVPN instance and this works fine of course, but I was just looking for an elegant option if possible. Scripting is my "gateway of last resort".

R.

--
richard lucassen
http://contact.xaq.nl/