GRE or gif keepalive
Hey Everybody,

Do you know if GRE or gif is having a keepalive option? I searched with google and the archives and I didn't find anything like that. The problem that I have is as I run GRE over IPSec and I would like to know when the IPSec tunnel is down with the help of GRE interface which it should go down if there is sort of a keepalive mechanism.

-- Alex
Re: GRE or gif keepalive
On 2007/05/17 13:46, Alex Berdan wrote:
> Do you know if GRE or gif is having a keepalive option?

Not directly, but you can add one using ospfd(8) or ifstated(8).
Re: GRE or gif keepalive
Thanks Stuart,

I heard about this command. I ain't using OSPF for the link state I use BGP. My GRE interface never goes down when the IPsec goes down. Is this normal? Cosmetic bug?

Thanks,
Rgds,
Alex

On 5/17/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/05/17 13:46, Alex Berdan wrote:
> > Do you know if GRE or gif is having a keepalive option?
>
> Not directly, but you can add one using ospfd(8) or ifstated(8).

-- Alex
Re: GRE or gif keepalive
On 2007/05/17 17:11, Alex Berdan wrote:
> I heard about this command. I ain't using OSPF for the link state I use BGP.

Well, you could lower your timers then...

> My GRE interface never goes down when the IPsec goes down.

That's normal, gre doesn't know about link state.
Re: GRE or gif keepalive
Thanks anyway!

I was curious about the GRE implementation on OpenBSD as in CISCO there are keepalives and I can have SNMP traps in case the IPSec tunnel is down (GRE interface is down). The BGP works just fine and the routes converge exactly as I wanted. Is OpenBSD having any plans with this GRE keepalives? (Unfortunately my environment is not all CISCO)

Thanks,
Alex

On 5/17/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/05/17 17:11, Alex Berdan wrote:
> > I heard about this command. I ain't using OSPF for the link state I use BGP.
>
> Well, you could lower your timers then...
>
> > My GRE interface never goes down when the IPsec goes down.
>
> That's normal, gre doesn't know about link state.
Re: GRE or gif keepalive
On 2007/05/17 18:02, Alex Berdan wrote:
> I was curious about the GRE implementation on OpenBSD as in CISCO there are keepalives

Unfortunately, despite GRE being documented across a number of RFCs, there's no mention of this. Looks like it's probably a cisco-proprietary extension, I couldn't find any docs on packet formats or implementation. Have you come across any?
Re: GRE or gif keepalive
This is a nice feature which can be used in cases where you don't run any dynamic routing protocol over GRE/IPSec tunnel. If you have OpenBSD as VPN concentrator you can have SNMP traps when the tunnel is down and take any action etc.

Here is the CISCO implementation:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cec.html

Hopefully someone will see this and eventually propose an alternate solution or implement keepalives in the distribution.

Rgds,
Alex

On 5/17/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/05/17 18:02, Alex Berdan wrote:
> > I was curious about the GRE implementation on OpenBSD as in CISCO there are keepalives
>
> Unfortunately, despite GRE being documented across a number of RFCs, there's no mention of this. Looks like it's probably a cisco-proprietary extension, I couldn't find any docs on packet formats or implementation. Have you come across any?

-- Alex
Re: GRE or gif keepalive
On 2007/05/17 18:44, Alex Berdan wrote:
> This is a nice feature which can be used in cases where you don't run any dynamic routing protocol over GRE/IPSec tunnel. If you have OpenBSD as VPN concentrator you can have SNMP traps when the tunnel is down and take any action etc.
>
> Here is the CISCO implementation:
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cec.html
>
> Hopefully someone will see this and eventually propose an alternate solution or implement keepalives in the distribution.

I already found some pages about how to turn it on in IOS, but they don't bother with any implementation details. Thanks to a kind person who contacted me offlist, I now know how the hack works:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008040a17c.shtml#topic2