On Fri, Mar 15, 2019 at 07:48:55AM +0100, Otto Moerbeek wrote:

> On Fri, Mar 15, 2019 at 04:44:52PM +1000, David Gwynne wrote:
> 
> > 
> > 
> > > On 15 Mar 2019, at 16:37, Otto Moerbeek <o...@drijf.net> wrote:
> > > 
> > > On Fri, Mar 15, 2019 at 04:15:55PM +1000, David Gwynne wrote:
> > > 
> > >> 
> > >> 
> > >>> On 14 Mar 2019, at 19:36, Otto Moerbeek <o...@drijf.net> wrote:
> > >>> 
> > >>> Hi,
> > >>> 
> > >>> So I have a little IPv6 problem.
> > >>> 
> > >>> I have a machine in colocation that has IPv6. I have my home cable
> > >>> modem connection that does not have it.
> > >>> 
> > >>> So I thought: I make my own tunnel. First I tried gif(4), that worked,
> > >>> but only after some fighting with mtu settings on all hosts on my home
> > >>> net via rad. Performance was kinda bad. So I'm looking for an
> > >>> alternative. I thought: IPSEC should be able to do this.
> > >>> 
> > >>> I have a flow from my locally created IPv6 net to any and vice versa.
> > >>> The flow itself works.
> > >>> 
> > >>> There I ran into the trouble that you cannot specify a default
> > >>> gateway, since my remote gw (the host in colo) is not reachable
> > >>> according to route(8).
> > >>> 
> > >>> How does one solve the default route problem? I never really
> > >>> understood how routing works in the presence of IPSEC flows.
> > >> 
> > >> Can you elaborate on what gif and slow meant? Also, you should be able
> > >> to use gif with whatever MTU you want, even 1500 on the gif interface
> > >> and fragments over the internet. You could also try gre, but I doubt it
> > >> would be different to gif in terms of performance and support for
> > >> MTU/fragmentation.
> > >> 
> > >> If you want ipsec and routes, you would still use tunnel and get IPsec
> > >> to protect it. Or you could trick someone into making something like
> > >> Cisco's vti a thing in OpenBSD.
> > >> 
> > >> dlg
> > > 
> > > gif tunnel:
> > > 
> > > ifconfig gif0 inet6 2a02:898:216:3::2 2a02:898:216:3::1 prefixlen 128
> > > 
> > > and vice versa on the other end.
> > > 
> > > So gif tunnel with default options. With that it showed an mtu of
> > > 1280 in ifconfig so I assumed that would be the max. I have a
> > > 200 Mb/s cable connection. Downloading IPv4 I reach that. With IPv6
> > > often it would be 10% of that. Plus it would only work reliably if the
> > > hosts in my net use an mtu of 1280 (manually or via rad).
> > 
> > I wonder why PMTUD isn't working in this situation.
> > 
> > > I now have an ipsec tunnel and that does 55 Mb/s (APU2 on both
> > > ends) without any need for config on the hosts in my local net.
> > 
> > Did you have to clamp your internal MTU for that to work too?
> 
> Nope, like I said nothing special. I run rand without any options on

Make that rad(8)

> the gw and just inet6 autoconf on the hosts.
> 
> > 
> > dlg
> 
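For reference, here is what the gif(4) setup discussed in the thread looks like as persistent hostname.if(5) files on both ends, with the 1500-byte MTU dlg suggests in place of the 1280 default that forced the LAN hosts to clamp. This is an added example, not the configuration Otto or dlg posted: the outer IPv4 endpoints (192.0.2.1, 198.51.100.1) and the home LAN prefix (2001:db8:100::/64) are placeholders from the documentation ranges; only the inner 2a02:898:216:3::/128 addresses come from the thread.

```conf
# /etc/hostname.gif0 on the home gateway (added example, not the thread's config).
# Outer IPv4 endpoints are placeholders: local first, remote second.
tunnel 192.0.2.1 198.51.100.1
# Inner IPv6 point-to-point addresses as posted in the thread.
inet6 2a02:898:216:3::2 2a02:898:216:3::1 prefixlen 128
# gif defaults to 1280. At 1500 the inner IPv6 packets are carried whole and the
# outer IPv4 packets fragment on the path instead of every LAN host having to
# be told an MTU of 1280 via rad(8).
mtu 1500
up
# With gif the default route can simply point at the peer's inner address,
# which is what the IPsec flow setup in the thread could not express.
!route add -inet6 default 2a02:898:216:3::1

# /etc/hostname.gif0 on the colo host: the same with the ends swapped.
tunnel 198.51.100.1 192.0.2.1
inet6 2a02:898:216:3::1 2a02:898:216:3::2 prefixlen 128
mtu 1500
up
# Send the home LAN prefix (placeholder) back through the tunnel.
!route add -inet6 2001:db8:100::/64 2a02:898:216:3::2
```

Both hosts also need net.inet6.ip6.forwarding=1 in sysctl.conf(5) for the LAN traffic to cross the tunnel.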