Howdy all,

i was wondering if anyone has any idea if there is a means by which i can detect GRE link state ?

what i have is two sites each with two very unstable internet links
in order to vpn between them i have ipsec tunnels linking each side twice (four ipsec tunnels in total)
i then have 4x GRE tunnels over the top of those in order that i have a secured routable VPN
this gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3
finally i run BIRD over the top which works very well, and synchronises routing tables between the two sites, and allows for me to do such fun as

# /etc/init.d/net.vpn0 stop

and watch all traffic automagically cut over to another link.

so far so awesome.

however, as i said the internet links are very unstable, and sometimes just blackhole. so what i was hoping to do is just enable keepalives on the gre tunnel. which sadly seems to be cisco only.

can anyone suggest a way of detecting if the GRE is not fully connected ? BIRD only fails over if the net.vpn0 device is down (ifconfig up/down) and for the life of me i cannot find how to detect if a GRE tunnel is 'connected', it seems to just blindly send packets to the remote IP. is my only choice to use L2TP instead ?

thanks in advance for any suggestions;

PS if i'm on the wrong list i'd welcome a friendly push to the correct list
Hi

What routing protocol do you run ? Would it be possible to just lower the hellos in the used protocol so it detects a link loss faster ?

Regards

Matthias

On 05/09/13 17:07, thegeezer wrote:
> Howdy all, i was wondering if anyone has any idea if there is a means by which i can detect GRE link state ?
> what i have is two sites each with two very unstable internet links in order to vpn between them i have ipsec tunnels linking each side twice (four ipsec tunnels in total) i then have 4x GRE tunnels over the top of those in order that i have a secured routable VPN this gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3 finally i run BIRD over the top which works very well, and synchronises routing tables between the two sites, and allows for me to do such fun as # /etc/init.d/net.vpn0 stop and watch all traffic automagically cut over to another link.
> so far so awesome.
> however, as i said the internet links are very unstable, and sometimes just blackhole. so what i was hoping to do is just enable keepalives on the gre tunnel. which sadly seems to be cisco only.
> can anyone suggest a way of detecting if the GRE is not fully connected ? BIRD only fails over if the net.vpn0 device is down (ifconfig up/down) and for the life of me i cannot find how to detect if a GRE tunnel is 'connected', it seems to just blindly send packets to the remote IP. is my only choice to use L2TP instead ?
> thanks in advance for any suggestions; PS if i'm on the wrong list i'd welcome a friendly push to the correct list
-- Matthias Cramer, Erachfeldstrasse 1b, CH-8180 Bülach http://www.freestone.net GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250
It's OSPF, and it has the setting tick 2; but even after 2 seconds the lossy link is not detected

tcpdump definitely confirms that traffic is sending on routerA down vpn0 but not receiving at the routerB vpn0

the issue is showing up with SIP phones that are using the vpn, and the udp stream continues to push out through the lossy link. however new connections are then sent via another i.e. vpn1

On 09/05/2013 04:30 PM, Matthias Cramer wrote:
> Hi
> What routing protocol do you run ? Would it be possible to just lower the hellos in the used protocol so it detects a link loss faster ?
> Regards
> Matthias
> On 05/09/13 17:07, thegeezer wrote:
> > Howdy all, i was wondering if anyone has any idea if there is a means by which i can detect GRE link state ?
> > what i have is two sites each with two very unstable internet links in order to vpn between them i have ipsec tunnels linking each side twice (four ipsec tunnels in total) i then have 4x GRE tunnels over the top of those in order that i have a secured routable VPN this gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3 finally i run BIRD over the top which works very well, and synchronises routing tables between the two sites, and allows for me to do such fun as # /etc/init.d/net.vpn0 stop and watch all traffic automagically cut over to another link.
> > so far so awesome.
> > however, as i said the internet links are very unstable, and sometimes just blackhole. so what i was hoping to do is just enable keepalives on the gre tunnel. which sadly seems to be cisco only.
> > can anyone suggest a way of detecting if the GRE is not fully connected ? BIRD only fails over if the net.vpn0 device is down (ifconfig up/down) and for the life of me i cannot find how to detect if a GRE tunnel is 'connected', it seems to just blindly send packets to the remote IP. is my only choice to use L2TP instead ?
> > thanks in advance for any suggestions; PS if i'm on the wrong list i'd welcome a friendly push to the correct list
Hello

GRE is connectionless, so there is no such thing as connected or disconnected GRE tunnel. I would prefer (and suggest) GRE (or IPIP) before any stateful tunnel like L2TP.

On Thu, Sep 05, 2013 at 04:58:09PM +0100, thegeezer wrote:
> It's OSPF, and it has the setting tick 2; but even after 2 seconds the lossy link is not detected

Tick does something different, do not set it (keep it on default value 1). You want these OSPF interface options:

hello 2; retransmit 1; dead 6;

You could try some other values, but these are probably minimal sane values,

-- Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
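Where the options from the reply above sit in bird.conf, shown as an added example that is not part of the original thread. The BIRD 1.x-style syntax, the interface pattern "vpn*", area 0 and the ptp link type are assumptions; only the three timer values come from the reply.

```conf
# bird.conf fragment (BIRD 1.x-style syntax), same block on both routers.
# Assumed: the tunnel devices are named vpn0..vpn3 and all sit in area 0.
protocol ospf {
    # "tick" is left at its default of 1. It only sets how often the
    # routing table is recalculated after link-state changes arrive;
    # it has no effect on how quickly a silent neighbour is noticed.
    area 0 {
        interface "vpn*" {
            type ptp;        # assumed: each GRE tunnel is a point-to-point link
            hello 2;         # send a Hello every 2 seconds
            retransmit 1;    # resend unacknowledged LSAs after 1 second
            dead 6;          # neighbour is down after 6 seconds without a Hello
        };
    };
}
```

The hello and dead intervals are carried in OSPF Hello packets and must be identical on both ends of a tunnel, otherwise the adjacency does not form.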
OK thanks very much. I will give this a go and let you know :)

> Hello
> GRE is connectionless, so there is no such thing as connected or disconnected GRE tunnel. I would prefer (and suggest) GRE (or IPIP) before any stateful tunnel like L2TP.
> On Thu, Sep 05, 2013 at 04:58:09PM +0100, thegeezer wrote:
> > It's OSPF, and it has the setting tick 2; but even after 2 seconds the lossy link is not detected
> Tick does something different, do not set it (keep it on default value 1). You want these OSPF interface options:
> hello 2; retransmit 1; dead 6;
> You could try some other values, but these are probably minimal sane values,
> -- Elen sila lumenn' omentielvo
> Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."