GRE tunnels anyone?
Mire, John
jmire at lsuhsc.edu
Tue Oct 11 14:28:36 PDT 2005
In the past, with RELEASE-4.X we had multiple tunnels coming in to our
7206VXR. I can't put my hands on the IOS config at the moment, but here's
the startup script used on the two remote boxes.
#!/bin/sh
#################################################################
#
# /usr/local/etc/rc.d/tunnel.sh - configure gif tunnels and ipsec
# $Id: tunnel.sh,v 1.3 2002/05/13 14:21:30 jmire Exp $
#
# Usage: tunnel.sh [yes]
#   A single argument of "yes" (any case) skips the IPsec policy
#   setup and brings up the bare gif tunnel only.
#
#################################################################
# Argument parsing. Default to configuring IPsec, so that an
# unexpected number of arguments never silently leaves the tunnel
# without a policy.
disable_config_ipsec="NO"
if [ "$#" -eq 1 ]; then
    case "$1" in
        [Yy][Ee][Ss])
            disable_config_ipsec="YES"
            ;;
        *)
            disable_config_ipsec="NO"
            ;;
    esac
fi

#################################################################
# Function definitions
# (Note: function names containing "-" worked in the 4.x /bin/sh this
# ran under; other shells may require underscores instead.)
#################################################################
f_ipsecinit1() {
    /usr/sbin/setkey -FP    # flush the SPD (policy) entries
    /usr/sbin/setkey -F     # flush the SAD (security association) entries
} # end f_ipsecinit1

f_gifconfig1() {
    ifconfig $GIF destroy               # make sure gif doesn't exist with old config
    ifconfig $GIF create                # create gif interface
    gifconfig $GIF $BSD1_PUB $BSD2_PUB  # set up the tunnel endpoints (outer addresses;
                                        # gifconfig(8) is the 4.x tool for this)
    ifconfig $GIF inet $BSD1_IP $BSD2_IP netmask $NETMASK  # set up the network
                                        # connections inside the tunnel
    route add $BSD2_NET $BSD2_IP        # route the remote network through the tunnel
} # end f_gifconfig1

# Policy on the outer (public) endpoints: every packet between the two
# public addresses, including the gif encapsulation, must go through
# an ESP tunnel SA ("require" means no cleartext fallback).
f_confipsec1() {
    /usr/sbin/setkey -c << EOF
spdadd $BSD1_PUB $BSD2_PUB any -P out ipsec
esp/tunnel/${BSD1_PUB}-${BSD2_PUB}/require;
spdadd $BSD2_PUB $BSD1_PUB any -P in ipsec
esp/tunnel/${BSD2_PUB}-${BSD1_PUB}/require;
EOF
} # end f_confipsec1

# Alternative (defined but not used below): policy keyed on the inner
# networks, tunnelled between the inner gif addresses.
f_confipsec3() {
    /usr/sbin/setkey -c << EOF
spdadd $BSD1_NET $BSD2_NET any -P out ipsec
esp/tunnel/${BSD1_IP}-${BSD2_IP}/require;
spdadd $BSD2_NET $BSD1_NET any -P in ipsec
esp/tunnel/${BSD2_IP}-${BSD1_IP}/require;
EOF
} # end f_confipsec3

f_config-remote1() {
    ##############################################################
    # gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    # tunnel inet 24.242.107.143 --> 206.176.175.6
    # inet 192.168.1.1 --> 192.168.4.1 netmask 0xffffff00
    #
    # set local variables
    # gif0, 24.242.107.143, 205.166.221.1, 192.168.1.1, 192.168.4.1
    local GIF="gif0"
    local BSD2_IP="192.168.4.1"
    local BSD2_NET="192.168.4.0/24"
    local BSD2_PUB="206.176.175.6"
    local BSD1_IP="192.168.1.1"
    local BSD1_NET="192.168.1.0/24"
    local BSD1_PUB="24.242.107.143"
    local NETMASK="255.255.255.0"
    f_gifconfig1 > /dev/null    # set gif0 config
    ifconfig $GIF               # check config
    case ${disable_config_ipsec} in
        [Nn][Oo])
            f_confipsec1        # set policy
            setkey -DP          # dump the SPD so the installed policy is visible
            ;;
        *)
            ;;
    esac
} # end f_config-remote1

f_config-remote2() {
    #############################################################
    # gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    # tunnel inet 207.254.204.147 --> 206.176.175.6
    # inet 192.168.0.5 --> 192.168.0.6 netmask 0xfffffffc
    #
    # gif0, 207.254.204.147, 205.166.221.1, 192.168.0.5, 192.168.0.6
    local GIF="gif0"
    local BSD2_IP="192.168.0.6"
    local BSD2_NET="192.168.4.0/24"
    local BSD2_PUB="206.176.175.6"
    local BSD1_IP="192.168.0.5"
    local BSD1_NET="192.168.3.0/24"
    local BSD1_PUB="207.254.204.147"
    local NETMASK="255.255.255.252"
    f_gifconfig1 > /dev/null    # set gif0 config
    ifconfig $GIF               # check config
    case ${disable_config_ipsec} in
        [Nn][Oo])
            f_confipsec1        # set policy
            setkey -DP          # dump the SPD so the installed policy is visible
            ;;
        *)
            ;;
    esac
} # end f_config-remote2

#############################################################
# main
#############################################################
HOSTNAME=`/bin/hostname -s`
# kill racoon if running, so no SAs negotiated against the old policy survive
killall racoon
f_ipsecinit1    # initialize: flush existing policies and SAs
case $HOSTNAME in
    Remote1)
        echo $HOSTNAME
        f_config-remote1
        ;;
    Remote2)
        echo $HOSTNAME
        f_config-remote2
        ;;
esac
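As an added sanity check, not part of the post or the script above, the Python below parses the spdadd statements that f_confipsec1 feeds to setkey and verifies what a gif-over-IPsec setup depends on: a policy in both directions, level "require" (so nothing falls back to cleartext), and selector and tunnel endpoints that match the gif outer addresses. The sample text uses the remote1 values from the script.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the remote1 parameters from the script above and the
# SPD text its f_confipsec1 function feeds to setkey (values from the post).
LOCAL_PUB, REMOTE_PUB = "24.242.107.143", "206.176.175.6"
SPD_TEXT = """
spdadd 24.242.107.143 206.176.175.6 any -P out ipsec
    esp/tunnel/24.242.107.143-206.176.175.6/require;
spdadd 206.176.175.6 24.242.107.143 any -P in ipsec
    esp/tunnel/206.176.175.6-24.242.107.143/require;
"""

class Policy(NamedTuple):
    src: str
    dst: str
    proto: str
    direction: str
    tun_src: str
    tun_dst: str
    level: str

# One spdadd statement as the script writes it: selector, direction, ESP tunnel spec.
SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^\s-]+)-([^\s/]+)/(\w+)\s*;")

def parse_spd(text: str) -> List[Policy]:
    return [Policy(*m.groups()) for m in SPDADD.finditer(text)]

def check_tunnel_policy(policies: List[Policy], local_pub: str, remote_pub: str) -> List[str]:
    """Return findings; an empty list means all traffic between the two gif
    endpoints is covered by a mandatory ESP tunnel policy in both directions."""
    findings = []
    seen = set()
    for p in policies:
        # "use" or "default" would let traffic pass in the clear when no SA exists
        if p.level != "require":
            findings.append(f"{p.direction}: level '{p.level}' permits cleartext fallback")
        expect = (local_pub, remote_pub) if p.direction == "out" else (remote_pub, local_pub)
        if (p.src, p.dst) != expect or (p.tun_src, p.tun_dst) != expect:
            findings.append(f"{p.direction}: policy {p.src}->{p.dst} via "
                            f"{p.tun_src}-{p.tun_dst} does not match gif endpoints "
                            f"{expect[0]}->{expect[1]}")
        seen.add(p.direction)
    for d in ("out", "in"):
        if d not in seen:
            findings.append(f"no {d} policy: {d}bound gif traffic would pass unprotected")
    return findings
```

Feeding it the output of `setkey -DP` would need a second parser for that dump format; here the check runs on the policy text before it is loaded.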
-----Original Message-----
From: owner-freebsd-net at freebsd.org [mailto:owner-freebsd-net at freebsd.org]
On Behalf Of Danny Howard
Sent: Tuesday, October 11, 2005 3:20 PM
To: Joshua Weaver
Cc: freebsd-net at freebsd.org; 'free bsd'
Subject: Re: GRE tunnels anyone?
On Tue, Oct 11, 2005 at 01:06:58PM -0500, Joshua Weaver wrote:
> The company I work for uses a lot of multicast tunnels, usually with a
> QOS/GRE implementation with quite pricy hardware. I googled around a bit,
> it looks like basic vpn is supported for FreeBSD. I guess my questions are
>
> 1.) Does FreeBSD play well with vpn-capable routers (like a 3Com 5012)
>
> 2.) Would getting acceptable latency tunneling multicast mean hardware
> that's just as expensive as a router costing thousands?
Joshua,
We run a tunnel using gif interfaces, managed by racoon. The
performance is less than super, but I think that's a constraint of our
network resources.
My answer would be: "Why not grab a spare box and try it out?" If the
day's diversion may lead you to saving thousands, then please spend a
little more effort and write a brief article on a blog or a journal
somewhere to help the next person who comes along asking your question.
:)
The handbook has a great chapter on how-to-setup-a-tunnel-from-scratch,
though it sounds like you don't need a lot of hand-holding.
I would LIKE to think that if we spent a bit of cash on proper VPN
hardware, that tunnel maintenance would be easier and performance might
be better. Well, that's an aside.
Good Luck,
-danny
--
http://dannyman.toldme.com/