On Fri, Sep 20, 2024 at 07:28:35AM +0200, Luca Di Gregorio wrote:
> I achieved to implement the site-to-site vpn via sec0.
> ospfd works on sec0.
>
> A couple of comments:
> when sec0 is created, the default mtu is 1280.
> I changed this value to 1500 and tested with
> ping -D -s ....
> I see that the max mtu is 1446, when the underlay network has mtu 1500.
> So, a scrub ( max-mss 1406 ) should be configured in PF for outgoing
> connections.
> sec0 is quite better than enc0 in this: enc0 has max mtu 1444.
>
> Anyway, AFAIK, sec(4) is a quite new interface, so, I'm wondering if a
> fragment
> reassembly could be possible, to reach max mtu 1500 on sec0.
sec(4) uses the IPsec encapsulation code as is, which copies the DF flag
from the inside packet to the outside one. there's currently no
mechanism to force DF to be set or unset at the moment.
> Other interfaces, such as vxlan(4), do fragment reassembly.
>
> Here you can find my configurations for testing.
>
> Host1
> ------
> # cat /etc/iked.conf
> ikev2 "server1_rsa" passive \
> from 192.168.4.0/30 to 192.168.4.0/30 \
> local 192.168.3.111 peer 192.168.3.121 \
> srcid server1.domain \
> iface sec0
>
> # cat /etc/hostname.sec0
> mtu 1446
> 192.168.4.1 192.168.4.2 netmask 0xfffffffc
> up
>
> Host2
> ------
> # cat /etc/iked.conf
> ikev2 'server2_rsa' active \
> from 192.168.4.0/30 to 192.168.4.0/30 \
> peer 192.168.3.111 \
> srcid server2.domain \
> iface sec0
>
> # cat /etc/hostname.sec0
> mtu 1446
> 192.168.4.2 192.168.4.1 netmask 0xfffffffc
> up
>
>
>
> Il giorno ven 20 set 2024 alle ore 03:16 David Gwynne <david@gwynne.id.au>
> ha scritto:
>
> > On Thu, Sep 19, 2024 at 10:57:42PM +0200, Luca Di Gregorio wrote:
> > > I'm running 7.5, I see this alert:
> > >
> > > # ifconfig sec0 create
> > > # ifconfig sec0 tunnel 169.254.229.42/30 169.254.229.41
> >
> > sorry, this should read:
> >
> > # ifconfig sec0 inet 169.254.229.42/30 169.254.229.41
> >
> > i just committed a fix to the manpage.
> >
> > > ifconfig: error in parsing address string: non-recoverable failure in
> > name
> > > resolution
> > >
> > > I can't configure sec0
> > >
> > > Il giorno gio 19 set 2024 alle ore 21:32 Luca Di Gregorio <
> > lucdig@gmail.com>
> > > ha scritto:
> > >
> > > > Thanks a lot,
> > > >
> > > > I'll try it tomorrow. Unfortunately I won't attend EuroBSDCon,
> > > > anyway, thanks a lot for the invite.
> > > >
> > > > Il giorno gio 19 set 2024 alle ore 21:23 Jason Tubnor <
> > jason@tubnor.net>
> > > > ha scritto:
> > > >
> > > >> Use sec(4) for this. Don???t use enc for anything except inspection.
> > If you
> > > >> are at EuroBSDCon this weekend, come to my talk as I???ll be diving
> > into this
> > > >> exact subject.
> > > >>
> > > >> Cheers,
> > > >>
> > > >> Jason.
> > > >>
> > > >> Sent from my iPhone
> > > >>
> > > >> On 19 Sep 2024, at 7:16???PM, Luca Di Gregorio <lucdig@gmail.com>
> > wrote:
> > > >>
> > > >> ???
> > > >> I configured a site-to-site vpn with ike2,
> > > >> it works for unicast traffic.
> > > >>
> > > >> I need to enable ospf on the 2 hosts via enc0, but
> > > >> ifconfig enc0 shows:
> > > >>
> > > >> enc0: flags=41<UP,RUNNING>
> > > >> index 2 priority 0 llprio 3
> > > >> groups: enc
> > > >> status: active
> > > >> inet .......
> > > >>
> > > >> So, ospfd shows, in /var/log/daemon:
> > > >>
> > > >> ospfd[53563]: if_join_group: error IP_ADD_MEMBERSHIP, interface enc0
> > > >> address 224.0.0.5: Can't assign requested address
> > > >>
> > > >> How can I set the flag MULTICAST on enc0?
> > > >> man ifconfig doesn't say how to to it.
> > > >>
> > > >>
> >
No comments:
Post a Comment