I managed to implement the site-to-site VPN via sec0.
# cat /etc/hostname.sec0
mtu 1446
192.168.4.2 192.168.4.1 netmask 0xfffffffc
up
ospfd works on sec0.
A couple of comments:
When sec0 is created, the default mtu is 1280.
I changed this value to 1500 and tested with
ping -D -s ....
I see that the max mtu is 1446 when the underlay network has mtu 1500.
So, a scrub (max-mss 1406) should be configured in PF for outgoing connections.
sec0 is somewhat better than enc0 in this respect: enc0 has a max mtu of 1444.
Anyway, AFAIK, sec(4) is quite a new interface, so I'm wondering whether fragment
reassembly could be possible, to reach a max mtu of 1500 on sec0.
Other interfaces, such as vxlan(4), do fragment reassembly.
Here you can find my configurations for testing.
Host1
------
# cat /etc/iked.conf
ikev2 "server1_rsa" passive \
from 192.168.4.0/30 to 192.168.4.0/30 \
local 192.168.3.111 peer 192.168.3.121 \
srcid server1.domain \
iface sec0
# cat /etc/hostname.sec0
mtu 1446
192.168.4.1 192.168.4.2 netmask 0xfffffffc
up
Host2
------
# cat /etc/iked.conf
ikev2 'server2_rsa' active \
from 192.168.4.0/30 to 192.168.4.0/30 \
peer 192.168.3.111 \
srcid server2.domain \
iface sec0
# cat /etc/hostname.sec0
mtu 1446
192.168.4.2 192.168.4.1 netmask 0xfffffffc
up
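The MTU probing described above with ping -D -s, as an added example that is not part of the original thread or of OpenBSD's own tooling: a POSIX sh script that binary-searches the largest Don't-Fragment echo payload that gets through the tunnel, then derives the sec0 mtu and the PF max-mss value from it. The peer address 192.168.4.1, the script name find_sec0_mtu.sh and the helper names (probe_ping, find_max_payload) are assumptions; the 28-byte (IPv4 + ICMP echo) and 40-byte (IPv4 + TCP) header sizes are the minimum headers without options.

```shell
#!/bin/sh
# Added example, not from the original thread. Finds the largest ping(8)
# payload that passes with the Don't Fragment bit set, then derives the
# tunnel MTU and the PF max-mss value. Assumes an IPv4 path and OpenBSD
# ping(8) flags (-D, -s, -c, -w); the peer address below is a placeholder.

# Hypothetical far end of sec0; override with PEER=... in the environment.
PEER=${PEER:-192.168.4.1}

# Default probe: one DF-marked echo of $1 payload bytes to host $2.
# Exit status 0 means the reply came back, i.e. the size fits the path.
probe_ping() {
    ping -D -c 1 -w 1 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload PROBE LO HI HOST
# Largest payload in [LO, HI] for which PROBE succeeds. Assumes the path
# is monotone: if size N fits, every size below N fits too.
find_max_payload() {
    probe=$1; lo=$2; hi=$3; host=$4
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid
            lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# MTU = IPv4 header (20) + ICMP echo header (8) + payload.
payload_to_mtu() { echo $(( $1 + 28 )); }

# TCP MSS that fits in the MTU: subtract IPv4 (20) + TCP (20) headers.
mtu_to_mss() { echo $(( $1 - 40 )); }

main() {
    # 1472 is the largest payload that fits an untunnelled 1500-byte link.
    payload=$(find_max_payload probe_ping 1000 1472 "$PEER")
    mtu=$(payload_to_mtu "$payload")
    mss=$(mtu_to_mss "$mtu")
    echo "max DF payload: $payload -> tunnel mtu $mtu"
    echo "hostname.sec0 line:  mtu $mtu"
    echo "pf.conf rule:        match out on sec0 scrub (max-mss $mss)"
}

# Only probe the live peer when asked to, so the file can also be sourced.
case "${1:-}" in
    run) main ;;
esac
```

Run it as `sh find_sec0_mtu.sh run` from one end of the tunnel once sec0 is up with its default mtu raised. A payload of 1418 corresponds to mtu 1446 and max-mss 1406, the values used in the configurations above; the binary search only needs about nine probes instead of stepping through every size by hand.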
On Fri, 20 Sep 2024 at 03:16 David Gwynne <david@gwynne.id.au> wrote:
On Thu, Sep 19, 2024 at 10:57:42PM +0200, Luca Di Gregorio wrote:
> I'm running 7.5, I see this alert:
>
> # ifconfig sec0 create
> # ifconfig sec0 tunnel 169.254.229.42/30 169.254.229.41
sorry, this should read:
# ifconfig sec0 inet 169.254.229.42/30 169.254.229.41
i just committed a fix to the manpage.
> ifconfig: error in parsing address string: non-recoverable failure in name
> resolution
>
> I can't configure sec0
>
> On Thu, 19 Sep 2024 at 21:32 Luca Di Gregorio <lucdig@gmail.com>
> wrote:
>
> > Thanks a lot,
> >
> > I'll try it tomorrow. Unfortunately I won't attend EuroBSDCon,
> > anyway, thanks a lot for the invite.
> >
> > On Thu, 19 Sep 2024 at 21:23 Jason Tubnor <jason@tubnor.net>
> > wrote:
> >
> >> Use sec(4) for this. Don't use enc for anything except inspection. If you
> >> are at EuroBSDCon this weekend, come to my talk as I'll be diving into this
> >> exact subject.
> >>
> >> Cheers,
> >>
> >> Jason.
> >>
> >> Sent from my iPhone
> >>
> >> On 19 Sep 2024, at 7:16 PM, Luca Di Gregorio <lucdig@gmail.com> wrote:
> >>
> >> I configured a site-to-site vpn with ike2,
> >> it works for unicast traffic.
> >>
> >> I need to enable ospf on the 2 hosts via enc0, but
> >> ifconfig enc0 shows:
> >>
> >> enc0: flags=41<UP,RUNNING>
> >> index 2 priority 0 llprio 3
> >> groups: enc
> >> status: active
> >> inet .......
> >>
> >> So, ospfd shows, in /var/log/daemon:
> >>
> >> ospfd[53563]: if_join_group: error IP_ADD_MEMBERSHIP, interface enc0
> >> address 224.0.0.5: Can't assign requested address
> >>
> >> How can I set the flag MULTICAST on enc0?
> >> man ifconfig doesn't say how to do it.
> >>
> >>