GRE tunnels anyone?

Mire, John jmire at lsuhsc.edu
Tue Oct 11 14:28:36 PDT 2005


In the past, with RELEASE-4.X we had multiple tunnels coming in to our
7206VXR, I can't put my hands on the IOS config at the moment but here's
the startup script used on the two remote boxes.

#!/bin/sh
#################################################################
#
# /usr/local/etc/rc.d/tunnel.sh - configure gif tunnels and ipsec
# $Id: tunnel.sh,v 1.3 2002/05/13 14:21:30 jmire Exp $
#
# Usage: tunnel.sh [yes]
#   With a single argument "yes" (any case) the gif tunnel is brought up
#   but the IPsec policy is NOT loaded (useful for testing the tunnel alone).
#
#################################################################

# Default to loading the IPsec policy; only an explicit "yes" disables it.
# (Setting the default first also covers the case of more than one argument.)
disable_config_ipsec="NO"
if [ "$#" -eq 1 ]; then
   case "$1" in
       [Yy][Ee][Ss])
           disable_config_ipsec="YES"
           ;;
       *)
           disable_config_ipsec="NO"
           ;;
   esac
fi

# Function definitions
f_ipsecinit1() {
        /usr/sbin/setkey -FP                # flush the SPD entries
        /usr/sbin/setkey -F                 # flush the SAD entries
} # end f_ipsecinit1

f_gifconfig1() {
        ifconfig $GIF destroy 2>/dev/null   # make sure gif doesn't exist with old config
        ifconfig $GIF create                # create gif interface
        gifconfig $GIF $BSD1_PUB $BSD2_PUB  # setup the tunnel endpoints (RELEASE-4.X; 5.X and later use "ifconfig $GIF tunnel ...")
        ifconfig $GIF inet $BSD1_IP $BSD2_IP netmask $NETMASK # setup the network connects inside tunnel
        route add $BSD2_NET $BSD2_IP        # setup the route
} # end f_gifconfig1

f_confipsec1() {
        # policy on the gif-encapsulated packets between the public endpoints;
        # "require" means the packets are dropped unless an SA exists
        /usr/sbin/setkey -c << EOF
        spdadd $BSD1_PUB $BSD2_PUB any -P out ipsec esp/tunnel/${BSD1_PUB}-${BSD2_PUB}/require;
        spdadd $BSD2_PUB $BSD1_PUB any -P in ipsec esp/tunnel/${BSD2_PUB}-${BSD1_PUB}/require;
EOF
} # end f_confipsec1

f_confipsec3() {
        # alternative (not called below): policy on the inner networks,
        # tunnelled between the gif addresses
        /usr/sbin/setkey -c << EOF
        spdadd $BSD1_NET $BSD2_NET any -P out ipsec esp/tunnel/${BSD1_IP}-${BSD2_IP}/require;
        spdadd $BSD2_NET $BSD1_NET any -P in ipsec esp/tunnel/${BSD2_IP}-${BSD1_IP}/require;
EOF
} # end f_confipsec3

# Function names use underscores: /bin/sh does not accept '-' in a function name.
f_config_remote1() {
##############################################################
# gif0:   flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
#         tunnel inet 24.242.107.143 --> 206.176.175.6
#         inet 192.168.1.1 --> 192.168.4.1 netmask 0xffffff00
#

# set local variables
# gif0, 24.242.107.143, 205.166.221.1, 192.168.1.1, 192.168.4.1
        local GIF="gif0"
        local BSD2_IP="192.168.4.1"
        local BSD2_NET="192.168.4.0/24"
        local BSD2_PUB="206.176.175.6"
        local BSD1_IP="192.168.1.1"
        local BSD1_NET="192.168.1.0/24"
        local BSD1_PUB="24.242.107.143"
        local NETMASK="255.255.255.0"
        f_gifconfig1 > /dev/null            # set gif0 config
        ifconfig $GIF                       # check config
        case ${disable_config_ipsec} in
        [Nn][Oo])
                f_confipsec1                # set policy
                setkey -DP                  # dump the SPD for verification
                ;;
        *)
                ;;
        esac
} # end f_config_remote1

f_config_remote2() {
#############################################################
# gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
#         tunnel inet 207.254.204.147 --> 206.176.175.6
#         inet 192.168.0.5 --> 192.168.0.6 netmask 0xfffffffc
#

# gif0, 207.254.204.147, 205.166.221.1, 192.168.0.5, 192.168.0.6
        local GIF="gif0"
        local BSD2_IP="192.168.0.6"
        local BSD2_NET="192.168.4.0/24"
        local BSD2_PUB="206.176.175.6"
        local BSD1_IP="192.168.0.5"
        local BSD1_NET="192.168.3.0/24"
        local BSD1_PUB="207.254.204.147"
        local NETMASK="255.255.255.252"
        f_gifconfig1 > /dev/null            # set gif0 config
        ifconfig $GIF                       # check config
        case ${disable_config_ipsec} in
        [Nn][Oo])
                f_confipsec1                # set policy
                setkey -DP                  # dump the SPD for verification
                ;;
        *)
                ;;
        esac
} # end f_config_remote2

# main
#############################################################

HOSTNAME=`/bin/hostname -s`

# kill racoon if running
killall racoon 2>/dev/null

f_ipsecinit1    # initialize

case $HOSTNAME in
        Remote1)
                echo $HOSTNAME
                f_config_remote1
        ;;
        Remote2)
                echo $HOSTNAME
                f_config_remote2
        ;;
        *)
                echo "$0: no tunnel configuration for host $HOSTNAME" >&2
        ;;
esac
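
As an added example, not part of John's script or any FreeBSD tool, here is a small check that a box can run after the policy load to confirm the SPD really protects both directions of the tunnel. The script above calls "setkey -DP" only to print the policy; the check below parses that dump and insists on an ESP tunnel policy at level "require" for the out and the in direction, since a missing inbound entry or a level of "use" would let unprotected packets through when no SA is up. The two dumps embedded in it are constructed samples in the setkey -DP format, using the Remote1 addresses from the script; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an SPD dump, as
# printed by `setkey -DP`, carries an ESP tunnel policy with level "require"
# for BOTH directions of a gif tunnel between two public endpoints.

# Constructed sample of `setkey -DP` output for the Remote1 box (good case).
GOOD_SPD='24.242.107.143[any] 206.176.175.6[any] any
        out ipsec
        esp/tunnel/24.242.107.143-206.176.175.6/require
        spid=1 seq=1 pid=1234
        refcnt=1
206.176.175.6[any] 24.242.107.143[any] any
        in ipsec
        esp/tunnel/206.176.175.6-24.242.107.143/require
        spid=2 seq=0 pid=1234
        refcnt=1'

# Constructed sample where the inbound policy was loaded with level "use":
# cleartext inbound packets would still be accepted when no SA exists.
WEAK_SPD='24.242.107.143[any] 206.176.175.6[any] any
        out ipsec
        esp/tunnel/24.242.107.143-206.176.175.6/require
        spid=1 seq=1 pid=1234
        refcnt=1
206.176.175.6[any] 24.242.107.143[any] any
        in ipsec
        esp/tunnel/206.176.175.6-24.242.107.143/use
        spid=2 seq=0 pid=1234
        refcnt=1'

# spd_has_require DUMP SRC DST DIR ENDPOINTS
# Returns 0 if DUMP contains a policy "SRC[any] DST[any] any" in direction
# DIR whose request line is exactly "esp/tunnel/ENDPOINTS/require".
spd_has_require() {
        printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v dir="$4" -v ep="$5" '
        BEGIN { wsrc = src "[any]"; wdst = dst "[any]"; want = "esp/tunnel/" ep "/require" }
        /^[^ \t]/ { sel = ($1 == wsrc && $2 == wdst); dirok = 0; next }  # selector line starts a record
        sel && $1 == dir && $2 == "ipsec" { dirok = 1; next }             # direction line
        sel && dirok && $1 == want { found = 1 }                          # request line
        END { exit found ? 0 : 1 }'
}

# check_tunnel_policies DUMP LOCAL_PUB REMOTE_PUB
# Succeeds only when the outbound and the inbound policy both require ESP.
check_tunnel_policies() {
        spd_has_require "$1" "$2" "$3" out "$2-$3" &&
        spd_has_require "$1" "$3" "$2" in  "$3-$2"
}

# report LABEL DUMP - print a one-line verdict for a dump
report() {
        if check_tunnel_policies "$2" 24.242.107.143 206.176.175.6; then
                echo "$1: both directions require an ESP tunnel"
        else
                echo "$1: missing or weak IPsec policy" >&2
        fi
}

# On a real box the dump would come from the kernel:
#   check_tunnel_policies "`setkey -DP`" "$BSD1_PUB" "$BSD2_PUB"
report GOOD "$GOOD_SPD"
report WEAK "$WEAK_SPD"
```

Running it against the live SPD right after f_confipsec1 (and failing the startup if the check does not pass) turns the "setkey -DP" eyeball step in the script into an actual gate.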
-----Original Message-----
From: owner-freebsd-net at freebsd.org [mailto:owner-freebsd-net at freebsd.org]
On Behalf Of Danny Howard
Sent: Tuesday, October 11, 2005 3:20 PM
To: Joshua Weaver
Cc: freebsd-net at freebsd.org; 'free bsd'
Subject: Re: GRE tunnels anyone?

On Tue, Oct 11, 2005 at 01:06:58PM -0500, Joshua Weaver wrote:
> The company I work for uses a lot of multicast tunnels, usually with a
> QOS/GRE implementation with quite pricy hardware.  I googled around a bit,
> it looks like basic vpn is supported for FreeBSD. I guess my questions are
> 
> 1.)    Does FreeBSD play well with vpn-capable routers  (like a 3Com 5012)
> 
> 2.)    Would getting acceptable latency tunneling multicast mean hardware
> that's just as expensive as a router costing thousands?

Joshua,

We run a tunnel using gif interfaces, managed by racoon.  The
performance is less than super, but I think that's a constraint of our
network resources.

My answer would be: "Why not grab a spare box and try it out?"  If the
day's diversion may lead you to saving thousands, then please spend a
little more effort and write a brief article on a blog or a journal
somewhere to help the next person who comes along asking your question.
:)

The handbook has a great chapter on how-to-setup-a-tunnel-from-scratch,
though it sounds like you don't need a lot of hand-holding.

I would LIKE to think that if we spent a bit of cash on proper VPN
hardware, that tunnel maintenance would be easier and performance might
be better.  Well, that's an aside.

Good Luck,
-danny

-- 
http://dannyman.toldme.com/