Asking the same question on the bird mailing list, I was recommended some
values to make bird take the GRE tunnels down faster.
Multiple tunnels are required due to the very unreliable internet, so
one tunnel goes over one DSL link, another goes over another.
DPD timeouts are 30 seconds minimum, which is too long.
I'll keep you posted if the bird recommendations work better.


On 09/07/2013 07:23 PM, Mick wrote:
> On Thursday 05 Sep 2013 15:49:55 thegeezer wrote:
>> Howdy all,
>> I was wondering if anyone has any idea if there is a means by which I
>> can detect GRE link state?
>>
>> What I have is two sites each with two very unstable internet links.
>> In order to VPN between them I have IPsec tunnels linking each side
>> twice (four IPsec tunnels in total).
> I am not sure why you need 4 tunnels, you could just use 1 tunnel as a
> gateway to gateway setup, but I assume that your particular network topology
> satisfies your requirements.
>
>
>> I then have 4x GRE tunnels over the top of those in order that I have a
>> secured routable VPN.
>> This gives me net.vpn0 net.vpn1 net.vpn2 and net.vpn3.
>> Finally I run BIRD over the top, which works very well, and synchronises
>> routing tables between the two sites, and allows for me to do such fun as
>> # /etc/init.d/net.vpn0 stop
>> and watch all traffic automagically cut over to another link.
>>
>> so far so awesome.
>>
>> However, as I said the internet links are very unstable, and sometimes
>> just blackhole. So what I was hoping to do is just enable keepalives on
>> the GRE tunnel, which sadly seems to be Cisco only.
> I'm no Cisco expert, but I thought that the keepalives are disabled when you 
> use IPSec, because IPSec had Dead Peer Detection for this purpose?
>
>
>> Can anyone suggest a way of detecting if the GRE is not fully connected?
>> BIRD only fails over if the net.vpn0 device is down (ifconfig up/down)
>> and for the life of me I cannot find how to detect if a GRE tunnel is
>> 'connected'; it seems to just blindly send packets to the remote IP.
>> Is my only choice to use L2TP instead?
> Set your IKE lifetime to something like 86400 sec and your SA lifetime at
> something like 3600, with dpd enabled and it should (hopefully) work.  L2TP
> is not needed.
>


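Since plain GRE has no link state of its own and BIRD only reacts to something it can observe, one workable substitute for Cisco-style keepalives is a small poller that probes the far end through the tunnel and tells BIRD to stop using that tunnel when the probes go unanswered. The script below is an added illustration, not code from this thread or from the BIRD project. It assumes a GRE interface named `vpn0`, an inner tunnel address `10.255.0.2` for the remote side, and a BIRD protocol instance named `ospf_vpn0` bound to that interface; all three are placeholders. It uses `birdc disable`/`enable` on the protocol rather than `ip link set vpn0 down`, because taking the interface down would also stop the probe and the tunnel could never be detected as recovered. The probe uses iputils `ping -W`, so it is Linux-specific.

```shell
#!/bin/sh
# Added example (not from the thread): poll a GRE peer through the tunnel and
# withdraw the tunnel from BIRD when the probes stop coming back.
# IFACE, PEER and PROTO are assumed placeholder values.

IFACE="${IFACE:-vpn0}"          # GRE interface (net.vpn0 in the thread)
PEER="${PEER:-10.255.0.2}"      # assumed inner-tunnel address of the far side
PROTO="${PROTO:-ospf_vpn0}"     # assumed BIRD protocol instance bound to IFACE
FAIL_LIMIT="${FAIL_LIMIT:-3}"   # consecutive lost probes before declaring it dead
OK_LIMIT="${OK_LIMIT:-2}"       # consecutive replies before trusting it again
INTERVAL="${INTERVAL:-5}"       # seconds between probes

# probe: one ICMP echo forced out of the tunnel interface.
# Returns 0 when a reply arrives within 2 s, non-zero otherwise.
probe() {
    ping -c 1 -W 2 -I "$IFACE" "$PEER" >/dev/null 2>&1
}

# evaluate STATE COUNT RESULT -> prints "NEWSTATE NEWCOUNT".
# STATE is up|down, COUNT is the current run of same-sign results,
# RESULT is 0 (reply) or 1 (no reply). The two thresholds give hysteresis
# so a single dropped packet on a flaky DSL line does not flap the tunnel.
evaluate() {
    ev_state=$1; ev_count=$2; ev_result=$3
    case "$ev_state:$ev_result" in
        up:1)   ev_count=$((ev_count + 1))
                if [ "$ev_count" -ge "$FAIL_LIMIT" ]; then ev_state=down; ev_count=0; fi ;;
        up:0)   ev_count=0 ;;
        down:0) ev_count=$((ev_count + 1))
                if [ "$ev_count" -ge "$OK_LIMIT" ]; then ev_state=up; ev_count=0; fi ;;
        down:1) ev_count=0 ;;
    esac
    echo "$ev_state $ev_count"
}

# apply NEWSTATE: tell BIRD to stop or resume using this tunnel.
# The interface stays up so probe() can still see the tunnel recover.
apply() {
    if [ "$1" = down ]; then
        logger -t gre-watch "$IFACE: peer $PEER unreachable, disabling $PROTO"
        birdc disable "$PROTO" >/dev/null
    else
        logger -t gre-watch "$IFACE: peer $PEER reachable again, enabling $PROTO"
        birdc enable "$PROTO" >/dev/null
    fi
}

# watch_tunnel: main loop; acts only on state transitions.
watch_tunnel() {
    wt_state=up; wt_count=0
    while :; do
        if probe; then wt_result=0; else wt_result=1; fi
        wt_new=$(evaluate "$wt_state" "$wt_count" "$wt_result")
        wt_newstate=${wt_new% *}
        wt_count=${wt_new#* }
        if [ "$wt_newstate" != "$wt_state" ]; then apply "$wt_newstate"; fi
        wt_state=$wt_newstate
        sleep "$INTERVAL"
    done
}

# Run the loop only when started with the "run" argument, e.g. from an init
# script: ./gre-watch.sh run
if [ "${1:-}" = run ]; then watch_tunnel; fi
```

Run one copy per tunnel (`IFACE=vpn1 PEER=... PROTO=... ./gre-watch.sh run`). Because the decision is made on replies that actually traversed the GRE interface, a blackholed underlay that still answers at the IP layer is caught, which is exactly the case DPD's 30-second floor handles too slowly here.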