Looks like multicast packets never show up on gif. I see those packets on enc0 on both sides. However, on one side they never show up on gif!
Any ideas? The "problematic side" currently has "set skip on enc0" and "pass all on gif" in pf.conf. Both sides run OpenBSD 5.3.

//mxb

On 28 mar 2013, at 09:26, mxb <m...@alumni.chalmers.se> wrote:

> Hello list,
>
> Anyone have good advice on the <subject>?
>
> I currently have SiteA and SiteB with two OpenBSD machines on each end in an
> active-active setup.
> I also have OSPF on top of gif (on top of IPsec) from each node and a crossover
> between nodes.
>
> fw1.siteA <----gif---> fw1.siteB
> fw2.siteA <----gif---> fw2.siteB
>
> fw1.siteA <----crossover---> fw2.siteA
>
> I occasionally experience "breakdowns" on site-to-site links. It looks like
> ospfd stops talking on gif, but the gifs are up and I'm able to ping each peer.
> ipsecctl shows that the tunnels are up and I can confirm this via tcpdump. "pass
> on enc0 keep state (if-bound)" should not let unencrypted traffic escape
> anyway.
>
> My goal with this setup is to have redundancy and let OSPF decide the routing
> path.
> So the priority is not set in ospfd.conf.
>
> area 0.0.0.0 {
>
>     # siteA-siteB
>     interface gif0 { metric 10 }
>
>     # crossover
>     interface trunk0 { metric 5 }
>
>     # LAN
>     interface carp1 { passive }
>
>     # ANYCAST
>     interface lo1 { metric 5 }
> }
>
> pfsync0: flags=41<UP,RUNNING> mtu 1500
>         priority: 0
>         pfsync: syncdev: trunk0 maxupd: 128 defer: on
>         groups: carp pfsync
>
> //mxb
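For reference, the three legs a pf ruleset has to pass for an OSPF-over-gif-over-IPsec link like the one above: the outer IKE/ESP exchange on the external interface, the gif encapsulation (IP protocol 4) that pf sees on enc0 after decryption, and the OSPF multicast hellos on the gif interface itself. This is an added example, not the original poster's pf.conf; the interface names, the peer address and the macros are assumptions.

```pf
# Added example: pf.conf fragment for one firewall on an OSPF-over-gif-over-IPsec
# link. Interface names, addresses and macro names are assumptions.
ext_if = "em0"
tun_if = "gif0"
peer   = "192.0.2.2"        # assumed outer address of the remote firewall

set skip on lo0

# Leg 1, outer: IKE and ESP between the two firewalls' external addresses.
pass in  on $ext_if proto udp from $peer to ($ext_if) port isakmp
pass out on $ext_if proto udp from ($ext_if) to $peer port isakmp
pass in  on $ext_if proto esp from $peer to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $peer

# Leg 2, decrypted: what pf sees on enc0 is the gif encapsulation
# (IP protocol 4, "ipencap" in /etc/protocols), not the inner OSPF packets.
# if-bound states only match on enc0, so they cannot leak to other interfaces.
pass in  on enc0 proto ipencap from $peer to ($ext_if) keep state (if-bound)
pass out on enc0 proto ipencap from ($ext_if) to $peer keep state (if-bound)

# Leg 3, inner: OSPF hellos are multicast to 224.0.0.5 / 224.0.0.6 from the
# tunnel address, so the gif interface needs its own pass rule for proto ospf.
pass on $tun_if proto ospf
```

Note that with "set skip on enc0" the leg-2 rules are never consulted, so a difference in enc0 filtering between the two ends cannot be ruled out by reading only the gif rules. The useful check is to watch each leg separately on the receiving firewall: `tcpdump -ni enc0 ip proto 4` should show the gif encapsulation arriving after decryption, and `tcpdump -ni gif0 ip proto ospf` should show the decapsulated hellos to 224.0.0.5; `ospfctl show interfaces` and `ospfctl show neighbor` then confirm whether ospfd is seeing them. If packets appear on enc0 but not on gif0, the loss is between decryption and decapsulation, and pf's state table (`pfctl -vvss`) and the gif tunnel endpoints (`ifconfig gif0`) are the next things to compare between the two ends.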