I managed to implement the site-to-site VPN via sec0. ospfd works on sec0.

A couple of comments: when sec0 is created, the default MTU is 1280. I
changed this value to 1500 and tested with ping -D -s .... I see that the
max MTU is 1446 when the underlay network has MTU 1500. So, a scrub
(max-mss 1406) should be configured in PF for outgoing connections. sec0
is quite a bit better than enc0 in this: enc0 has a max MTU of 1444.
Anyway, AFAIK, sec(4) is a quite new interface, so I'm wondering if
fragment reassembly could be possible, to reach a max MTU of 1500 on sec0.
Other interfaces, such as vxlan(4), do fragment reassembly.

Here you can find my configurations for testing.

Host1
------

# cat /etc/iked.conf
ikev2 "server1_rsa" passive \
        from 192.168.4.0/30 to 192.168.4.0/30 \
        local 192.168.3.111 peer 192.168.3.121 \
        srcid server1.domain \
        iface sec0

# cat /etc/hostname.sec0
mtu 1446
192.168.4.1 192.168.4.2 netmask 0xfffffffc
up

Host2
------

# cat /etc/iked.conf
ikev2 'server2_rsa' active \
        from 192.168.4.0/30 to 192.168.4.0/30 \
        peer 192.168.3.111 \
        srcid server2.domain \
        iface sec0

# cat /etc/hostname.sec0
mtu 1446
192.168.4.2 192.168.4.1 netmask 0xfffffffc
up

On Fri, 20 Sep 2024 at 03:16, David Gwynne <da...@gwynne.id.au> wrote:

> On Thu, Sep 19, 2024 at 10:57:42PM +0200, Luca Di Gregorio wrote:
> > I'm running 7.5, I see this alert:
> >
> > # ifconfig sec0 create
> > # ifconfig sec0 tunnel 169.254.229.42/30 169.254.229.41
>
> sorry, this should read:
>
> # ifconfig sec0 inet 169.254.229.42/30 169.254.229.41
>
> i just committed a fix to the manpage.
>
> > ifconfig: error in parsing address string: non-recoverable failure in name
> > resolution
> >
> > I can't configure sec0
> >
> > On Thu, 19 Sep 2024 at 21:32, Luca Di Gregorio <luc...@gmail.com> wrote:
> >
> > > Thanks a lot,
> > >
> > > I'll try it tomorrow. Unfortunately I won't attend EuroBSDCon,
> > > anyway, thanks a lot for the invite.
> > >
> > > On Thu, 19 Sep 2024 at 21:23, Jason Tubnor <ja...@tubnor.net> wrote:
> > >
> > >> Use sec(4) for this. Don't use enc for anything except inspection. If you
> > >> are at EuroBSDCon this weekend, come to my talk as I'll be diving into this
> > >> exact subject.
> > >>
> > >> Cheers,
> > >>
> > >> Jason.
> > >>
> > >> Sent from my iPhone
> > >>
> > >> On 19 Sep 2024, at 7:16 PM, Luca Di Gregorio <luc...@gmail.com> wrote:
> > >>
> > >> I configured a site-to-site vpn with ike2,
> > >> it works for unicast traffic.
> > >>
> > >> I need to enable ospf on the 2 hosts via enc0, but
> > >> ifconfig enc0 shows:
> > >>
> > >> enc0: flags=41<UP,RUNNING>
> > >>         index 2 priority 0 llprio 3
> > >>         groups: enc
> > >>         status: active
> > >>         inet .......
> > >>
> > >> So, ospfd shows, in /var/log/daemon:
> > >>
> > >> ospfd[53563]: if_join_group: error IP_ADD_MEMBERSHIP, interface enc0
> > >> address 224.0.0.5: Can't assign requested address
> > >>
> > >> How can I set the flag MULTICAST on enc0?
> > >> man ifconfig doesn't say how to do it.
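As an added example (not part of the thread above), a small sh script that automates the manual ping -D -s probing Luca describes and derives the tunnel MTU and the pf max-mss value from the result. It assumes IPv4, OpenBSD's ping(8) where -D sets the Don't Fragment bit, and the usual 28-byte IP+ICMP and 40-byte IP+TCP header overheads; probe_ping, find_max_payload and pf_scrub_rule are names chosen here.

```shell
#!/bin/sh
# Added example: find the largest ICMP payload that crosses a tunnel
# without fragmentation, then derive the interface MTU and the pf
# max-mss clamp. Assumes IPv4 and OpenBSD ping(8) (-D = Don't Fragment).

# probe_ping PEER SIZE: one DF ping with SIZE payload bytes; succeeds only
# if a reply came back, i.e. the packet fit through the tunnel unfragmented.
probe_ping() {
    ping -c 1 -D -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload PROBE PEER LO HI: binary-search the largest SIZE in
# [LO, HI] for which "PROBE PEER SIZE" succeeds. PROBE must be monotonic
# (fits up to some size, fails above it). Prints the size; exit 1 if even
# LO does not fit.
find_max_payload() {
    probe=$1; peer=$2; lo=$3; hi=$4
    "$probe" "$peer" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$peer" "$mid"; then
            lo=$mid              # mid fits: the answer is >= mid
        else
            hi=$((mid - 1))      # mid too big: the answer is < mid
        fi
    done
    echo "$lo"
}

# payload_to_mtu SIZE: ICMP payload -> IPv4 MTU (20-byte IP + 8-byte ICMP).
payload_to_mtu() { echo $(( $1 + 28 )); }

# mtu_to_mss MTU: largest TCP MSS that fits (20-byte IPv4 + 20-byte TCP).
mtu_to_mss() { echo $(( $1 - 40 )); }

# pf_scrub_rule IFACE MTU: the pf.conf match rule that clamps MSS on IFACE.
pf_scrub_rule() {
    printf 'match on %s scrub (max-mss %s)\n' "$1" "$(mtu_to_mss "$2")"
}

# Usage: ./probe-mtu.sh 192.168.4.2   (the sec0 peer address from the thread)
if [ "$#" -eq 1 ]; then
    payload=$(find_max_payload probe_ping "$1" 1200 1472) || exit 1
    mtu=$(payload_to_mtu "$payload")
    echo "max unfragmented payload $payload bytes -> mtu $mtu"
    pf_scrub_rule sec0 "$mtu"
fi
```

With the thread's numbers (tunnel MTU 1446) the largest payload found is 1418 and the emitted rule is "match on sec0 scrub (max-mss 1406)".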