From: James Lott <james@lottspot.com>
To: freebsd-net@freebsd.org
Subject: Re: Ethernet tunneling options under FreeBSD
Date: Sun, 16 Aug 2015 07:20:17 -0700
Message-ID: <4557283.4pSJrcFaUO@arch_project>
In-Reply-To: <55D0961C.7090107@freebsd.org>
References: <55CD1CE6.2010502@lottspot.com> <3236701.dypBHjs8Lg@arch_project> <55D0961C.7090107@freebsd.org>

>
> I have, in the past, used UDP packets to encapsulate ethernet frames,
> and tunnelled them over a PPP link using mpd.
> I don't have specifics any more. I think there may be support in
> Openvpn for what you want but I've never tried it.
>

How interesting... That is definitely something worth looking into then.

OpenVPN is fine, and I will probably use it as a component in the big picture of my solution, but it's honestly not my favorite solution to manage, so I would prefer to have as few clients on it as possible.

Although I really was gunning for a pure kernel space solution, what I think I'm going to end up using as the centerpiece of this network is tinc. Its mesh networking is really what won me over. If I could find a decent way to secure vxlans over the open internet, I would probably have gone that route instead.

On Sunday, August 16, 2015 21:54:36 Julian Elischer wrote:
> On 8/15/15 10:40 AM, James Lott wrote:
> >> you haven't really described the network well enough..
> >> try an ascii-art diagram (don't forget to set fixed width font :-)
> >> a VPN requires two ends.. one is FreeBSD... what's the other?
> >
> > The thing is, the "other" could be any number of operating systems. I'm
> > looking for a tunneling protocol with good cross-platform representation,
> > but the higher priority is ensuring it tunnels ethernet frames.
> >
> > For the sake of example we can say the other end is a FreeBSD host, since
> > FreeBSD is looking like the "lowest common denominator" on this topic.
> >
> >> if both ends are FreeBSD there are dozens of possibilities..
> >> for example:
> >> ng_eif->netgraph->ppp->ipsec->ppp->netgraph->ng_eif
> >>
> >> ng_eif->ng_ksock(udp)->IPsec->ng_ksock->ng_eif
> >
> > I'm not overly concerned with the host side interfaces. What I'm really
> > concerned with is the tunneling protocol since that's what will need
> > support on all of my platforms. Thus, a solution requiring netgraph on
> > both ends is not an option in my case.
> >
> >> tap->ppp->ppp->tap
> >
> > I have not found any ppp implementations under FreeBSD which support BCP.
> > To my understanding, that's the only method by which ethernet frames can
> > be tunneled over ppp... if I'm wrong, please do correct me! I would love
> > nothing more than to be wrong about that :)
>
> I have, in the past, used UDP packets to encapsulate ethernet frames,
> and tunnelled them over a PPP link using mpd.
> I don't have specifics any more. I think there may be support in
> Openvpn for what you want but I've never tried it.
>
> >
> > On Friday, August 14, 2015 23:16:41 Julian Elischer wrote:
> >> On 8/14/15 6:40 AM, James Lott wrote:
> >>> Hello list,
> >>>
> >>> I am in the process of planning a build out of a L2 VPN, in which
> >>> I'd like to have my primary "switch" and DHCP server be a FreeBSD
> >>> system. I would like to join each new host to the VPN by
> >>> establishing an IP tunnel with the primary "switch" which transports
> >>> ethernet frames over the tunnel.
> >>
> >> you haven't really described the network well enough..
> >> try an ascii-art diagram (don't forget to set fixed width font :-)
> >> a VPN requires two ends.. one is FreeBSD... what's the other?
> >>
> >>> So far, the only protocol I have found supported by FreeBSD which
> >>> seems capable of this is EtherIP. As far as I can tell, it doesn't
> >>> look like there is any support for L2TPv3, and none of the PPP
> >>> implementations available appear to support BCP.
> >>>
> >>> I'm not completely opposed to using EtherIP, but if there is
> >>> something more modern which will meet my needs, I would probably try
> >>> that first. So my question becomes:
> >>>
> >>> * Does anyone know of a method supported under FreeBSD (other than
> >>>   EtherIP) for tunneling ethernet over IP that they may be able to
> >>>   suggest I check out?
> >>
> >> if both ends are FreeBSD there are dozens of possibilities..
> >> for example:
> >> ng_eif->netgraph->ppp->ipsec->ppp->netgraph->ng_eif
> >>
> >> ng_eif->ng_ksock(udp)->IPsec->ng_ksock->ng_eif
> >>
> >> tap->ppp->ppp->tap
> >>
> >>> Thanks for any suggestions!
> >>> _______________________________________________
> >>> freebsd-net@freebsd.org mailing list
> >>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> >>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
James Lott
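Since EtherIP is the one option in this thread that every platform seems to have, here is the framing it uses, as an added example that is neither code from the thread nor FreeBSD's own implementation: RFC 3378 prefixes the raw Ethernet frame with a two-byte header (version 3 in the top four bits, twelve reserved bits that must be zero) and carries it as IP protocol 97, with no authentication or encryption of its own, which is why the netgraph chains quoted above stack IPsec under the tunnel. The ARP frame below is constructed; the encoder and the receive-side validator are assumed helper names.

```python
"""EtherIP (RFC 3378) framing: encapsulate an Ethernet frame, validate on receipt.

Constructed example; not code from the mailing-list thread or from FreeBSD.
"""
import struct

ETHERIP_VERSION = 3      # RFC 3378: version field is always 3
IPPROTO_ETHERIP = 97     # IP protocol number that carries EtherIP
ETH_HDR_LEN = 14         # dst MAC (6) + src MAC (6) + EtherType (2)

# Constructed sample: a broadcast ARP request (EtherType 0x0806) from 02:00:00:00:00:01;
# 46 zero bytes stand in for the ARP body so the frame reaches the 60-byte minimum.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                + b"\x08\x06" + bytes(46))


def etherip_encap(frame: bytes) -> bytes:
    """Prefix an Ethernet frame with the EtherIP header (version 3, reserved bits 0)."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("not an Ethernet frame")
    return struct.pack("!H", ETHERIP_VERSION << 12) + frame


def etherip_decap(payload: bytes) -> tuple[dict, bytes]:
    """Parse the bytes after the IP header. Raises ValueError on anything a receiver
    should drop: short header, wrong version, nonzero reserved bits, truncated frame."""
    if len(payload) < 2:
        raise ValueError("short EtherIP header")
    (vr,) = struct.unpack("!H", payload[:2])
    version, reserved = vr >> 12, vr & 0x0FFF
    if version != ETHERIP_VERSION:
        raise ValueError(f"bad EtherIP version {version}")
    if reserved != 0:
        raise ValueError("reserved bits set")
    frame = payload[2:]
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    meta = {
        "dst": frame[:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }
    return meta, frame


def rejects(payload: bytes) -> bool:
    """True if the receive-side validator would drop this EtherIP payload."""
    try:
        etherip_decap(payload)
        return False
    except ValueError:
        return True
```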