From owner-freebsd-net@FreeBSD.ORG Wed Jul 9 15:45:41 2008
Message-Id: <200807091545.m69FjcP4031350@lava.sentex.ca>
Date: Wed, 09 Jul 2008 11:45:35 -0400
From: Mike Tancsa <mike@sentex.net>
To: zaphod@fsklaw.com, freebsd-net@freebsd.org
In-Reply-To: <7904ac587e71a42fb86c2bbe77bde0ae.squirrel@cor>
References: <8f7879db41dbaecc479a017110e8f32f.squirrel@cor> <200807040155.m641tl8s000607@lava.sentex.ca> <7904ac587e71a42fb86c2bbe77bde0ae.squirrel@cor>
Subject: Re: Tunneling issues
List-Id: Networking and TCP/IP with FreeBSD

At 11:21 AM 7/9/2008, zaphod@fsklaw.com wrote:
>I agree it should work. But it's not. With respect to the next two
>questions, yes and yes.

Can you post some of the configs you are using for 3 of the sites so we can perhaps spot the problem(s) you are having? I have a similar setup with 5 sites, all talking to each other via IPSEC tunnels. It's a lot of policies, but they work just fine.

>I'm not a huge fan of OpenVPN, but the bigger issue is that the gif
>tunnels come up at boot up. As well as routes. Given the client server
>nature of OpenVPN it is suitable, because if a server reboots, I'm not
>certain a client would auto re-connect.

We have ~400 sites running OpenVPN across Canada that all reconnect just fine after reboots / power cycles etc. We don't let the clients talk to each other, but that would just be a config change to allow that to work.

---Mike
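As an added illustration of the "lot of policies" a full mesh of IPsec-linked sites implies (example script, not from the thread or from any of the posters' configs), the POSIX sh below generates the setkey(8) SPD entries one gateway needs to reach every other site; the site names, gateway addresses and LAN prefixes are constructed sample data, and the output file location is only the conventional FreeBSD one.

```sh
#!/bin/sh
# Generate the setkey(8) security-policy entries a gateway needs for a
# full mesh of sites. All site data below is constructed sample data.
# Format of each line: name gateway_ip private_lan
SITES="siteA 198.51.100.1 10.1.0.0/16
siteB 198.51.100.2 10.2.0.0/16
siteC 198.51.100.3 10.3.0.0/16"

# site_field NAME N : print field N (2 = gateway, 3 = LAN) of site NAME.
site_field() {
    printf '%s\n' "$SITES" | awk -v n="$1" -v f="$2" '$1 == n { print $f }'
}

# mesh_policies LOCAL : print the spdadd lines for the gateway named LOCAL.
# Every remote site needs one 'out' and one 'in' policy, each requiring
# tunnel-mode ESP between the two public gateway addresses ('require'
# means traffic matching the selector is dropped rather than sent in the
# clear if no SA exists). A mesh of N sites therefore carries 2*(N-1)
# policies per gateway and N*(N-1) across the whole mesh.
mesh_policies() {
    lgw=$(site_field "$1" 2)
    llan=$(site_field "$1" 3)
    [ -n "$lgw" ] || { echo "unknown site: $1" >&2; return 1; }
    printf '%s\n' "$SITES" | while read -r name rgw rlan; do
        [ "$name" = "$1" ] && continue
        printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
            "$llan" "$rlan" "$lgw" "$rgw"
        printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
            "$rlan" "$llan" "$rgw" "$lgw"
    done
}

# policy_count LOCAL : number of spdadd lines emitted for LOCAL.
policy_count() { mesh_policies "$1" | wc -l | tr -d ' '; }

# Typical use on gateway siteA (path is the FreeBSD rc default ipsec_file):
#   mesh_policies siteA > /etc/ipsec.conf && setkey -f /etc/ipsec.conf
```

Comparing `setkey -DP` output against what this generator emits for each gateway is a quick way to spot a site whose policy set is missing one direction.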