tech-net archive


Re: racoon, IKEv1 and multiple ipsec clients behind NAT



On October 20, 2022 4:16:45 PM UTC, Gert Doering <gert%greenie.muc.de@localhost> wrote:
>Hi,
>
>On Thu, Oct 20, 2022 at 04:02:30PM +0000, Mathew, Cherry G. wrote:
>> On October 20, 2022 1:24:36 PM UTC, Gert Doering <gert%greenie.muc.de@localhost> wrote:
>> >On Thu, Oct 20, 2022 at 01:19:39PM +0000, Mathew, Cherry G. wrote:
>> >> In the end I went with l2tp(4) over OpenVPN over tor.
>> >
>> >What exactly are you trying to build here?
>> >
>> >As in, is there anything L2TP provides that OpenVPN can not do?
>> 
>> One of my goals is to setup a virtual lan across my devices that are physically located at various locations.  OpenVPN doesn't seem to provide this seamlessly, last I checked.
>
>It does :-) - look into --dev tap, which will provide virtual ethernet
>interfaces.  These can then be bridge(4)ed together.
>

So I remember now why I had dropped OpenVPN 'dev tap' originally - couldn't get TAP to work on NetBSD - the tap device claims "no carrier" - but attempting to open this corresponding dev node fails. Was there any special magic other than removing the "ifconfig" line?

The carrot is that tap(4) and vether(4) are broadcast aware while l2tp(4) is not - only multicast aware.

>Normally you'd not use that for road warrior access type - you'd just
>design a second IP segment for "this is VPN" and setup routing on
>all boxes involved to move packets back and forward how you need them.
>

I'm facing a separate problem - severe throughput loss (I get about 10% of either segment individually - what connects them is an npf(4) NAT). Will MTU be a factor for this kind of traffic path? What's a recommended size for non-fragmenting transmission? 1500 octets?

...
>We do throughput testing with iperf3, and by "plain ftp download".
>
>Do not use samba shares, as the protocol is too much impaired by latency.
>

Thank you.
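On the MTU question raised in this message, here is an added worked example (not code from this thread, from NetBSD or from OpenVPN). It models the per-layer encapsulation overhead of the two stacks discussed, tap(4) over OpenVPN/UDP and l2tp(4) carried over an OpenVPN tun link, computes the inner MTU that avoids fragmentation of the outer packet, and discovers the outer path MTU with a binary search over don't-fragment probes, run here against a constructed path rather than a live network. The IP, UDP, ICMP and Ethernet header sizes are the protocol constants; the 25-byte OpenVPN data-channel overhead is an assumed placeholder (it depends on cipher, auth and compression), and the l2tp(4) figures assume IP-mode L2TPv3 framing (4-byte session ID plus an optional cookie). All function names are this example's own.

```python
"""Tunnel MTU budget plus a binary-search path-MTU probe (added example).

Not code from the thread, NetBSD or OpenVPN.  Header sizes for IP, UDP,
ICMP and Ethernet are protocol constants; the OpenVPN overhead is an
ASSUMED placeholder and the l2tp(4) values assume IP-mode L2TPv3 framing.
Measure on the real link before relying on any number here.
"""
from dataclasses import dataclass
from typing import Callable, List

IPV4_HDR = 20      # IPv4 header without options
IPV6_HDR = 40
UDP_HDR = 8
ICMP_HDR = 8       # echo request/reply header
ETHERNET_HDR = 14  # dst, src, ethertype; no 802.1Q tag, FCS not counted
L2TPV3_IP_SESSION_HDR = 4           # session ID; cookie is extra
OPENVPN_DATA_OVERHEAD_ASSUMED = 25  # ASSUMPTION, not a measured value


@dataclass(frozen=True)
class Layer:
    name: str
    overhead: int


def openvpn_udp_stack(ipv6: bool = False,
                      openvpn_overhead: int = OPENVPN_DATA_OVERHEAD_ASSUMED) -> List[Layer]:
    """Headers OpenVPN-over-UDP wraps around each tunneled unit."""
    return [
        Layer("outer IP", IPV6_HDR if ipv6 else IPV4_HDR),
        Layer("UDP", UDP_HDR),
        Layer("OpenVPN data channel", openvpn_overhead),
    ]


def tap_stack(**kw) -> List[Layer]:
    """OpenVPN --dev tap: whole Ethernet frames are tunneled."""
    return openvpn_udp_stack(**kw) + [Layer("Ethernet", ETHERNET_HDR)]


def l2tp_over_openvpn_tun_stack(cookie_len: int = 0, **kw) -> List[Layer]:
    """l2tp(4) in IP mode carried across an OpenVPN --dev tun link."""
    return openvpn_udp_stack(**kw) + [
        Layer("l2tp transport IP", IPV4_HDR),
        Layer("l2tp session header", L2TPV3_IP_SESSION_HDR + cookie_len),
        Layer("Ethernet", ETHERNET_HDR),
    ]


def total_overhead(stack: List[Layer]) -> int:
    return sum(layer.overhead for layer in stack)


def inner_mtu(path_mtu: int, stack: List[Layer]) -> int:
    """Largest IP packet the innermost interface can carry while the outer
    packet still fits path_mtu, i.e. the MTU to configure on that interface."""
    budget = path_mtu - total_overhead(stack)
    if budget <= 0:
        raise ValueError("encapsulation overhead exceeds path MTU")
    return budget


def fits(inner_len: int, path_mtu: int, stack: List[Layer]) -> bool:
    """True if an inner packet of inner_len bytes leaves without fragmentation."""
    return inner_len + total_overhead(stack) <= path_mtu


def df_ping_payload(ip_packet_len: int) -> int:
    """ICMP data size that makes a don't-fragment ping produce an IPv4 packet
    of exactly ip_packet_len bytes (see ping(8) for the DF option)."""
    return ip_packet_len - IPV4_HDR - ICMP_HDR


def discover_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 9000) -> int:
    """Binary search for the largest packet length probe() delivers.

    probe(n) returns True when an n-byte don't-fragment packet gets through.
    lo must succeed (576 bytes is what every IPv4 host must accept); if hi
    itself succeeds the real path MTU is at least hi.
    """
    if not probe(lo):
        raise ValueError(f"even {lo}-byte probes are dropped")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_path(hop_mtus: List[int]) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: a DF packet passes only if no hop
    has a smaller MTU.  On a live network the probe would send a DF ping."""
    limit = min(hop_mtus)
    return lambda n: n <= limit


def recommend_inner_mtu(probe: Callable[[int], bool], stack: List[Layer]) -> int:
    """Probe the outer path, then subtract the stack's overhead."""
    return inner_mtu(discover_path_mtu(probe), stack)


if __name__ == "__main__":
    path = simulated_path([1500, 1400, 1500])  # constructed: one 1400-byte hop
    for name, stack in (("tap over OpenVPN/UDP", tap_stack()),
                        ("l2tp(4) over OpenVPN tun", l2tp_over_openvpn_tun_stack())):
        print(f"{name}: overhead {total_overhead(stack)} bytes, "
              f"set inner MTU to {recommend_inner_mtu(path, stack)}")
    print("DF ping payload for a 1500-byte packet:", df_ping_payload(1500))
```

The point of the budget is that a 1500-octet inner packet can never be "non-fragmenting" once it is wrapped: every layer in the stack eats part of the outer 1500, so either the inner interface MTU comes down by the total overhead, or the outer packet fragments (or is dropped, when DF is set and a smaller hop sits in the path, which is exactly the case the probe loop detects).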



