Re: racoon, IKEv1 and multiple ipsec clients behind NAT

To: "Mathew, Cherry G." <c%bow.st@localhost>
Subject: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
From: Gert Doering <gert%greenie.muc.de@localhost>
Date: Sat, 22 Oct 2022 22:57:04 +0200

Hi,

On Sat, Oct 22, 2022 at 08:09:15PM +0000, Mathew, Cherry G. wrote:
> >It does :-) - look into --dev tap, which will provide virtual ethernet
> >interfaces.  These can then be bridge(4)ed together.
> 
> So I remember now why I had dropped OpenVPN 'dev tap' originally
> - couldn't get TAP to work on NetBSD - the tap device claims "no
> carrrier" - but attempting to open this corresponding Dev node
> fails. Was there any special magic other than removing the "ifconfig"
> line ?

I haven't tried combining bridge(4), tap(4) and openvpn together in
NetBSD, so I'm not sure if that causes new and interesting caveats.

"Plain tap" is part of our openvpn CI suite on NetBSD - so that should
work just fine.

From what I just read in the manpage, it *should* work like this

 - create a bridge with "ifconfig create bridge0" (?)
 - create a tap interface with "ifconfig create tap0"
 - bridge them together with "brconfig"
    brconfig bridge0 add tap0
    brconfig bridge0 add ethernet0 << whatever the device is
 - put the LAN IP config on "bridge0"
 - run OpenVPN with "--dev tap0" (not "dev tap", which will create
   the "next free one"), so it will use the already existing tap0


> >Normally you'd not use that for road warrier access type - you'd just
> >designed a second IP segment for "this is VPN" and setup routing on
> >all boxes involved to move packets back and forward how you need them.
> 
> I'm facing a separate problem - severe throughput loss (I get about 10% of either segment individually - what connects them is an npf(4) NAT.  Will MTU be a factor for this kind of traffic path ? What's a recommended size for non fragmenting transmission ? 1500octets ?

You'll end up with fragmentation at some point, until you can manage to
get your LAN MTU below WAN - tunneling overhead.  Sometimes, WAN with
>1500 can be made to work, or you do mssfix to ensure TCP will use
small-enough packets.

gert 

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert%greenie.muc.de@localhost

Follow-Ups:
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mouse
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mathew, Cherry G.

References:
- racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mathew, Cherry G.*
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Gert Doering
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mathew, Cherry G.
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Gert Doering
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mathew, Cherry G.
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Gert Doering
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mathew, Cherry G.

Prev by Date: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Next by Date: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Previous by Thread: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Next by Thread: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Indexes:

Home | Main Index | Thread Index | Old Index