The solution seems to be to run on top of vether(4).

On 3 apr 2013, at 22:54, mxb <m...@alumni.chalmers.se> wrote:
> Looks like multicast packets never show up on gif.
> I see those packets on enc0 on both sides.
> However, on one side they never show up on gif!
>
> Any ideas?
> The "problematic side" currently has "set skip on enc0" and "pass all on gif" in pf.conf.
>
> Both sides run OpenBSD 5.3.
>
> //mxb
>
> On 28 mar 2013, at 09:26, mxb <m...@alumni.chalmers.se> wrote:
>
>> Hello list,
>>
>> Anyone have good advice on the <subject>?
>>
>> I currently have SiteA and SiteB with two OpenBSD machines on each end in an active-active setup.
>> I also have OSPF on top of gif (on top of IPsec) from each node, and a crossover between nodes.
>>
>> fw1.siteA <----gif---> fw1.siteB
>> fw2.siteA <----gif---> fw2.siteB
>>
>> fw1.siteA <----crossover---> fw2.siteA
>>
>> I occasionally experience "breakdowns" on site-to-site links. It looks like ospfd stops talking on gif, but the gifs are up and I'm able to ping each peer.
>> ipsecctl shows that the tunnels are up and I can confirm this via tcpdump. "pass on enc0 keep state (if-bound)" should not let unencrypted traffic escape anyway.
>>
>> My goal with this setup is to have redundancy and let OSPF decide the routing path.
>> So the priority is not set in ospfd.conf.
>>
>> area 0.0.0.0 {
>>
>>     # siteA-siteB
>>     interface gif0 { metric 10 }
>>
>>     # crossover
>>     interface trunk0 { metric 5 }
>>
>>     # LAN
>>     interface carp1 { passive }
>>
>>     # ANYCAST
>>     interface lo1 { metric 5 }
>> }
>>
>> pfsync0: flags=41<UP,RUNNING> mtu 1500
>>         priority: 0
>>         pfsync: syncdev: trunk0 maxupd: 128 defer: on
>>         groups: carp pfsync
>>
>> //mxb