On Fri, Mar 15, 2019 at 04:44:52PM +1000, David Gwynne wrote:

> 
> 
> > On 15 Mar 2019, at 16:37, Otto Moerbeek <o...@drijf.net> wrote:
> > 
> > On Fri, Mar 15, 2019 at 04:15:55PM +1000, David Gwynne wrote:
> > 
> >> 
> >> 
> >>> On 14 Mar 2019, at 19:36, Otto Moerbeek <o...@drijf.net> wrote:
> >>> 
> >>> Hi,
> >>> 
> >>> So I have a little IPv6 problem.
> >>> 
> >>> I have a machine in colocation that has IPv6. I have my home cable
> >>> modem connection that does not have it.
> >>> 
> >>> So I thought: I make my own tunnel. First I tried gif(4), that worked,
> >>> but only after some fighting with mtu settings on all hosts on my home
> >>> net via rad.  Performance was kinda bad. So I'm looking for an
> >>> alternative. I thought: IPSEC should be able to do this.
> >>> 
> >>> I have a flow from my locally created IPv6 net to any and vice versa.
> >>> The flow itself works.
> >>> 
> >>> There I ran into the trouble that you cannot specify a default
> >>> gateway, since my remote gw (the host in colo) is not reachable
> >>> according to route(8).
> >>> 
> >>> How does one solve the default route problem?  I never really
> >>> understood how routing works in the presence of IPSEC flows.
> >> 
> >> Can you elaborate on what gif and slow meant? Also, you should be able to 
> >> use gif with whatever MTU you want, even 1500 on the gif interface and 
> >> fragments over the internet. You could also try gre, but I doubt it would 
> >> be different to gif in terms of performance and support for 
> >> MTU/fragmentation.
> >> 
> >> If you want ipsec and routes, you would still use tunnel and get IPsec to 
> >> protect it. Or you could trick someone into making something like Cisco's 
> >> vti a thing in OpenBSD.
> >> 
> >> dlg
> > 
> > gif tunnel:
> > 
> > ifconfig gif0 inet6 2a02:898:216:3::2 2a02:898:216:3::1 prefixlen 128
> > 
> > and vice versa on the other end.
> > 
> > So gif tunnel with default options. With that it showed an mtu of
> > 1280 in ifconfig so I assumed that would be the max. I have a
> > 200 Mb/s cable connection. Downloading IPv4 I reach that. With IPv6
> > often it would be 10% of that. Plus it would only work reliably if the
> > hosts in my net use an mtu of 1280 (manually or via rad).
> 
> I wonder why PMTUD isn't working in this situation.
> 
> > I now have a ipsec tunnel and that does 55 Mb/s (APU2 on both
> > ends) without any need for config on the hosts in my local net.
> 
> Did you have to clamp your internal MTU for that to work too?

Nope, like I said nothing special. I run rad without any options on
the gw and just inet6 autoconf on the hosts.

> 
> dlg
