Tunneling problem

**radus** · 04-21-2005

Hello,

I have a big problem regarding tunneling.
I have 2 servers running FreeBSD 5.2 , each server has a private network behind .
I have configured the tunnel like this:

gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet 81.a.b.c --> 81.d.e.f
inet 192.168.100.4 --> 192.168.101.111 netmask 0xffffff00

and on the other :

gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet 81.d.e.f --> 81.a.b.c
inet 192.168.101.111 --> 192.168.100.4 netmask 0xffffff00

Everything seems ok, but after some minutes there is no more connectivity between the two private networks ....
I observed that depends in which order I "ping" the other server...
Between the real IP's there is always connectivity and "ping" responds ok.

Any idea ?

Thanks a lot

radus

**cbogdan** · 04-21-2005

Did you route the networks ?

If I understood Your topology, then:

ifconfig gif0 create
ifconfig gif0 tunnel 81.a.b.c 81.d.e.f
ifconfig gif0 inet 192.168.100.4 192.168.101.111 netmask 255.255.255.255
route add -net 192.168.101.0/24 192.168.101.111

ifconfig gif0 create
ifconfig gif0 tunnel 81.d.e.f 81.a.b.c
ifconfig gif0 inet 192.168.101.111 192.168.100.4 netmask 255.255.255.255
route add -net 192.168.100.0/24 192.168.100.4

**radus** · 04-22-2005

Thanks cbogdan for the answer.
I made exactly what did you say, but it is the same problem. If I ping 192.168.100.4 from host B to host A, is corectly working, and for about 10 min I am able to do the same thing on the other gateway machine (ping 192.168.101.111 from host B to host A). But if I ping for the first time(or after 10 min from the first ping from the other gateway) from A to B (instead of B to A) it doesn't work and I have to wait about 10 min to have a chance to ping succesfuly from B to A
It is true that I have a firewall in front of A host, but between the real IP's there is always connectivity and "ping" responds ok.

**jlmiller** · 04-23-2005

Radus,
Not sure if this will help, but in the Cisco world of tunneling we use a keepalive directive to keep the tunnel up. Even though one is setup as the initiator. Just make sure you have a route to the remote network on both servers so that they (meaning both) knows how to get to each others network. What it sounds like to me is that since you initiated a ping from one end you've established the connection and therefore you get the response. After a period of time the link drops and if there is no traffic going through the tunnel it'll take "interesting traffic" to bring the link up again. Since the link is down from the remote network it's the same thing happening. So it appears that you need some kind of "keepalive" packet happening.

**cbogdan** · 04-23-2005

jlmiller has to be right, seems to be a keepalive problem. Try to
update kernel tcp_keepalive parameter (i'm not sure this will solve
the problem):

sysctl net.inet.tcp.always_keepalive: 1 and, moreover,
tcp_keepalive=YES in /etc/rc.conf

But first of all, verify every rule in your gateway/firewall which
could affect that behaviour.

Thread Tools

Display

Tunneling problem

Tunneling

Posting Permissions