Differences

This shows you the differences between two versions of the page.

--- documentation:examples:gre_ipsec_and_openvpn [2020/01/13 14:17] – [Router 2] olivier
+++ documentation:examples:gre_ipsec_and_openvpn [2020/09/15 16:21] – [Router 2] olivier
@@ Line 238: / Line 238: @@
 If you have previous gre configuration from the gre example: remove them.
-Here is the line to ADD to /etc/rc.conf file:
 <code>
@@ Line 252: / Line 250: @@
 service routing restart
 config save
+</code>
+Take care of avoiding fragmentation, TCP-MSS should be reduced on a gif using inet6, like with this pf.conf example:
+<code>
+[root@VM2]~# cat /etc/pf.conf
+set skip on lo0
+scrub on gif1 inet all max-mss 1200
+scrub on gif1 inet6 all max-mss 1180
+pass
 </code>
 ==== Router 4 ====
@@ Line 257: / Line 264: @@
 Configure the 2 gif tunnel using VM2 addresses as end-point.
-Here are the changes to apply to rc file:
 <code>
 sysrc cloned_interfaces="gif0 gif1"
@@ Line 1054: / Line 1060: @@
 passwd
 </code>
-==== VM4: OpenVPN client ====
-As OpenVPN client, VM4 should get these files from VM2 and put them in /usr/local/etc/openvpn:
+Now Generate client configuration file with embedded certificates:
-  * ca.crt
-  * VM4.crt
-  * VM4.key
-On this lab, scp can be used for getting these files:
 <code>
-mkdir /usr/local/etc/openvpn
+cat > /usr/local/etc/openvpn/VM4-openvpn.conf <<'EOF'
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/ca.crt /usr/local/etc/openvpn
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/issued/VM4.crt /usr/local/etc/openvpn
-scp 10.0.23.2:/usr/local/etc/easy-rsa/pki/private/VM4.key /usr/local/etc/openvpn
-</code>
-Configure openvpn as a client:
-<code>
-cat > /usr/local/etc/openvpn/openvpn.conf <<'EOF'
 client
 dev tun
 remote 10.0.23.2
-ca ca.crt
+<ca>
-cert VM4.crt
-key VM4.key
 'EOF'
+cat /usr/local/etc/easy-rsa/pki/ca.crt >> /usr/local/etc/openvpn/VM4-openvpn.conf
+echo '</ca>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
+echo '<cert>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
+cat /usr/local/etc/easy-rsa/pki/issued/VM4.crt >> /usr/local/etc/openvpn/VM4-openvpn.conf
+echo '</cert>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
+echo '<key>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
+cat /usr/local/etc/easy-rsa/pki/private/VM4.key >> /usr/local/etc/openvpn/VM4-openvpn.conf
+echo '</key>' >> /usr/local/etc/openvpn/VM4-openvpn.conf
 </code>
+==== VM4: OpenVPN client ====
+As OpenVPN client, VM4 should get its openvpn configuration file (that embedded certificate and key) from VM2 and put them in /usr/local/etc/openvpn.
+On this lab, scp can be used for getting these files:
+<code>
+mkdir /usr/local/etc/openvpn
+scp 10.0.23.2:/usr/local/etc/openvpn/vm4-openvpn.conf /usr/local/etc/openvpn/openvpn.conf
+</code>
 Enable and start openvpn:
@@ Line 1222: / Line 1230: @@
 Pinging VM5 from VM1:
+<code>
+[root@VM1]~# ping -c2 10.0.45.5
+PING 10.0.45.5 (10.0.45.5): 56 data bytes
+bytes from 10.0.45.5: icmp_seq=0 ttl=62 time=2.135 ms
+bytes from 10.0.45.5: icmp_seq=1 ttl=62 time=0.783 ms
+--- 10.0.45.5 ping statistics ---
+packets transmitted, 2 packets received, 0.0% packet loss
+round-trip min/avg/max/stddev = 0.783/1.459/2.135/0.676 ms
+[root@VM1]~# ping6 -c2 2001:db8:45::5
+PING6(56=40+8+8 bytes) 2001:db8:12::1 --> 2001:db8:45::5
+bytes from 2001:db8:45::5, icmp_seq=0 hlim=62 time=1.779 ms
+bytes from 2001:db8:45::5, icmp_seq=1 hlim=62 time=0.764 ms
+--- 2001:db8:45::5 ping6 statistics ---
+packets transmitted, 2 packets received, 0.0% packet loss
+round-trip min/avg/max/std-dev = 0.764/1.272/1.779/0.507 ms
+</code>