Open source multipoint VPN with VyOS

Connected Mesh

IPv6

The list of limitations grows: VRRP on VyOS hates IPv6 addresses. Also the VPN tunnel accepts only an IPv6 address if it doesn't operate in multipoint mode. In summary, IPv6 in VyOS is absolutely not ready for prime time.

Optimization: Timer Tuning

Keep the time to recover from a failure at a minimum by fine-tuning timers and thresholds. Low values for a keepalive interval should only be used for a stable Internet link; otherwise, every lost packet will trigger a failover.

All values for VRRP, OSPF, and the Dead Peer Detection (DPD) for VPN must work hand in hand. For VRRP, a small timeout is acceptable because the LAN has virtually no packet loss. The idea behind DPD is to detect an inactive or faulty tunnel and to rebuild the tunnel before OSPF notices and starts a failover.

DPD and OSPF operate in the WAN and require higher timeouts. A good start is 30 seconds for DPD and 40 seconds for OSPF. If the DMVPN environment is running smoothly, try to lower the values. If the WAN is flappy and unstable, also try timeouts greater than a minute. Sometimes it is just about trying which values works best.

Which MTU Is the Best?

An IPsec VPN has lots of headers (Table 1; Figure 4). The size depends on the WAN technology and chosen cryptographic algorithm. Despite their size, they have one thing in common: They reduce the maximum transmission unit (MTU). However, don't ignore the MTU setting, because OSPF expects the same MTU value on both ends of a link, and an inappropriate MTU can lower the throughput of the VPN tunnel.

Table 1

GRE Tunnel with IPsec Headers

Header Size (bytes)
TCP/UDP 20
IPv4 20
   GRE 8
   IPv4 20
       ESP 40
       IPv4 20
           PPPoE 8
Total 112
Figure 4: A small packet contains more header than data.

To pick an MTU value, you can use one of two ways: (1) choose a low but safe value of 1,400 bytes or (2) calculate the MTU with a web-based MTU calculator [8] and test it. When applied to the tunnel, validate the setting with:

ping IP -l 1450 -f

The demonstration network uses an MTU of 1,450 bytes.

A third option to detect the MTU automatically with Path MTU Discovery was not reliable during lab testing and has introduced issues when forming OSPF neighborships.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Routing with Quagga

    Cisco and Juniper have implemented routing protocols to help your router find the optimum path. On Linux, you can use software like Quagga, with its Zebra daemon, to help automate this process.

  • Flexible software routing with open source FRR
    The FRR open routing stack can be integrated into many networks because it supports a large number of routing protocols, though its strong dependence on the underlying kernel means it requires some manual configuration.
  • IPv6 tunnel technologies
    Now that IPv6 is the official Internet protocol, all that remains is the simple task of migrating all the machines on the Internet. Until that happens, tunnel technologies provide an interim solution.
  • GENEVE network tunneling protocol
    LAN data transmission has evolved from the original IEEE 802.3 standard to virtual extensible LAN (VXLAN) technology and finally to today's Generic Network Virtualization Encapsulation (GENEVE) tunneling protocol, which offers improved flexibility and scalability, although it still faces some issues. We look at the three technologies and their areas of application.
  • Border Gateway Protocol
    We look at the Border Gateway Protocol, how it routes packets through the Internet, its weaknesses, and some hardening strategies.
comments powered by Disqus