… | |
… | |
237 | other programs. |
237 | other programs. |
238 | |
238 | |
239 | The default is 47 (GRE), which has a good chance of tunneling |
239 | The default is 47 (GRE), which has a good chance of tunneling |
240 | through firewalls (but note that gvpe's rawip protocol is not GRE |
240 | through firewalls (but note that gvpe's rawip protocol is not GRE |
241 | compatible). Other common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4 |
241 | compatible). Other common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4 |
242 | (IPIP tunnels) or 98 (ENCAP, rfc1241) |
242 | (IPIP tunnels) or 98 (ENCAP, rfc1241). |
|
|
243 | |
|
|
244 | Many versions of Linux seem to have a bug that causes them to reorder |
|
|
245 | packets for some ip protocols (GRE, ESP) but not for others (AH), so |
|
|
246 | choose wisely (that is, use 51, AH). |
243 | |
247 | |
244 | =item http-proxy-host = hostname/ip |
248 | =item http-proxy-host = hostname/ip |
245 | |
249 | |
246 | The C<http-proxy-*> family of options are only available if gvpe was |
250 | The C<http-proxy-*> family of options are only available if gvpe was |
247 | compiled with the C<--enable-http-proxy> option and enable tunneling of |
251 | compiled with the C<--enable-http-proxy> option and enable tunneling of |
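Review bot: the added paragraph (new 244-246) recommends protocol 51 (AH) while the paragraph just above still documents 47 (GRE) as the default, chosen for its good chance of tunneling through firewalls; either change the default to match the recommendation or state the trade-off explicitly (does 51 pass firewalls as readily as 47?), otherwise readers get two conflicting instructions. "Many versions of Linux seem to have a bug" is too vague to act on; name the kernel versions or at least the observable symptom (reordering seen with GRE and ESP but not with AH) so an operator can tell whether it applies to them. Minor: "ip protocols" should be "IP protocols".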
… | |
… | |
314 | is established (even on rekeying operations). Note that node-up/down |
318 | is established (even on rekeying operations). Note that node-up/down |
315 | scripts will be run asynchronously, but execution is serialised, so there |
319 | scripts will be run asynchronously, but execution is serialised, so there |
316 | will only ever be one such script running. |
320 | will only ever be one such script running. |
317 | |
321 | |
318 | In addition to all the variables passed to C<if-up> scripts, the following |
322 | In addition to all the variables passed to C<if-up> scripts, the following |
319 | environment variables will be set: |
323 | environment variables will be set (values are just examples): |
320 | |
324 | |
321 | =over 4 |
325 | =over 4 |
322 | |
326 | |
323 | =item DESTNODE=branch2 |
327 | =item DESTNODE=branch2 |
324 | |
328 | |
325 | The name of the remote node. |
329 | The name of the remote node. |
326 | |
330 | |
327 | =item DESTID=2 |
331 | =item DESTID=2 |
328 | |
332 | |
329 | The node id of the remote node. |
333 | The node id of the remote node. |
|
|
334 | |
|
|
335 | =item DESTSI=rawip/88.99.77.55:0 |
|
|
336 | |
|
|
337 | The "socket info" of the target node, protocol dependent but usually in |
|
|
338 | the format protocol/ip:port. |
330 | |
339 | |
331 | =item DESTIP=188.13.66.8 |
340 | =item DESTIP=188.13.66.8 |
332 | |
341 | |
333 | The numerical IP address of the remote node (gvpe accepts connections from |
342 | The numerical IP address of the remote node (gvpe accepts connections from |
334 | everywhere, as long as the other node can authenticate itself). |
343 | everywhere, as long as the other node can authenticate itself). |
335 | |
344 | |
336 | =item DESTPORT=655 # deprecated |
345 | =item DESTPORT=655 # deprecated |
337 | |
346 | |
338 | The UDP port used by the other side. |
347 | The protocol port used by the other side, if applicable. |
339 | |
348 | |
340 | =item STATE=UP |
349 | =item STATE=up |
341 | |
350 | |
342 | Node-up scripts get called with STATE=UP, node-down scripts get called |
351 | Node-up scripts get called with STATE=up, node-change scripts get called |
343 | with STATE=DOWN. |
352 | with STATE=change and node-down scripts get called with STATE=down. |
344 | |
353 | |
345 | =back |
354 | =back |
346 | |
355 | |
347 | Here is a nontrivial example that uses nsupdate to update the name => ip |
356 | Here is a nontrivial example that uses nsupdate to update the name => ip |
348 | mapping in some DNS zone: |
357 | mapping in some DNS zone: |
… | |
… | |
352 | echo update delete $DESTNODE.lowttl.example.net. a |
361 | echo update delete $DESTNODE.lowttl.example.net. a |
353 | echo update add $DESTNODE.lowttl.example.net. 1 in a $DESTIP |
362 | echo update add $DESTNODE.lowttl.example.net. 1 in a $DESTIP |
354 | echo |
363 | echo |
355 | } | nsupdate -d -k $CONFBASE:key.example.net. |
364 | } | nsupdate -d -k $CONFBASE:key.example.net. |
356 | |
365 | |
|
|
366 | =item node-change = relative-or-absolute-path |
|
|
367 | |
|
|
368 | Same as C<node-change>, but gets called whenever something about a |
|
|
369 | connection changes (such as the source IP address). |
|
|
370 | |
357 | =item node-down = relative-or-absolute-path |
371 | =item node-down = relative-or-absolute-path |
358 | |
372 | |
359 | Same as C<node-up>, but gets called whenever a connection is lost. |
373 | Same as C<node-up>, but gets called whenever a connection is lost. |
360 | |
374 | |
361 | =item pid-file = path |
375 | =item pid-file = path |
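Review bot: the new C<node-change> entry (new 366-369) describes itself as "Same as C<node-change>", a self-reference; it should read "Same as C<node-up>", matching the C<node-down> entry below it. The STATE values also change from C<UP>/C<DOWN> to C<up>/C<down> (new 349-352), which breaks any existing node-up/node-down script that compares against the upper-case strings; that should be called out as an incompatible change (or both spellings accepted for a release), not silently changed in the reference text. Finally, DESTPORT is marked "# deprecated" (new 345) without saying what replaces it; add "use DESTSI instead", since the new DESTSI entry carries the port in its protocol/ip:port form.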
… | |
… | |
378 | =item rekey = seconds |
392 | =item rekey = seconds |
379 | |
393 | |
380 | Sets the rekeying interval in seconds (default: C<3600>). Connections are |
394 | Sets the rekeying interval in seconds (default: C<3600>). Connections are |
381 | reestablished every C<rekey> seconds, making them use a new encryption |
395 | reestablished every C<rekey> seconds, making them use a new encryption |
382 | key. |
396 | key. |
|
|
397 | |
|
|
398 | =item nfmark = integer |
|
|
399 | |
|
|
400 | This advanced option, when set to a nonzero value (default: C<0>), tries |
|
|
401 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
|
|
402 | send packets. |
|
|
403 | |
|
|
404 | This can be used to make gvpe use a different set of routing rules. For |
|
|
405 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
406 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
407 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
408 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
409 | |
|
|
410 | ip rule add not fwmark 1000 lookup 99 |
383 | |
411 | |
384 | =back |
412 | =back |
385 | |
413 | |
386 | =head2 NODE SPECIFIC SETTINGS |
414 | =head2 NODE SPECIFIC SETTINGS |
387 | |
415 | |
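Review bot: the nfmark example (new 404-410) conflates the config option with the script: C<nfmark> is a configuration setting, so "the C<if-up> could set C<nfmark> to 1000" should read something like "set C<nfmark = 1000> in the configuration, then have the C<if-up> script put the routes into table C<99> and add the rule". Also "tries to set the netfilter mark" (new 400) leaves the failure mode undocumented; say whether a failure to set the mark is logged, ignored or fatal, because with the example rule C<ip rule add not fwmark 1000 lookup 99> any unmarked packet gvpe sends would itself be looked up in table 99 and routed back into the tunnel, so an operator needs to know that this can happen. Minor: the text introduces "fwmark" as an alias but the option is C<nfmark>; using one name in the explanation would avoid confusion.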