… | |
… | |
237 | other programs. |
237 | other programs. |
238 | |
238 | |
239 | The default is 47 (GRE), which has a good chance of tunneling |
239 | The default is 47 (GRE), which has a good chance of tunneling |
240 | through firewalls (but note that gvpe's rawip protocol is not GRE |
240 | through firewalls (but note that gvpe's rawip protocol is not GRE |
241 | compatible). Other common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4 |
241 | compatible). Other common choices are 50 (IPSEC, ESP), 51 (IPSEC, AH), 4 |
242 | (IPIP tunnels) or 98 (ENCAP, rfc1241) |
242 | (IPIP tunnels) or 98 (ENCAP, rfc1241). |
|
|
243 | |
|
|
244 | Many versions of Linux seem to have a bug that causes them to reorder |
|
|
245 | packets for some ip protocols (GRE, ESP) but not for others (AH), so |
|
|
246 | choose wisely (that is, use 51, AH). |
243 | |
247 | |
244 | =item http-proxy-host = hostname/ip |
248 | =item http-proxy-host = hostname/ip |
245 | |
249 | |
246 | The C<http-proxy-*> family of options are only available if gvpe was |
250 | The C<http-proxy-*> family of options are only available if gvpe was |
247 | compiled with the C<--enable-http-proxy> option and enable tunneling of |
251 | compiled with the C<--enable-http-proxy> option and enable tunneling of |
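Review bot: the paragraph added at new lines 244-246 contradicts the advice two lines above it without reconciling the two: the default stays 47 (GRE) because it "has a good chance of tunneling through firewalls", yet the new text says to "choose wisely (that is, use 51, AH)". Either change the default or spell out the tradeoff (reordering on the affected kernels versus whatever firewall traversal the reader loses by moving off 47). "Many versions of Linux seem to have a bug" is too vague to act on; name the kernel versions where the reordering was observed, and say "were observed to" rather than "seem to". It would also help to repeat, for protocol 51, the caveat the preceding sentence already makes for GRE: using the AH protocol number does not make the packets IPsec AH, so a middlebox that parses AH will not understand them.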
… | |
… | |
314 | is established (even on rekeying operations). Note that node-up/down |
318 | is established (even on rekeying operations). Note that node-up/down |
315 | scripts will be run asynchronously, but execution is serialised, so there |
319 | scripts will be run asynchronously, but execution is serialised, so there |
316 | will only ever be one such script running. |
320 | will only ever be one such script running. |
317 | |
321 | |
318 | In addition to all the variables passed to C<if-up> scripts, the following |
322 | In addition to all the variables passed to C<if-up> scripts, the following |
319 | environment variables will be set: |
323 | environment variables will be set (values are just examples): |
320 | |
324 | |
321 | =over 4 |
325 | =over 4 |
322 | |
326 | |
323 | =item DESTNODE=branch2 |
327 | =item DESTNODE=branch2 |
324 | |
328 | |
325 | The name of the remote node. |
329 | The name of the remote node. |
326 | |
330 | |
327 | =item DESTID=2 |
331 | =item DESTID=2 |
328 | |
332 | |
329 | The node id of the remote node. |
333 | The node id of the remote node. |
|
|
334 | |
|
|
335 | =item DESTSI=rawip/88.99.77.55:0 |
|
|
336 | |
|
|
337 | The "socket info" of the target node, protocol dependent but usually in |
|
|
338 | the format protocol/ip:port. |
330 | |
339 | |
331 | =item DESTIP=188.13.66.8 |
340 | =item DESTIP=188.13.66.8 |
332 | |
341 | |
333 | The numerical IP address of the remote node (gvpe accepts connections from |
342 | The numerical IP address of the remote node (gvpe accepts connections from |
334 | everywhere, as long as the other node can authenticate itself). |
343 | everywhere, as long as the other node can authenticate itself). |
335 | |
344 | |
336 | =item DESTPORT=655 # deprecated |
345 | =item DESTPORT=655 # deprecated |
337 | |
346 | |
338 | The UDP port used by the other side. |
347 | The protocol port used by the other side, if applicable. |
339 | |
348 | |
340 | =item STATE=UP |
349 | =item STATE=up |
341 | |
350 | |
342 | Node-up scripts get called with STATE=UP, node-down scripts get called |
351 | Node-up scripts get called with STATE=up, node-change scripts get called |
343 | with STATE=DOWN. |
352 | with STATE=change and node-down scripts get called with STATE=down. |
344 | |
353 | |
345 | =back |
354 | =back |
346 | |
355 | |
347 | Here is a nontrivial example that uses nsupdate to update the name => ip |
356 | Here is a nontrivial example that uses nsupdate to update the name => ip |
348 | mapping in some DNS zone: |
357 | mapping in some DNS zone: |
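Review bot: the STATE values change from UP/DOWN to up/down (new lines 349-352), which silently breaks any existing node-up/node-down script that tests "$STATE" = UP; if the daemon really changed the case, say so explicitly as an incompatible change, and if it did not, revert this part of the doc change. DESTPORT is tagged "# deprecated" with no pointer to its replacement; add "use DESTSI instead", since the new DESTSI entry (new line 335) carries the same information in its protocol/ip:port form. Minor: the DESTSI example ends in ":0" while DESTPORT shows 655 two entries later; pick consistent example values so readers do not wonder whether port 0 is meaningful.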
… | |
… | |
352 | echo update delete $DESTNODE.lowttl.example.net. a |
361 | echo update delete $DESTNODE.lowttl.example.net. a |
353 | echo update add $DESTNODE.lowttl.example.net. 1 in a $DESTIP |
362 | echo update add $DESTNODE.lowttl.example.net. 1 in a $DESTIP |
354 | echo |
363 | echo |
355 | } | nsupdate -d -k $CONFBASE:key.example.net. |
364 | } | nsupdate -d -k $CONFBASE:key.example.net. |
356 | |
365 | |
|
|
366 | =item node-change = relative-or-absolute-path |
|
|
367 | |
|
|
368 | Same as C<node-change>, but gets called whenever something about a |
|
|
369 | connection changes (such as the source IP address). |
|
|
370 | |
357 | =item node-down = relative-or-absolute-path |
371 | =item node-down = relative-or-absolute-path |
358 | |
372 | |
359 | Same as C<node-up>, but gets called whenever a connection is lost. |
373 | Same as C<node-up>, but gets called whenever a connection is lost. |
360 | |
374 | |
361 | =item pid-file = path |
375 | =item pid-file = path |
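Review bot: the new node-change entry (new line 368) is self-referential: "Same as C<node-change>, but gets called whenever something about a connection changes" should read "Same as C<node-up>", matching the node-down entry directly below it. While here, the nsupdate example above is attached to node-up only; now that a node-change hook exists for source IP changes, the example should say that the same script must also be installed as node-change, otherwise the DNS record goes stale the moment a node's address changes. Also consider quoting the shell variables in the example ("$DESTNODE", "$CONFBASE") so it is safe to copy into scripts that do not get their values from the local config.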
… | |
… | |
379 | |
393 | |
380 | Sets the rekeying interval in seconds (default: C<3600>). Connections are |
394 | Sets the rekeying interval in seconds (default: C<3600>). Connections are |
381 | reestablished every C<rekey> seconds, making them use a new encryption |
395 | reestablished every C<rekey> seconds, making them use a new encryption |
382 | key. |
396 | key. |
383 | |
397 | |
|
|
398 | =item nfmark = integer |
|
|
399 | |
|
|
400 | This advanced option, when set to a nonzero value (default: C<0>), tries |
|
|
401 | to set the netfilter mark (or fwmark) value on all sockets gvpe uses to |
|
|
402 | send packets. |
|
|
403 | |
|
|
404 | This can be used to make gvpe use a different set of routing rules. For |
|
|
405 | example, on GNU/Linux, the C<if-up> could set C<nfmark> to 1000 and then |
|
|
406 | put all routing rules into table C<99> and then use an ip rule to make |
|
|
407 | gvpe traffic avoid that routing table, in effect routing normal traffic |
|
|
408 | via gvpe and gvpe traffic via the normal system routing tables: |
|
|
409 | |
|
|
410 | ip rule add not fwmark 1000 lookup 99 |
|
|
411 | |
384 | =back |
412 | =back |
385 | |
413 | |
386 | =head2 NODE SPECIFIC SETTINGS |
414 | =head2 NODE SPECIFIC SETTINGS |
387 | |
415 | |
388 | The following settings are node-specific, that is, every node can have |
416 | The following settings are node-specific, that is, every node can have |
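Review bot: the worked example (new lines 404-410) is described the wrong way round: nfmark is a gvpe.conf setting, not something the if-up script sets. It should read: set "nfmark = 1000" in the configuration, have if-up put the VPN routes into table 99, and add "ip rule add not fwmark 1000 lookup 99". The rule itself agrees with the prose (unmarked traffic consults table 99 first, marked gvpe traffic skips it and uses the normal tables). Two caveats deserve a sentence each: setting a socket mark needs CAP_NET_ADMIN, so "tries to set" should say what happens when that fails (a logged warning or a refusal to start), and if table 99 ever contains a default route then all unmarked host traffic enters the tunnel, which is presumably the intent of the example but should be stated rather than left for the reader to discover.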
… | |
… | |
396 | |
424 | |
397 | Allow direct connections to this node. See C<deny-direct> for more info. |
425 | Allow direct connections to this node. See C<deny-direct> for more info. |
398 | |
426 | |
399 | =item compress = yes|true|on | no|false|off |
427 | =item compress = yes|true|on | no|false|off |
400 | |
428 | |
|
|
429 | For the current node, this specified whether it will accept compressed |
|
|
430 | packets, and for all other nodes, this specifies whether to try to |
401 | Wether to compress data packets sent to this node (default: C<yes>). |
431 | compress data packets sent to this node (default: C<yes>). Compression is |
402 | Compression is really cheap even on slow computers and has no size |
432 | really cheap even on slow computers, has no size overhead at all and will |
403 | overhead at all, so enabling this is often a good idea. |
433 | only be used when the other side supports compression, so enabling this is |
|
|
434 | often a good idea. |
404 | |
435 | |
405 | =item connect = ondemand | never | always | disabled |
436 | =item connect = ondemand | never | always | disabled |
406 | |
437 | |
407 | Sets the connect mode (default: C<always>). It can be C<always> (always |
438 | Sets the connect mode (default: C<always>). It can be C<always> (always |
408 | try to establish and keep a connection to the given node), C<never> |
439 | try to establish and keep a connection to the given node), C<never> |
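Review bot: typo in the rewritten sentence (new line 429): "this specified whether" should be "this specifies whether". The claim "has no size overhead at all" needs a qualifier: it only holds if incompressible packets are sent uncompressed, so if that is what gvpe does, say so. Since compression here is applied to the plaintext before encryption, one sentence noting that encrypted packet sizes then depend on packet contents, which anyone watching the tunnel can observe, would let readers decide whether the default of "yes" is right for them.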
… | |
… | |
534 | The value specified using this directive will be passed to the C<if-up> |
565 | The value specified using this directive will be passed to the C<if-up> |
535 | script in the environment variable C<IFUPDATA>. |
566 | script in the environment variable C<IFUPDATA>. |
536 | |
567 | |
537 | =item inherit-tos = yes|true|on | no|false|off |
568 | =item inherit-tos = yes|true|on | no|false|off |
538 | |
569 | |
539 | Wether to inherit the TOS settings of packets sent to the tunnel when |
570 | Whether to inherit the TOS settings of packets sent to the tunnel when |
540 | sending packets to this node (default: C<yes>). If set to C<yes> then |
571 | sending packets to this node (default: C<yes>). If set to C<yes> then |
541 | outgoing tunnel packets will have the same TOS setting as the packets sent |
572 | outgoing tunnel packets will have the same TOS setting as the packets sent |
542 | to the tunnel device, which is usually what you want. |
573 | to the tunnel device, which is usually what you want. |
543 | |
574 | |
544 | =item max-retry = positive-number |
575 | =item max-retry = positive-number |
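Review bot: the spelling fix ("Wether" to "Whether") is fine; while editing this entry, consider noting that with inherit-tos defaulting to "yes" the outer packet's TOS byte mirrors the inner one, so an observer of the tunnel learns the traffic class of what is inside it. "usually what you want" is true for QoS, but the doc should name that tradeoff next to the default.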