Open source multipoint VPN with VyOS

Connected Mesh


The list of limitations grows: VRRP on VyOS does not accept IPv6 addresses, and the VPN tunnel interface accepts an IPv6 address only when it is not operating in multipoint mode. In summary, IPv6 support in VyOS is absolutely not ready for prime time.

Optimization: Timer Tuning

Keep the time to recover from a failure to a minimum by fine-tuning timers and thresholds. Use low keepalive intervals only on a stable Internet link; otherwise, every lost packet triggers a failover.

The values for VRRP, OSPF, and IPsec Dead Peer Detection (DPD) must work hand in hand. For VRRP, a small timeout is acceptable because the LAN has virtually no packet loss. The idea behind DPD is to detect an inactive or faulty tunnel and rebuild it before OSPF notices the lost neighbor and starts a failover, so the DPD timeout must expire well before the OSPF dead interval does.

DPD and OSPF operate across the WAN and need longer timeouts. A good starting point is 30 seconds for DPD and 40 seconds for the OSPF dead interval; remember that OSPF hello and dead intervals must match on both neighbors, or the adjacency never forms. If the DMVPN environment runs smoothly, try lowering the values; if the WAN is flapping and unstable, try timeouts greater than a minute. Sometimes it is simply a matter of testing which values work best.
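The following script is an added example, not part of the article: it turns the timer ordering described above into VyOS set commands and refuses combinations in which DPD would not give up before OSPF does. The IKE group name IKE-DMVPN, the tunnel interface tun0, and the LAN interface eth1 with vrrp-group 1 are assumptions, as is the VyOS 1.1-era VRRP syntax; adjust them to your configuration.

```bash
#!/bin/bash
# Added example (not from the article): emit the VyOS "set" commands for one
# coordinated set of DMVPN failover timers and refuse combinations that break
# the ordering described in the text: IPsec DPD must declare a dead tunnel
# (and restart it) before the OSPF dead-interval expires, and OSPF hello must
# be shorter than dead on both neighbors.
# Assumed names (adjust to your config): ike-group IKE-DMVPN, tunnel tun0,
# LAN interface eth1 with vrrp-group 1 (VyOS 1.1-era VRRP syntax).

# dmvpn_timer_cmds DPD_INTERVAL DPD_TIMEOUT OSPF_HELLO OSPF_DEAD VRRP_ADVERTISE
# Prints the set commands on stdout; returns 1 with a message on stderr if the
# timers are inconsistent.
dmvpn_timer_cmds() {
    local dpd_interval=$1 dpd_timeout=$2 ospf_hello=$3 ospf_dead=$4 vrrp_adv=$5

    # DPD detection time is the timeout; the tunnel must be restarted before
    # OSPF gives up on the neighbor, so the timeout needs clear headroom.
    if [ "$dpd_timeout" -ge "$ospf_dead" ]; then
        echo "DPD timeout ${dpd_timeout}s must be shorter than OSPF dead-interval ${ospf_dead}s" >&2
        return 1
    fi
    # DPD must probe more often than it gives up, otherwise one lost probe decides.
    if [ "$dpd_interval" -ge "$dpd_timeout" ]; then
        echo "DPD interval ${dpd_interval}s must be shorter than DPD timeout ${dpd_timeout}s" >&2
        return 1
    fi
    # OSPF's usual ratio is dead = 4 x hello; dead <= hello is never valid.
    if [ "$ospf_dead" -le "$ospf_hello" ]; then
        echo "OSPF dead-interval ${ospf_dead}s must exceed hello-interval ${ospf_hello}s" >&2
        return 1
    fi

    cat <<EOF
set vpn ipsec ike-group IKE-DMVPN dead-peer-detection action restart
set vpn ipsec ike-group IKE-DMVPN dead-peer-detection interval $dpd_interval
set vpn ipsec ike-group IKE-DMVPN dead-peer-detection timeout $dpd_timeout
set protocols ospf interface tun0 hello-interval $ospf_hello
set protocols ospf interface tun0 dead-interval $ospf_dead
set interfaces ethernet eth1 vrrp vrrp-group 1 advertise-interval $vrrp_adv
EOF
}

# Starting point from the text: DPD gives up after 30 s (probing every 10 s,
# an assumed split), OSPF hello 10 s / dead 40 s, VRRP advertising every
# second on the LAN. Any of the five values can be overridden on the command line.
dmvpn_timer_cmds "${1:-10}" "${2:-30}" "${3:-10}" "${4:-40}" "${5:-1}"
```

Paste the printed lines into a configure session on the hub and every spoke, then commit; the OSPF lines must be identical on both ends of each tunnel, so generate them once and reuse them.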

Which MTU Is the Best?

An IPsec VPN adds a lot of headers (Table 1; Figure 4). Their size depends on the WAN technology and the chosen cryptographic algorithm, but they have one thing in common: they reduce the maximum transmission unit (MTU). Don't ignore the MTU setting, because OSPF expects the same MTU value on both ends of a link (a mismatch leaves the neighbors stuck in the ExStart/Exchange state), and an inappropriate MTU causes fragmentation and lowers the throughput of the VPN tunnel.

Table 1: GRE Tunnel with IPsec Headers (listed from the original packet outward; the indentation in the source marks each encapsulation layer)

Header                    Size (bytes)
IPv4 (original packet)    20
GRE                       8
IPv4 (GRE outer)          20
ESP (header and trailer)  40
IPv4 (IPsec outer)        20
PPPoE                     8
Total                     112

Note: ESP overhead is not fixed; it depends on the cipher's IV length, padding to the block size, and the length of the integrity check value, so treat the ESP row and the total as approximate (the rows as printed add up to 116 bytes).
Figure 4: A small packet contains more header than data.

To pick an MTU value, you have two options: (1) choose a low but safe value of 1,400 bytes, or (2) calculate the MTU with a web-based MTU calculator [8] and test it. Once the value is applied to the tunnel, validate it with a ping that has the Don't Fragment flag set. Note that ping's size option specifies the ICMP payload, not the packet size: the IPv4 and ICMP headers add 28 bytes, so a payload of 1,422 bytes tests an MTU of 1,450 bytes.

ping IP -l 1422 -f       (Windows: -l is the payload size, -f sets DF)
ping -M do -s 1422 IP    (Linux iputils: -M do sets DF, -s is the payload size)

The demonstration network uses an MTU of 1,450 bytes.

A third option, detecting the MTU automatically with Path MTU Discovery, was not reliable during lab testing and introduced issues when forming OSPF neighborships. PMTUD depends on ICMP "fragmentation needed" messages reaching the sender, and firewalls along the WAN path frequently drop them.
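As an added example that is not part of the article, the script below does the MTU validation actively instead of relying on PMTUD: it binary-searches for the largest ICMP payload that crosses the tunnel with DF set and converts the result into a layer-3 MTU using the 28-byte header arithmetic described above. It assumes Linux iputils ping; the probe function is a parameter so it can be replaced in tests. The host 10.0.0.1 used in the tests is a constructed placeholder.

```bash
#!/bin/bash
# Added example (not from the article): find the largest packet that crosses
# the tunnel unfragmented and turn the result into an MTU value, with the
# header arithmetic that a bare "ping -l 1450 -f" gets wrong.
# Assumes Linux iputils ping ("-M do" sets DF, "-s" is the ICMP payload size).

IPV4_ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP echo header

# Payload size that tests a given layer-3 MTU, e.g. 1422 for MTU 1450.
ping_payload_for_mtu() {
    echo $(( $1 - IPV4_ICMP_OVERHEAD ))
}

# probe_df PAYLOAD HOST: one DF ping; success (0) only if an echo reply came back.
# A silently dropped DF packet counts as "too large", which is exactly the case
# in which PMTUD fails because the ICMP "fragmentation needed" never arrives.
probe_df() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST LO HI [PROBE]
# Binary search between a payload known to work (LO) and the largest payload
# worth trying (HI; 1472 for a 1500-byte link). PROBE is a function taking
# (payload host); it defaults to probe_df and is swapped out in tests.
# Prints the path MTU in bytes; returns 1 if even LO is dropped.
find_path_mtu() {
    local host=$1 lo=$2 hi=$3 probe=${4:-probe_df} mid
    if ! "$probe" "$lo" "$host"; then
        echo "payload $lo already exceeds the path MTU to $host" >&2
        return 1
    fi
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid" "$host"; then
            lo=$mid               # fits: the answer is at least this large
        else
            hi=$(( mid - 1 ))     # dropped: the answer is smaller
        fi
    done
    echo $(( lo + IPV4_ICMP_OVERHEAD ))
}

# Usage: ./pmtu.sh <host-behind-the-tunnel> [configured-mtu]
# With no arguments the script only defines the functions above.
if [ $# -ge 1 ]; then
    mtu=$(find_path_mtu "$1" 1000 1472) || exit 1
    echo "path MTU to $1: $mtu bytes"
    if [ $# -ge 2 ]; then
        payload=$(ping_payload_for_mtu "$2")
        if probe_df "$payload" "$1"; then
            echo "MTU $2 confirmed (payload $payload with DF passes)"
        else
            echo "MTU $2 is too large for this path"
        fi
    fi
fi
```

Run it from a host on one LAN against a host on the other side of the tunnel; if the reported path MTU is below the value configured on the tunnel interface, lower the interface MTU on both ends so OSPF sees matching values.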
