Will heartbeat work if IPSec does?
Shadow Hawkins on Thursday, 22 September 2011 23:11:23
I need to have an IP6 tunnel working through a mobile 4G modem with ISP natting. I signed up for AYIYA, but it just occurred to me that I tested an IPSec tunnel, and that worked. So there is a good chance that a dynamic 6in4 would work. (But no guarantee, the ISP may very well handle protocol 50 but not protocol 41.) I have enough points to try changing the tunnel type (and then change it back again if it doesn't work), but does anyone have any experience with this situation?
Also, this tunnel goes to a backup modem that is not the default route. Is it sufficient to host route the PoP IPv4? Or do I need to route the tic server also? Is the tic server required if I am going to always use the same PoP?
Jeroen Massar on Friday, 23 September 2011 10:56:49
a mobile 4G modem with ISP natting.
If you are behind a NAT, it is a miracle if you get IPSec to work, but there are extensions to IPSec which make it possible (afaik it then goes into UDP mode actually, but I can be quite wrong there).
If AYIYA works, then why bother to swap anyway?
The TIC server is only contacted once when you start up AICCU to fetch configuration information, after that it is not needed any more.
Shadow Hawkins on Wednesday, 28 September 2011 04:26:22
If you are behind a NAT, it is a miracle if you get IPSec to work.
If protocol 50 is properly natted, it works fine. It is true that a lot of routers screw this up. (UDP port 500 for key exchange of course works.)
If AYIYA works, then why bother to swap anyway?
To test the limits of things. I can test with my own static 6in4 tunnel, however. No need to "spend" points.
The TIC server is only contacted ... at startup ...
Does the TIC server have a fixed IP(s) that I can host route through the backup modem? While I will try to leave the IP6 tunnel up, the user may let the 4G activation expire. Should the power go out, and their regular ISP go down again, they can reactivate (with a $$$ penalty of course), but the default IP4 route will still point to the regular ISP. I would like the IP6 tunnel to be able to start up without using the default IP4 route (i.e. using only host routes).
DNS shows two IPs for tic.sixxs.net. Can I just host route both of those?
Jeroen Massar on Wednesday, 28 September 2011 08:57:33
DNS shows two IPs for tic.sixxs.net. Can I just host route both of those?
Depending on availability and stability of hosts we might change that DNS entry at any one point in time, that is why we stuck it in DNS, otherwise we would have gone for IP addresses.
Shadow Hawkins on Wednesday, 28 September 2011 20:27:13
we might change that DNS entry at any one point in time
So, it sounds like the only reliable backdoor would be the dynamic 6in4 with heartbeat (assuming the router handles 6in4 correctly for DMZ NAT). Could we then host route the PoP IP4, and our IP4 could change? My static 6in4 tunnel never uses the tic server, so I'm hoping that dynamic 6in4 would never use it either.
I can test whether 6in4 is natted correctly with a temporary static 6in4 tunnel to our own server.
Jeroen Massar on Thursday, 29 September 2011 09:15:08
So, it sounds like the only reliable backdoor would be the dynamic 6in4 with heartbeat (assuming the router handles 6in4 correctly for DMZ NAT).
TIC is totally independent of the tunneling protocol used. TIC only supplies the information on how to configure a tunnel (TIC = Tunnel Information and Control protocol).
My static 6in4 tunnel never uses the tic server, so I'm hoping that dynamic 6in4 would never use it either.
The TIC server is only accessed once at the start of AICCU to get the tunnel parameters, after that, it is left alone, unless you restart AICCU again.
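
The host-routing question from this thread, as an added example that is not part of any post and is not SixXS or AICCU code: because the tic.sixxs.net DNS entry may change, the host routes through the backup modem can be recomputed from a fresh lookup before each AICCU start instead of being hard-coded. The gateway 10.64.0.1, the interface wwan0 and every address below are constructed placeholders, and the lookup helper assumes a glibc `getent`.

```shell
#!/bin/sh
# Added example: reconcile IPv4 host routes for a name whose A records may change.
# All addresses, the gateway and the interface name are constructed placeholders.

# resolve_v4 NAME: print the current IPv4 addresses of NAME on one line.
# Assumes glibc getent; call this when the resolver itself is reachable.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u | tr '\n' ' '
}

# plan_routes OLD NEW GW DEV
# OLD = addresses that currently have a host route, NEW = fresh DNS answer
# (both space-separated). Prints the ip(8) commands that bring the routes in
# line with NEW. An empty NEW (failed lookup) prints nothing, so the routes
# that are already installed stay in place.
plan_routes() {
    old=$1 new=$2 gw=$3 dev=$4
    [ -n "$new" ] || return 0
    for ip in $new; do
        # Skip anything that is not digits and dots before it reaches a command.
        case $ip in *[!0-9.]*) continue ;; esac
        case " $old " in
            *" $ip "*) ;;   # route already present
            *) echo "ip route replace $ip/32 via $gw dev $dev" ;;
        esac
    done
    for ip in $old; do
        case $ip in *[!0-9.]*) continue ;; esac
        case " $new " in
            *" $ip "*) ;;   # still in DNS, keep it
            *) echo "ip route del $ip/32 via $gw dev $dev" ;;
        esac
    done
}

# Constructed sample: one address dropped out of DNS, one new address appeared.
INSTALLED="192.0.2.10 192.0.2.11"
RESOLVED="192.0.2.11 198.51.100.7"   # in real use: RESOLVED=$(resolve_v4 tic.sixxs.net)
plan_routes "$INSTALLED" "$RESOLVED" 10.64.0.1 wwan0
```

The script only prints the plan; review the output before applying it as root. The PoP IPv4 address can be given its host route the same way.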