search for: apsystem

Displaying 20 results from an estimated 20 matches for "apsystem".

2016 Jan 27
0
HA firewall with tinc
...DeviceType = tap instead of tun. The tap interface will have a MAC address and frames will be sent with a complete L2 header. All standard L2 protocols such as ARP will work as expected as on a normal Ethernet interface. Cheers Saverio 2016-01-27 10:32 GMT+01:00 mlist <mlist at apsystems.it>: > This is a VPN for Disaster Recovery sites, so it is not necessary to have a seamless failover, strictly speaking. Encryption instead is mandatory. > Testing we found that on Keepalived failover remote Tinc take few seconds to reset the connectio...
2016 Jan 27
6
HA firewall with tinc
I have 2 firewall in HA with keepalived. Can I use active the same tinc configuration on 2 firewalls ? using tun Interface with same ip on all 2 nodes is a problem ? tun device advertise itself on the network having an IP/MAC pairs (ARP) or the IP is only used by the system internally for routing so using the same configuration is right ? so one firewall be active, the other is passive. With this
2016 Jan 27
0
HA firewall with tinc
...e tinc with DeviceType = tap instead of tun. The tap interface will have a MAC address and frames will be sent with a complete L2 header. All standard L2 protocols such as ARP will work as expected as on a normal Ethernet interface. Cheers Saverio 2016-01-27 10:32 GMT+01:00 mlist <mlist at apsystems.it>: > This is a VPN for Disaster Recovery sites, so it is not necessary to have a seamless failover, strictly speaking. Encryption instead is mandatory. > Testing we found that on Keepalived failover remote Tinc take few seconds to reset the connection and correctly re-connect to the new...
2016 Jan 27
0
HA firewall with tinc
...you can think of GRE tunnels that are stateless. Active/passive seamless failover for firewall cluster requires state synchronization among the two chassis. I hope this email helps you to better approach what you are trying to do. Cheers Saverio 2016-01-27 8:31 GMT+01:00 mlist <mlist at apsystems.it>: > I think it should work at least for TUN virtual interface as TUN works at IP > level. > > This is a sample configuration. > > > > firewall1 lan = 172.16.1.11/19 (ALWAYS ACTIVE) - > "Physical Network Interface" ? system config as...
2019 Jul 14
2
Build error due to Waf task dependency cycle in run_after
Dear all, trying to build some Heimdal-based packages for Samba AD DC under openSUSE I am facing some difficulties with the build system: During the installation which is triggered by "make install" waf complains about some task dependency cycle after leaving folder bin/default. Full log including config options can be seen under https://build.opensuse.org/
2016 Jan 22
0
tinc with ha firewall
Ok, I think synching 2 firewalls are best solution with keepalived active/passive HA, too. I'll try this solution to see if all goes straightforward between failover/failback and tinc communications. Thank you Guus. Best regards Roberto -----Original Message----- From: tinc [mailto:tinc-bounces at tinc-vpn.org] On Behalf Of Guus Sliepen Sent: venerdì 22 gennaio 2016 10.24 To: tinc at
2016 Jan 22
1
Error starting tinc
I tested a little more... tincd does not create virtual interface device correctly on CentOS 7, I don't know where tincd stop, probably on " System call `getaddrinfo' failed: Name or service not known" I sent you before. Keepalived return that error I shown on every ip command but this is not a problem now, I'll see this as soon as possible. If I execute these commands tun
2016 Jan 23
1
Persistent tun/tap
Is it possible for tinc to make a persistent tun/tap, or can I configure a persistent tun/tap by hand and tell tinc to use that virtual interface device without starting up/shutting down tun/tap at every tincd start/stop? Roberto
2016 Jan 25
1
Persistent tun/tap
So we can configure a persistent tun and tinc on startup recognize this, tinc uses just present tun without problems ? Can you point me to Tinc-RedHat best practice method to do that please ? Thank you in advance Best Regards Roberto -----Original Message----- From: tinc [mailto:tinc-bounces at tinc-vpn.org] On Behalf Of Guus Sliepen Sent: domenica 24 gennaio 2016 09.53 To: tinc at
2016 Jan 26
0
Persistent tun/tap
This is not the best method as one has to change all present and future scripts tinc runs, but ok. Thank you Roberto -----Original Message----- From: tinc [mailto:tinc-bounces at tinc-vpn.org] On Behalf Of Guus Sliepen Sent: martedì 26 gennaio 2016 10.13 To: tinc at tinc-vpn.org Subject: Re: Persistent tun/tap On Tue, Jan 26, 2016 at 07:25:55AM +0000, mlist wrote: > It would be nice if
2016 Jan 27
0
HA firewall with tinc
I think it should work at least for TUN virtual interface as TUN works at IP level. This is a sample configuration. firewall1 lan = 172.16.1.11/19 (ALWAYS ACTIVE) - "Physical Network Interface" - system config as ifcfg-... 172.16.1.10/19 (VIP Keepalived Make active) - Active/Passive configuration with firewall2 firewall1 vpndr1
2016 Feb 08
0
tinc ha
I need a second tinc vpn server (physical machine) to be up and running, so if first tinc vpn server (virtual machine) goes down we can connect to remote site to do management (remote site is not isolated). If I use 2 different tinc vpn servers on the remote sites all two connected to primary tinc sites (HQ Site), can I have a robust solution, using some route prioritization with ip route ? so I
2016 Jan 22
1
Error starting tinc
Executing: ip tuntap add vpndrif mode tun return Keepalived errors show when tincd start: Jan 22 23:41:19 Keepalived_vrrp[1999]: Netlink: filter function error Jan 22 23:41:19 Keepalived_healthcheckers[1998]: Netlink: filter function error Jan 22 23:41:19 systemd-sysctl[23246]: Overwriting earlier assignment of kernel/shmmax in file '/etc/sysctl.d/99-sysctl.conf'. Jan 22 23:41:19
2016 Jan 22
1
Error starting tinc
No parameters using DNS. - tinc.conf content Name = sito1 AddressFamily = ipv4 BindToAddress = <IPPUB>:665 BindToInterface = int Device=/dev/net/tun Interface = vpndrif Mode = router PingInterval = 60 PingTimeout = 5 ProcessPriority = normal - host/sito1 content Address = <IPPUB>:665 Subnet = <IPLOCAL>/<NETMASK> Port = 655 -----BEGIN RSA PUBLIC KEY----- ... -----END
2016 Jan 22
1
Tun/Tap IP Configuration
I read tinc documentation part: " For Branch A BranchA would be configured like this: In /etc/tinc/company/tinc-up: # Real interface of internal network: # ifconfig eth0 10.1.54.1 netmask 255.255.0.0 ifconfig $INTERFACE 10.1.54.1 netmask 255.0.0.0 ... Note that the IP addresses of eth0 and tap0 are the same. This is quite possible, if you make sure that the netmasks of the
2016 Jan 22
1
tinc with ha firewall
Hi, I have HA firewalls configuration (keepalived) on one site. Each firewall has its own IP and a Virtual IP (VIP) that keepalived activate on one of the firewall (active/passive HA configuration). I think I can set all two firewalls with same configuration, generating key pairs on one firewall and copying that to the second, so the remote host can see always one of the other firewall as the
2016 Jan 25
1
Persistent tun/tap
Ok. I'm configuring my iptables scripts so that specific iptables rules for virtual network interfaces used for tinc go on tinc-up-fw and tinc-down-fw custom scripts. When I reload iptables rules manually to apply changes iptables scripts flush all chains and reapply rules and now also search in /etc/tinc/<netname>/ directories if the related virtual network interface is up and running
2016 Jan 25
1
Persistent tun/tap
Yes, I know it is possible to insert iptables rule also without interface presence, but I never tested. If you tell this I trust your experience, but I prefer to have clean system configuration, so all is linked to something, without leaving unused system configuration, mainly for security components, also our firewalls have complex configuration, but using this dynamic management leave persistent
2016 Jan 26
2
Persistent tun/tap
It would be nice if in a next tinc release you'll add some service variables tinc propagates to its scripts. So for example you can define in tinc.conf env variables like: SERVICE1= ... SERVICEn= and tinc will propagates all SERVICEx Variables found in tinc.conf to all scripts it calls. One can use theoretically infinite Env Var for custom behavior (like custom debug messages, conditional
2016 Jan 22
1
Error starting tinc
I get this error starting tincd: tincd -n vpndr -d5 -D tincd 1.0.26 (Jan 22 2016 19:28:17) starting, debug level 5 /dev/net/tun is a Linux tun/tap device (tun mode) Executing script tinc-up System call `getaddrinfo' failed: Name or service not known Terminating Also keepalived returns an error when tincd starts. Starting as a daemon. Journalctl shows this: Jan 22 23:14:49 systemd[1]: