Cisco – Linux GRE keep alive

cisco gre ipsec keepalive routing

What are the possibilities in the Linux kernel (?) to work with a Cisco endpoint incorporating GRE keep-alives? We have a GRE IPsec tunnel set up with another company. We would like to have a backup tunnel which should be active when the main one dies. So they enable GRE keep-alives on the first one, which will detect failure and switch routing to the backup tunnel. We are dependent on the technology proposed by them (other solutions can't be used). How can we accomplish such communication? I was surprised to find nothing about it in iproute2 or the kernel. Only this popped up, but it does not seem to be reliable for production use.

UPDATE:

Our current configuration is:

  • Ubuntu server 14.04 LTS, kernel 3.13.0-24-generic
  • racoon and setkey daemon for managing IPsec
  • iproute2 for bringing tunnel up in gre mode

We must use GRE keep-alives. They told us there is no way (well, not technically, but I guess it's their policy) to establish a backup tunnel unless we enable keep-alives.

The question is: is it possible using the server configuration mentioned above?

Best Answer

This is related only partially to keepalives. Basically you need to establish a second GRE tunnel and implement some mechanism to detect tunnel failures (though it can be done with keepalives, usually it's done with HELO protocol messages or a BFD protocol layer on top of dynamic routing, designed especially for this purpose). A common approach is to use any sort of dynamic routing, but not RIP (regardless of its version), since RIP isn't suited for multi-path operations and basically holds only one route for a destination. OSPF will be fine, as will EIGRP (but since it's proprietary, you cannot use it on Linux since there are no open implementations of it), IS-IS, and iBGP.

You can also consider getting rid of GRE and implementing a VTI tunnel, since the Linux kernel is capable of it.
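
For context on what the Linux end of the tunnel receives, this added example (not from the question or the answer) builds and classifies a GRE keepalive, assuming the layout Cisco documents: an outer GRE packet whose inner IPv4 packet is addressed back to the sender and carries a GRE header with protocol type 0. The function names are hypothetical and the sample packet is constructed in code rather than captured.

```python
import ipaddress
import struct

GRE, ETH_IPV4 = 47, 0x0800   # IP protocol number for GRE; GRE type for IPv4

def ipv4(src, dst, proto, payload):
    """Prepend a minimal IPv4 header (checksum left 0 in this offline sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 255,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_keepalive(cisco, linux):
    """Constructed sample of one keepalive as sent by the Cisco endpoint."""
    inner = ipv4(linux, cisco, GRE, struct.pack("!HH", 0, 0))  # inner GRE, type 0
    return ipv4(cisco, linux, GRE, struct.pack("!HH", 0, ETH_IPV4) + inner)

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); raise ValueError on malformed input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total < ihl or total > len(pkt):
        raise ValueError("bad IPv4 lengths")
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9], pkt[ihl:total]

def parse_gre(gre):
    """Return (protocol_type, payload), skipping optional checksum/key/sequence."""
    flags, ptype = struct.unpack("!HH", gre[:4])
    hlen = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    return ptype, gre[hlen:]

def classify(pkt):
    """Label an outer packet received on the Linux side of the tunnel."""
    try:
        o_src, o_dst, proto, body = parse_ipv4(pkt)
        if proto != GRE:
            return "not-gre"
        ptype, inner = parse_gre(body)
        if ptype != ETH_IPV4:
            return "data"
        i_src, i_dst, i_proto, i_body = parse_ipv4(inner)
        # A keepalive's inner packet swaps the outer addresses, so forwarding
        # it after decapsulation sends it straight back to the originator.
        if i_proto == GRE and (i_src, i_dst) == (o_dst, o_src) and parse_gre(i_body)[0] == 0:
            return "keepalive"
        return "data"
    except (ValueError, struct.error):
        return "malformed"
```

Running `classify` over packets seen on the tunnel's outer addresses separates keepalives from ordinary tunnelled traffic, which helps when checking whether the peer's keepalives arrive at all.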