Date:      Fri, 20 Feb 2004 11:00:39 +0200
From:      Valentin Nechayev <netch@lucky.net>
To:        net@freebsd.org
Subject:   gre, ipsec, can't detunnel
Message-ID:  <20040220090039.GB58238@lucky.net>

Trying to set up an IPsec'ed tunnel with explicit routing to it.
I have two FreeBSDs (quarta: 4.9, grizzly: 5.2.1).

root@grizzly:~>>
# ifconfig gre0
gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
        tunnel inet 193.193.193.138 --> 193.193.193.11
        inet 10.0.0.2 --> 10.0.0.1 netmask 0xffffffff

root@quarta:~>>
# ifconfig gre1
gre1: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
        tunnel inet 193.193.193.11 --> 193.193.193.138
        inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff

Interaction 10.0.0.1 <-> 10.0.0.2 works OK.
Adding an IPSEC transport between the external sides of the tunnel:

root@grizzly:~>>
# less /etc/ipsec.conf 
flush;
add 193.193.193.11 193.193.193.138 esp 1100 -m transport -E des-cbc "01239876" -A keyed-md5 "dafa0066a4fc7788";
add 193.193.193.138 193.193.193.11 esp 1101 -m transport -E des-cbc "01239876" -A keyed-md5 "dafa0066a4fc7788";
spdflush;
spdadd 193.193.193.138/32 193.193.193.11/32 any -P out ipsec esp/transport//use;
spdadd 193.193.193.11/32 193.193.193.138/32 any -P in ipsec esp/transport//use;

root@quarta:~>>
# less /etc/ipsec.conf   
flush;
add 193.193.193.11 193.193.193.138 esp 1100 -m transport -E des-cbc "01239876" -A keyed-md5 "dafa0066a4fc7788";
add 193.193.193.138 193.193.193.11 esp 1101 -m transport -E des-cbc "01239876" -A keyed-md5 "dafa0066a4fc7788";
spdflush;
spdadd 193.193.193.11/32 193.193.193.138/32 any -P out ipsec esp/transport//use;
spdadd 193.193.193.138/32 193.193.193.11/32 any -P in ipsec esp/transport//use;

(IKE is deliberately disabled to simplify things.)

Well, all interaction between the external IPs is OK, with encryption and decryption.
But interaction between the internal IPs (e.g. `ping 10.0.0.2') fails.

The same setup works in the following cases:
- Encryption of packets going into the GRE tunnel on FreeBSD and decryption
on a Cisco 7140 (well, with des-cbc, but disabling AH between the FreeBSDs
doesn't fix the problem): I see them after the Cisco.
- Encryption and decryption when the tunnel is switched from GRE to IPIP
(device gif).

So, the only problematic part is getting packets out of GRE after IPSEC
decryption: it fails on FreeBSD without any understandable reason.

Questions here:
1. Has anybody seen the same problem?
2. Is it related to my setup? If yes, why is the Cisco 7140 able to decrypt
and detunnel IPSEC+GRE?

The admin of this Cisco router doesn't want to select IPIP encapsulation
due to CEF problems, so I want to make every effort to run it with GRE.

P.S. IPSEC tunnel mode also doesn't help, with the same result
(Cisco can decrypt, FreeBSD can't).


-netch-
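As an added example (not part of the post and not FreeBSD's own tooling), a small Python linter for setkey(8)-style ipsec.conf statements like the ones quoted above: it flags the des-cbc and keyed-md5 choices, checks that each key has the size the algorithm expects, and reports the `use` policy level, which still lets packets pass in cleartext when no SA matches, next to a hardened variant with constructed placeholder keys. It assumes the statement layout shown in the post and that rijndael-cbc and hmac-sha1 are available to setkey on these hosts.

```python
"""Lint a setkey(8)-style ipsec.conf for weak manual-keying choices."""
import shlex

# Key sizes (bytes) setkey(8) expects per algorithm. The names are the ones the
# post uses plus stronger ones the same tool accepts (assumed available here).
ENC_KEY_BYTES = {"des-cbc": {8}, "3des-cbc": {24}, "rijndael-cbc": {16, 24, 32}}
AUTH_KEY_BYTES = {"keyed-md5": {16}, "hmac-md5": {16}, "hmac-sha1": {20}}
WEAK_ALGS = {"des-cbc": "56-bit DES", "keyed-md5": "keyed (non-HMAC) MD5", "hmac-md5": "MD5"}

def key_len(token):
    """A setkey key is 0x-prefixed hex or a quoted ASCII string (quotes already stripped)."""
    return (len(token) - 2) // 2 if token.startswith("0x") else len(token)

def lint_setkey(conf):
    """Return human-readable findings for each SA ('add') and policy ('spdadd') statement."""
    findings = []
    for stmt in (s.strip() for s in conf.split(";")):
        tok = shlex.split(stmt) if stmt else []
        if tok and tok[0] == "add" and len(tok) > 4:
            sa = f"SA {tok[1]}->{tok[2]} spi {tok[4]}"
            for flag, sizes in (("-E", ENC_KEY_BYTES), ("-A", AUTH_KEY_BYTES)):
                if flag in tok and tok.index(flag) + 2 < len(tok):
                    alg, key = tok[tok.index(flag) + 1], tok[tok.index(flag) + 2]
                    if alg in WEAK_ALGS:
                        findings.append(f"{sa}: weak algorithm {alg} ({WEAK_ALGS[alg]})")
                    if alg in sizes and key_len(key) not in sizes[alg]:
                        findings.append(f"{sa}: {alg} key is {key_len(key)} bytes, expected {sorted(sizes[alg])}")
        elif tok and tok[0] == "spdadd" and "ipsec" in tok[6:-1]:
            parts = tok[tok.index("ipsec") + 1].split("/")  # protocol/mode/src-dst/level
            level = parts[3] if len(parts) > 3 else "default"
            if level != "require":
                findings.append(f"SPD {tok[1]}->{tok[2]} {tok[5]}: level '{level}' still passes cleartext, use 'require'")
    return findings

# quarta's config as posted, and a hardened variant with constructed placeholder keys.
POST_CONF = """flush;
add 193.193.193.11 193.193.193.138 esp 1100 -m transport -E des-cbc "01239876" -A keyed-md5 "dafa0066a4fc7788";
add 193.193.193.138 193.193.193.11 esp 1101 -m transport -E des-cbc "01239876" -A keyed-md5 "dafa0066a4fc7788";
spdflush;
spdadd 193.193.193.11/32 193.193.193.138/32 any -P out ipsec esp/transport//use;
spdadd 193.193.193.138/32 193.193.193.11/32 any -P in ipsec esp/transport//use;
"""
HARDENED_CONF = """flush;
add 193.193.193.11 193.193.193.138 esp 1100 -m transport -E rijndael-cbc 0x00112233445566778899aabbccddeeff -A hmac-sha1 0x00112233445566778899aabbccddeeff00112233;
add 193.193.193.138 193.193.193.11 esp 1101 -m transport -E rijndael-cbc 0xffeeddccbbaa99887766554433221100 -A hmac-sha1 0xffeeddccbbaa99887766554433221100ffeeddcc;
spdflush;
spdadd 193.193.193.11/32 193.193.193.138/32 any -P out ipsec esp/transport//require;
spdadd 193.193.193.138/32 193.193.193.11/32 any -P in ipsec esp/transport//require;
"""
```

Running `lint_setkey(POST_CONF)` yields six findings (two weak algorithms per SA and the `use` level on both policies), while `lint_setkey(HARDENED_CONF)` yields none.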