hi
I found the problem myself, in an old post from reyk from 2011.
I have to create, per routing domain where an IPsec tunnel terminates, an
enc interface inside of the rdomain.
This is hard; maybe it is possible to update the documentation (man
ipsec?) about this?
A small piece of advice: you have to take care of the enc interface and the rdomain.
holger
On 01.03.2018 at 20:21, Holger Glaess wrote:
> hi
>
>
> I am trying to set up a GRE tunnel with IPsec encryption.
>
> On both sides are OpenBSD 6.2 stable with all patches.
>
>
> If I run the GRE tunnel plain, without IPsec, it works as expected.
>
> If I enable the IPsec part, I see that the IPsec tunnel is
> negotiated, but
>
> the ping can't pass through the GRE tunnel anymore.
>
> forwarding is on
>
> GRE is allowed
>
> pf is disabled
>
>
> As I said, without IPsec the GRE tunnel works.
>
> IP addresses are only used in my lab setup.
>
> I also tried with the line "ike active esp transport proto gre"
>
> but it makes no difference.
>
> Is there a trick to use GRE together with IPsec?
>
> holger
>
>
> config below
>
> host A
>
> isakmpd is listen "isakmpd_rtable=1"
>
>
> /etc 488>cat hostname.gre0
>
> rdomain 5
> tunneldomain 1
> 192.168.222.1 192.168.222.2 netmask 0xffffffff
> tunnel 12.5.3.116 12.5.2.116
> link0
> up
>
> /etc 489>cat ipsec.conf
> self=12.5.3.116
> remotegw=12.5.2.116
> mypw=gRe123
>
> ike active esp transport \
> from $self to $remotegw \
> local $self peer $remotegw \
> main auth hmac-sha2 enc aes group modp1024 \
> quick auth hmac-sha2 enc aes group modp1024 \
> psk $mypw
>
>
> /etc 490>route -n -T 1 exec ipsecctl -s a
> FLOWS:
> flow esp in from 12.5.2.116 to 12.5.3.116 peer 12.5.2.116 srcid
> 12.5.3.116/32 dstid 12.5.2.116/32 type use
> flow esp out from 12.5.3.116 to 12.5.2.116 peer 12.5.2.116 srcid
> 12.5.3.116/32 dstid 12.5.2.116/32 type require
>
> SAD:
> esp transport from 12.5.2.116 to 12.5.3.116 spi 0xc489e095 auth
> hmac-sha2-256 enc aes
> esp transport from 12.5.3.116 to 12.5.2.116 spi 0xf3c7b66e auth
> hmac-sha2-256 enc aes
>
>
> /etc 491>ifconfig gre0
> gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> rdomain 5 mtu 1476
> index 29 priority 0 llprio 3
> groups: gre
> tunnel: inet 12.5.3.116 -> 12.5.2.116 rdomain 1
> inet 192.168.222.1 --> 192.168.222.2 netmask 0xffffffff
>
> Host B
>
> isakmpd is listen "isakmpd_rtable=2"
>
>
> /etc 17>cat /etc/hostname.gre0
> rdomain 1
> tunneldomain 2
> 192.168.222.2 192.168.222.1 netmask 0xffffffff
> tunnel 12.5.2.116 12.5.3.116
> link0 up
>
>
> /etc 18>cat /etc/ipsec.conf
> self=12.5.2.116
> remotegw=12.5.3.116
> mypw=gRe123
>
> ike active esp transport \
> from $self to $remotegw \
> local $self peer $remotegw \
> main auth hmac-sha2 enc aes group modp1024 \
> quick auth hmac-sha2 enc aes group modp1024 \
> psk $mypw
>
>
> /etc 19>route -n -T 2 exec ipsecctl -s a
> FLOW
> flow esp in from 12.5.3.116 to 12.5.2.116 peer 12.5.3.116 srcid
> 12.5.2.116/32 dstid 12.5.3.116/32 type use
> flow esp out from 12.5.2.116 to 12.5.3.116 peer 12.5.3.116 srcid
> 12.5.2.116/32 dstid 12.5.3.116/32 type require
>
> SAD:
> esp transport from 12.5.2.116 to 12.5.3.116 spi 0xc489e095 auth
> hmac-sha2-256 enc aes
> esp transport from 12.5.3.116 to 12.5.2.116 spi 0xf3c7b66e auth
> hmac-sha2-256 enc aes
>
>
> /etc 20>ifconfig gre0
> gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> rdomain 1 mtu 1476
> index 11 priority 0 llprio 3
> groups: gre
> tunnel: inet 12.5.2.116 -> 12.5.3.116 rdomain 2
> inet 192.168.222.2 --> 192.168.222.1 netmask 0xffffffff
>
>
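The check below is an added example and is not part of Holger's post or of OpenBSD's own tools. It parses ifconfig(8) output and reports every routing domain that terminates a tunnel (the "tunnel: ... rdomain N" line) but contains no enc(4) interface, which is the misconfiguration the reply above identifies. The sample output is constructed, modelled on the gre0 output quoted in the thread; the enc1/gre1 names, the 10.0.0.x addresses and the rdomain numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: flag routing domains that terminate a
# tunnel but have no enc(4) interface, from ifconfig(8) output on stdin.

# Prints one rdomain number per line for each tunnel domain that lacks an enc
# interface. Exit status 0 when every tunnel domain is covered, 1 otherwise.
check_enc_per_rdomain() {
    awk '
        # "encN: flags=... rdomain N ..." -> remember the rdomain this enc lives in.
        # ifconfig omits the "rdomain" token for the default domain, so assume 0.
        /^enc[0-9]+:/ {
            rd = 0
            for (i = 1; i <= NF; i++) if ($i == "rdomain") rd = $(i + 1)
            enc[rd] = 1
        }
        # "tunnel: inet A -> B rdomain N" -> the outer (IPsec-protected) endpoints
        # live in rdomain N, so that is where the SAs and the enc interface must be.
        /^[ \t]*tunnel:/ {
            rd = 0
            for (i = 1; i <= NF; i++) if ($i == "rdomain") rd = $(i + 1)
            tun[rd] = 1
        }
        END {
            missing = 0
            for (rd in tun) if (!(rd in enc)) { print rd; missing = 1 }
            exit missing
        }
    '
}

# Constructed ifconfig output (assumed interface names and addresses):
# gre0 terminates in rdomain 1, which has enc1; gre1 terminates in rdomain 2,
# which has no enc interface and should be reported.
sample_ifconfig='enc0: flags=0<> index 2 priority 0 llprio 3
        groups: enc
enc1: flags=0<> rdomain 1 index 30 priority 0 llprio 3
        groups: enc
gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> rdomain 5 mtu 1476
        index 29 priority 0 llprio 3
        groups: gre
        tunnel: inet 12.5.3.116 -> 12.5.2.116 rdomain 1
        inet 192.168.222.1 --> 192.168.222.2 netmask 0xffffffff
gre1: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> rdomain 6 mtu 1476
        index 31 priority 0 llprio 3
        groups: gre
        tunnel: inet 10.0.0.1 -> 10.0.0.2 rdomain 2
        inet 192.168.223.1 --> 192.168.223.2 netmask 0xffffffff'

# Same constructed host after adding enc2 in rdomain 2: nothing is reported.
sample_fixed="$sample_ifconfig
enc2: flags=0<> rdomain 2 index 32 priority 0 llprio 3
        groups: enc"

printf '%s\n' "$sample_ifconfig" | check_enc_per_rdomain \
    || echo "rdomain(s) above terminate a tunnel but have no enc interface"
```

On a real host run `ifconfig | check_enc_per_rdomain`. For a reported domain N, the fix the reply describes is an enc interface in that domain (for example a /etc/hostname.encN with the lines `rdomain N` and `up`, in the same hostname.if(5) style as the gre0 files quoted above; treat the exact file contents as an assumption and check enc(4) for your release).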