hi

I am trying to set up a GRE tunnel with IPsec encryption.

On both sides are OpenBSD 6.2 stable with all patches.


If I run the GRE tunnel plain without IPsec, it works as expected.

If I enable the IPsec part, I see that the IPsec tunnel is negotiated, but
the ping can't pass through the GRE tunnel anymore.

Forwarding is on.

GRE is allowed.

pf is disabled.


As I said, without IPsec the GRE tunnel works.

IP addresses are only used in my lab setup.

I also tried the line "ike active esp transport proto gre",
but it makes no difference.

Is there a trick to using GRE together with IPsec?

holger


Config below:

Host A

isakmpd is listening with "isakmpd_rtable=1"


/etc 488>cat hostname.gre0

rdomain 5
tunneldomain 1
192.168.222.1 192.168.222.2 netmask 0xffffffff
tunnel 12.5.3.116 12.5.2.116
link0
up

/etc 489>cat ipsec.conf
self=12.5.3.116
remotegw=12.5.2.116
mypw=gRe123

ike active esp transport \
        from $self to $remotegw \
        local $self peer $remotegw \
        main auth hmac-sha2 enc aes group modp1024 \
        quick auth hmac-sha2 enc aes group modp1024 \
        psk $mypw


/etc 490>route -n -T 1 exec ipsecctl -s a
FLOWS:
flow esp in from 12.5.2.116 to 12.5.3.116 peer 12.5.2.116 srcid 12.5.3.116/32 dstid 12.5.2.116/32 type use
flow esp out from 12.5.3.116 to 12.5.2.116 peer 12.5.2.116 srcid 12.5.3.116/32 dstid 12.5.2.116/32 type require

SAD:
esp transport from 12.5.2.116 to 12.5.3.116 spi 0xc489e095 auth hmac-sha2-256 enc aes
esp transport from 12.5.3.116 to 12.5.2.116 spi 0xf3c7b66e auth hmac-sha2-256 enc aes


/etc 491>ifconfig gre0
gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> rdomain 5 mtu 1476
        index 29 priority 0 llprio 3
        groups: gre
        tunnel: inet 12.5.3.116 -> 12.5.2.116 rdomain 1
        inet 192.168.222.1 --> 192.168.222.2 netmask 0xffffffff

Host B

isakmpd is listening with "isakmpd_rtable=2"


/etc 17>cat /etc/hostname.gre0
rdomain 1
tunneldomain 2
192.168.222.2 192.168.222.1 netmask 0xffffffff
tunnel 12.5.2.116 12.5.3.116
link0 up


/etc 18>cat /etc/ipsec.conf
self=12.5.2.116
remotegw=12.5.3.116
mypw=gRe123

ike active esp transport \
        from $self to $remotegw \
        local $self peer $remotegw \
        main auth hmac-sha2 enc aes group modp1024 \
        quick auth hmac-sha2 enc aes group modp1024 \
        psk $mypw


/etc 19>route -n -T 2 exec ipsecctl -s a
FLOW
flow esp in from 12.5.3.116 to 12.5.2.116 peer 12.5.3.116 srcid 12.5.2.116/32 dstid 12.5.3.116/32 type use
flow esp out from 12.5.2.116 to 12.5.3.116 peer 12.5.3.116 srcid 12.5.2.116/32 dstid 12.5.3.116/32 type require

SAD:
esp transport from 12.5.2.116 to 12.5.3.116 spi 0xc489e095 auth hmac-sha2-256 enc aes
esp transport from 12.5.3.116 to 12.5.2.116 spi 0xf3c7b66e auth hmac-sha2-256 enc aes


/etc 20>ifconfig gre0
gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> rdomain 1 mtu 1476
        index 11 priority 0 llprio 3
        groups: gre
        tunnel: inet 12.5.2.116 -> 12.5.3.116 rdomain 2
        inet 192.168.222.2 --> 192.168.222.1 netmask 0xffffffff
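Added example, not part of Holger's post: a small POSIX shell check that parses the kind of ifconfig gre0 and ipsecctl -s a output shown above (constructed copies of host A's output are embedded so it runs offline) and confirms that the rtable passed to route -T for ipsecctl matches the tunnel's tunneldomain and that both directions between the outer GRE endpoints are covered by flows. The helper names are my own, and the flow matcher also accepts flows restricted with "proto gre", which goes slightly beyond the output in the post.

```shell
# Added example (not from the original post); helper names are my own.
# Constructed copies of host A's output; on a real host use the output of
# "ifconfig gre0" and "route -T <tunneldomain> exec ipsecctl -s a".
IFCONFIG_OUT='gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> rdomain 5 mtu 1476
        index 29 priority 0 llprio 3
        groups: gre
        tunnel: inet 12.5.3.116 -> 12.5.2.116 rdomain 1
        inet 192.168.222.1 --> 192.168.222.2 netmask 0xffffffff'
IPSECCTL_OUT='FLOWS:
flow esp in from 12.5.2.116 to 12.5.3.116 peer 12.5.2.116 srcid 12.5.3.116/32 dstid 12.5.2.116/32 type use
flow esp out from 12.5.3.116 to 12.5.2.116 peer 12.5.2.116 srcid 12.5.3.116/32 dstid 12.5.2.116/32 type require

SAD:
esp transport from 12.5.2.116 to 12.5.3.116 spi 0xc489e095 auth hmac-sha2-256 enc aes
esp transport from 12.5.3.116 to 12.5.2.116 spi 0xf3c7b66e auth hmac-sha2-256 enc aes'

# Outer tunnel endpoints and the rtable they are routed in (tunneldomain),
# taken from the "tunnel:" line of ifconfig; rdomain is empty if none is shown.
tunnel_src()     { printf '%s\n' "$1" | awk '/^[ \t]*tunnel:/ {print $3}'; }
tunnel_dst()     { printf '%s\n' "$1" | awk '/^[ \t]*tunnel:/ {print $5}'; }
tunnel_rdomain() {
  printf '%s\n' "$1" | awk '/^[ \t]*tunnel:/ && $(NF-1)=="rdomain" {print $NF}'
}

# flow_covers DIR SRC DST OUTPUT: 0 if an esp flow in direction DIR (in|out)
# from SRC to DST is present in OUTPUT. Endpoints are located by the "from"
# and "to" keywords so that a flow carrying "proto gre" is matched as well.
flow_covers() {
  printf '%s\n' "$4" | awk -v d="$1" -v s="$2" -v t="$3" '
    $1=="flow" && $3==d {
      f=""; g=""
      for (i=1; i<=NF; i++) { if ($i=="from") f=$(i+1); if ($i=="to") g=$(i+1) }
      if (f==s && g==t) found=1
    }
    END { exit (found ? 0 : 1) }'
}

# check_gre_ipsec RTABLE IFCONFIG IPSECCTL: RTABLE is the -T value used for
# ipsecctl. Returns 0 only if it equals the tunneldomain and both directions
# between the outer GRE endpoints are covered by flows; reports each gap.
check_gre_ipsec() {
  src=$(tunnel_src "$2"); dst=$(tunnel_dst "$2"); rc=0
  [ "$(tunnel_rdomain "$2")" = "$1" ] ||
    { echo "tunneldomain is not rtable $1: flows were listed in another rdomain"; rc=1; }
  flow_covers out "$src" "$dst" "$3" || { echo "no outbound flow $src -> $dst"; rc=1; }
  flow_covers in  "$dst" "$src" "$3" || { echo "no inbound flow $dst -> $src"; rc=1; }
  return $rc
}
```

Run the same check on host B with its own output and rtable 2; a non-zero exit with a printed gap points at which side of the GRE/IPsec pairing is inconsistent.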

