Hello
I recently had to implement this solution and couldn't find any documentation on the Internet.
So here it is, a tested and working solution.
I have provided some explanations as comments in the configs.
So here is my topology:
Site A (the router is a Cisco box):
internal subnet - 192.168.1.0/24
default gateway for internal hosts, internal ip address of the router - 192.168.1.1
external ip address of the router - 10.0.5.2
the router's default gateway - 10.0.5.1
Site B (the router is a Linux box running Openswan):
internal subnet - 192.168.2.0/24
default gateway for internal hosts, internal ip address of the router - 192.168.2.1
external ip address of the router - 10.0.6.2
the router's default gateway - 10.0.6.1
The config on the Cisco router is below (Site A):
!
version 12.4
!
hostname R1
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp key cisco12 address 10.0.6.2
!
!!! use transport mode for the IPSec tunnels when you also use GRE
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
!
!!! the remote ipsec peer is 10.0.6.2
crypto map mymap 10 ipsec-isakmp
set peer 10.0.6.2
set transform-set myset
match address vpn-r1r2
!
!!! the GRE tunnel with the Linux box
!!! the MTU of 1420 is enough to accommodate the additional GRE and ESP headers
!!! apply the crypto map to both the physical and GRE interfaces
interface Tunnel0
ip address 99.1.2.1 255.255.255.0
ip mtu 1420
tunnel source 10.0.5.2
tunnel destination 10.0.6.2
crypto map mymap
!
!!! external interface
interface FastEthernet0/0
ip address 10.0.5.2 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
!!! internal interface
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
!!! default gateway for the router
ip route 0.0.0.0 0.0.0.0 10.0.5.1
!!! route for the GRE tunnel endpoint
ip route 10.0.6.2 255.255.255.255 10.0.5.1
!!! route the remote subnet through the GRE tunnel
ip route 192.168.2.0 255.255.255.0 99.1.2.2
!
!!! here is where most people make their mistakes
!!! use the example of the vpn-r1r2 access-list when defining the crypto-map
!!! define GRE traffic as the "interesting traffic"
ip access-list extended vpn-r1r2
permit gre host 10.0.5.2 host 10.0.6.2
!
!!! this ACL is worthless, do NOT define your ACL like below
ip access-list extended vpn-r1r2-mod
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
end
!
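To make the crypto ACL point concrete, here is a small added model (my own illustration, not part of the original post) of how R1 classifies a LAN packet once Tunnel0 has GRE-encapsulated it. It assumes that a crypto map on the external interface evaluates its ACL against the packet as it appears on that interface, i.e. the outer GRE packet between 10.0.5.2 and 10.0.6.2; the helper names and the sample flow are mine.

```python
"""Model how the two crypto ACLs from this post classify traffic on R1.

Assumption (added example, not from the post): a crypto map applied to the
external interface evaluates its ACL against the packet as seen there, i.e.
the GRE-encapsulated packet, not the inner LAN packet.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple

GRE = 47  # IP protocol number behind "permit gre" and "leftprotoport=47"

class Packet(NamedTuple):
    src: str
    dst: str
    proto: int  # IP protocol number

class Ace(NamedTuple):
    proto: str  # "ip" (any protocol) or "gre"
    src: str    # CIDR
    dst: str    # CIDR

def ios_network(addr: str, wildcard: str = "0.0.0.0") -> str:
    """Convert an IOS 'addr wildcard' pair to CIDR ('host x' is wildcard 0.0.0.0)."""
    wc = int(ip_address(wildcard))
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard masks are not supported")
    return str(ip_network(f"{addr}/{32 - bin(wc).count('1')}", strict=False))

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto == "gre" and pkt.proto != GRE:
        return False
    return (ip_address(pkt.src) in ip_network(ace.src)
            and ip_address(pkt.dst) in ip_network(ace.dst))

def acl_selects(acl: List[Ace], pkt: Packet) -> bool:
    return any(ace_matches(a, pkt) for a in acl)

# The two ACLs from the Cisco config, expressed with the helper above.
VPN_R1R2 = [Ace("gre", ios_network("10.0.5.2"), ios_network("10.0.6.2"))]
VPN_R1R2_MOD = [Ace("ip", ios_network("192.168.1.0", "0.0.0.255"),
                    ios_network("192.168.2.0", "0.0.0.255"))]

def gre_encapsulate(inner: Packet, local="10.0.5.2", remote="10.0.6.2") -> Packet:
    """What FastEthernet0/0 sees once Tunnel0 has wrapped a LAN packet."""
    return Packet(local, remote, GRE)

def protected_on_wire(crypto_acl: List[Ace], inner: Packet) -> bool:
    """True when the encapsulated packet is selected for ESP by the crypto map."""
    return acl_selects(crypto_acl, gre_encapsulate(inner))
```

For a constructed flow `Packet("192.168.1.10", "192.168.2.20", 6)`, `protected_on_wire(VPN_R1R2, ...)` returns True while `protected_on_wire(VPN_R1R2_MOD, ...)` returns False, even though `acl_selects(VPN_R1R2_MOD, ...)` is True for the inner packet: the subnet ACL describes the right traffic at the wrong layer, so it never selects what the external interface actually carries.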
The configuration on the Linux router is below (Site B):
- the following is a script for start-up
# turn the device into a router
echo 1 > /proc/sys/net/ipv4/ip_forward
# interface config
ifconfig eth0 10.0.6.2 netmask 255.255.255.0
ifconfig eth1 192.168.2.1 netmask 255.255.255.0
# routes
route add default gw 10.0.6.1
# GRE tunnel
iptunnel add tun_test mode gre local 10.0.6.2 remote 10.0.5.2
ifconfig tun_test 99.1.2.2 pointopoint 99.1.2.1 mtu 1420
route add -host 10.0.5.2 gw 10.0.6.1
# routing
route add -net 192.168.1.0 netmask 255.255.255.0 gw 99.1.2.1
# start services
ipsec setup --start
- below is the ipsec connection in /etc/ipsec.conf
conn test
    auto=start #any reboot causes immediate renegotiation
    type=transport #transport mode ipsec
    authby=secret #authentication
    ike=3des-sha1-modp1024 #phase 1 aka isakmp sa
    ikelifetime=8h #phase 1 sa lifetime
    esp=3des-sha1 #phase 2 aka ipsec sa
    keylife=1h #phase 2 sa lifetime
    pfs=no
    ###our gateway
    left=10.0.6.2 #the IP address of the local IPSec peer
    leftnexthop=10.0.6.1 #default gateway
    leftprotoport=47 #match the GRE traffic, this line is very important
    ###remote peer
    right=10.0.5.2 #the IP address of the remote IPSec peer
    rightnexthop=10.0.5.1 #peer default gateway
    rightprotoport=47 #match the GRE traffic
- below is the file /etc/ipsec.secrets
10.0.6.2 10.0.5.2 : PSK "cisco12"
And voila, it works!
This solution is imho the best, considering it requires only 4 extra bytes for the GRE header with transport mode IPSec, and it allows the use of routing protocols over the tunnels.
Have fun :)