Hello
I recently had to implement this solution and couldn't find any documentation on the Internet.
So here it is, a tested and working solution.
I have provided some explanations as comments in the configs.
So here is my topology:
Site A (the router is a Cisco box):
internal subnet - 192.168.1.0/24
default gateway for internal hosts, internal ip address of the router - 192.168.1.1
external ip address of the router - 10.0.5.2
the router's default gateway - 10.0.5.1
Site B (the router is a Linux box running Openswan):
internal subnet - 192.168.2.0/24
default gateway for internal hosts, internal ip address of the router - 192.168.2.1
external ip address of the router - 10.0.6.2
the router's default gateway - 10.0.6.1
The config on the Cisco router is below (Site A):
!
version 12.4
!
hostname R1
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp key cisco12 address 10.0.6.2
!
!!! use transport mode for the IPSec tunnels when you also use GRE
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
!
!!! the remote ipsec peer is 10.0.6.2
crypto map mymap 10 ipsec-isakmp
set peer 10.0.6.2
set transform-set myset
match address vpn-r1r2
!
!!! the GRE tunnel with the Linux box
!!! the MTU of 1420 is enough to accommodate the additional GRE and ESP headers
!!! apply the crypto map to both the physical and GRE interfaces
interface Tunnel0
ip address 99.1.2.1 255.255.255.0
ip mtu 1420
tunnel source 10.0.5.2
tunnel destination 10.0.6.2
crypto map mymap
!
!!! external interface
interface FastEthernet0/0
ip address 10.0.5.2 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
!!! internal interface
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
!!! default gateway for the router
ip route 0.0.0.0 0.0.0.0 10.0.5.1
!!! route for the GRE tunnel endpoint
ip route 10.0.6.2 255.255.255.255 10.0.5.1
!!! route the remote subnet through the GRE tunnel
ip route 192.168.2.0 255.255.255.0 99.1.2.2
!
!!! here is where most people make their mistakes
!!! use the example of the vpn-r1r2 access-list when defining the crypto-map
!!! define GRE traffic as the "interesting traffic"
ip access-list extended vpn-r1r2
permit gre host 10.0.5.2 host 10.0.6.2
!
!!! this ACL is worthless, do NOT define your ACL like below
ip access-list extended vpn-r1r2-mod
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
end
!
The configuration on the Linux router is below (Site B):
- the following is a script for start-up
#!/bin/sh
# turn the device into a router
echo 1 > /proc/sys/net/ipv4/ip_forward
# interface config
ifconfig eth0 10.0.6.2 netmask 255.255.255.0
ifconfig eth1 192.168.2.1 netmask 255.255.255.0
# routes
route add default gw 10.0.6.1
# GRE tunnel
iptunnel add tun_test mode gre local 10.0.6.2 remote 10.0.5.2
ifconfig tun_test 99.1.2.2 pointopoint 99.1.2.1 mtu 1420
route add -host 10.0.5.2 gw 10.0.6.1
# routing
route add -net 192.168.1.0 netmask 255.255.255.0 gw 99.1.2.1
# start services
ipsec setup --start
- below is the ipsec connection in /etc/ipsec.conf
conn test
    auto=start #any reboot causes immediate renegotiation
    type=transport #transport mode ipsec
    authby=secret #authentication
    ike=3des-sha1-modp1024 #phase 1 aka isakmp sa
    ikelifetime=8h #phase 1 sa lifetime
    esp=3des-sha1 #phase 2 aka ipsec sa
    keylife=1h #phase 2 sa lifetime
    pfs=no
    ###our gateway
    left=10.0.6.2 #the IP address of the local IPSec peer
    leftnexthop=10.0.6.1 #default gateway
    leftprotoport=47 #match the GRE traffic (IP protocol 47), this line is very important; Openswan builds that reject the number accept leftprotoport=gre (see the comments below)
    ###remote peer
    right=10.0.5.2 #the IP address of the remote IPSec peer
    rightnexthop=10.0.5.1 #peer default gateway
    rightprotoport=47 #match the GRE traffic (rightprotoport=gre on builds that reject the number)
- below is the file /etc/ipsec.secrets
10.0.6.2 10.0.5.2 : PSK "cisco12"
And voilà, it works!
This solution is imho the best considering it requires only 4 extra bytes for the GRE header with transport mode IPSec, and it allows the use of routing protocols over the tunnels.
Have fun :)
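As an added check that is not part of the original post, the POSIX shell functions below compute the on-the-wire size of a GRE packet protected by the esp-3des/esp-sha-hmac transform in transport mode and confirm that the "ip mtu 1420" chosen above fits a 1500-byte link. The header sizes are the standard ones for IPv4, GRE without options, 3DES-CBC and HMAC-SHA1-96; the 1500-byte link MTU is my assumption.

```sh
#!/bin/sh
# Added example: ESP transport-mode overhead for GRE, as used in the post.
IP_HDR=20        # outer IPv4 header (kept in place in transport mode)
GRE_HDR=4        # GRE header without key/sequence options
ESP_HDR=8        # SPI + sequence number
ESP_IV=8         # 3DES-CBC initialisation vector
ESP_BLOCK=8      # 3DES block size: payload + trailer are padded to a multiple
ESP_TRAILER=2    # pad length + next header
ESP_ICV=12       # HMAC-SHA1-96 integrity check value

# esp_total <inner_len>: bytes on the wire for an inner IP packet of inner_len
# bytes after GRE encapsulation and ESP transport-mode protection.
esp_total() {
    len=$1
    plain=$((GRE_HDR + len + ESP_TRAILER))            # the encrypted portion
    pad=$(( (ESP_BLOCK - plain % ESP_BLOCK) % ESP_BLOCK ))
    echo $((IP_HDR + ESP_HDR + ESP_IV + plain + pad + ESP_ICV))
}

# max_tunnel_mtu <link_mtu>: largest inner packet whose protected form fits the
# link; start from the fixed overhead and step down until padding fits too.
max_tunnel_mtu() {
    link=$1
    inner=$((link - IP_HDR - ESP_HDR - ESP_IV - ESP_ICV - GRE_HDR - ESP_TRAILER))
    while [ "$(esp_total "$inner")" -gt "$link" ]; do
        inner=$((inner - 1))
    done
    echo "$inner"
}

# check_tunnel_mtu <tunnel_mtu> <link_mtu>: succeeds when the configured
# tunnel MTU never produces an outer packet larger than the link MTU.
check_tunnel_mtu() {
    [ "$(esp_total "$1")" -le "$2" ]
}

# Usage with the values from the post (1420 on a 1500-byte link):
echo "1420-byte inner packet becomes $(esp_total 1420) bytes on the wire"
echo "largest safe tunnel MTU on a 1500-byte link: $(max_tunnel_mtu 1500)"
check_tunnel_mtu 1420 1500 && echo "ip mtu 1420 fits" || echo "ip mtu 1420 too large"
```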
Hey there - your config above for the linux box lists
ifconfig tun_test 99.1.2.2 pointopoint 99.1.2.1 mtu 1420
But those IPs aren't mentioned anywhere else in the configs. I presume you just accidentally didn't obscure them with private IPs?
I'm trying to piece together a working config for strongSwan via your helpful article here. :)
The ip addresses 99.1.2.1 and 99.1.2.2 are the GRE tunnel interface addresses at Site A and Site B respectively.
They are the gateway address for each site to reach the other's network. So for Site A to reach Site B's network 192.168.2.0/24 the gateway address is 99.1.2.2. And for Site B to reach Site A's network 192.168.1.0/24 the gateway address is 99.1.2.1.
So you need to either run a routing protocol on the tunnel interfaces to distribute routes from one site to the other, or you need to create static routes as in this example:
"!!! route the remote subnet through the GRE tunnel
ip route 192.168.2.0 255.255.255.0 99.1.2.2"
and
"# routing
route add -net 192.168.1.0 netmask 255.255.255.0 gw 99.1.2.1"
Hope that helps.
I guess you are not maintaining this blog anymore, but I would still like to ask a few questions here in the hope that someone will reply.
a) As @Paul mentioned in the comment above, you have not mentioned anything about the IPs 99.1.2.2 and 99.1.2.1
b) I get an error with the following line in ipsec.conf
leftprotoport=47
Invalid protoport value.
Any help would be appreciated.
leftprotoport=47
Invalid protoport value. Any help??
Hi Everyone,
The error got solved
just put
leftprotoport=gre and rightprotoport=gre