[strongSwan] ipsec & gre : using gre key

Luc Willems luc.willems at it4y.eu
Thu Oct 3 19:50:15 CEST 2013

Hi all,

I'm currently testing some IPsec/GRE tunnels and encountered the following issue.
I have 2 clients on a remote site, connecting to a central gateway system.

  [client 1] ------| FW site A|---( internet )--> [ tunnel server ]
                   |          |
  [client 2] ----- |          |

Both client 1 & 2 are located on an internal network. Their traffic will be
NATed by FW site A.
Client 1 & 2 use NAT-T UDP encapsulation for the IPsec traffic so it can be
handled correctly after the NATing by the FW.

Both client 1 & 2 have a small, unique private /24 network behind them and
use a GRE tunnel to connect these networks with the tunnel server over the
public internet. IPsec is used to secure the communication.

Client 1's GRE tunnel has a GRE key of , client 2 has a GRE key of .
Both clients and the tunnel server use left|rightprotoport=47 to select GRE as
the traffic selector.
The tunnels are created in the ipsec up/down script once the IPsec
security associations are in place between the client and the tunnel server.

When client 1 connects, the SA and CA are installed, and on the tunnel
server I see a traffic selector
like <public ip site A>/32[gre] and <tunnelserver>/32[gre].

When client 2 connects, I get an error that the traffic selector for <public ip
site A>/32[gre] and <tunnelserver>/32[gre]
already exists. This seems normal, as the traffic selector seems to be based
only on the src/dst IP and protocol 47=gre.

Looking into ip xfrm, I noticed there is an option to specify the GRE key as an
additional parameter for the traffic selector.
Also, the following thread http://markmail.org/thread/5hdt42apy6bvpzkr on the
netdev mailing list
talks about a feature to include the GRE key as a
differentiator in the traffic selector.

It seems to me this could be a solution for my problem, as it would make
both IPsec tunnels unique, like:

client 1 : <public ip site A>/32[gre] and <tunnelserver>/32[gre]
client 2 : <public ip site A>/32[gre] and <tunnelserver>/32[gre]

Each CA would then be unique based on src/dst, protocol=47 and the GRE key,
which would make them unique.

I'm currently looking for a way to include the GRE key in the
left|rightprotoport configuration, but with no great success.
Is this option actually supported, and how would one specify it in the
left|rightprotoport configuration?

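The post points at the kernel-side mechanism (the `key` parameter of an ip xfrm selector) without showing how it makes the two GRE flows distinct. The model below is an added example, not code from the post, from strongSwan or from iproute2, and it does not answer whether strongSwan's protoport syntax can carry a key (the page does not say). It models a Linux xfrm selector as (src, dst, proto, sport, dport) and the way `ip xfrm policy add ... proto gre key K` fills it: the 32-bit GRE key is split into the selector's sport (upper 16 bits) and dport (lower 16 bits), so two GRE policies between the same address pair no longer collide. The addresses, GRE keys and reqids are constructed for the example; the post's own key values are not on the page. The `SPD` class is a hypothetical stand-in for the kernel's policy database, and `ip_xfrm_policy_cmd` only renders the equivalent command string rather than executing it.

```python
"""Model of xfrm selector collisions for GRE with and without a GRE key.

Added example (not strongSwan, iproute2 or kernel code). Addresses, keys and
reqids below are constructed; the post's real values are not on the page.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_GRE = 47


@dataclass(frozen=True)
class Selector:
    """Shape of an xfrm policy selector, host addresses only for simplicity."""
    src: str
    dst: str
    proto: int
    sport: int = 0   # for GRE: upper 16 bits of the key, 0 = not pinned
    dport: int = 0   # for GRE: lower 16 bits of the key, 0 = not pinned


def gre_selector(src: str, dst: str, key: Optional[int] = None) -> Selector:
    """Selector for GRE between src and dst, optionally pinned to one GRE key.

    Mirrors the `proto gre key K` encoding: K is packed into sport/dport.
    """
    if key is None:
        return Selector(src, dst, IPPROTO_GRE)
    if not 0 <= key <= 0xFFFFFFFF:
        raise ValueError("GRE key must fit in 32 bits")
    return Selector(src, dst, IPPROTO_GRE, key >> 16, key & 0xFFFF)


class PolicyExists(Exception):
    """Stands in for the EEXIST a duplicate `ip xfrm policy add` returns."""


class SPD:
    """Minimal security policy database (hypothetical model, not the kernel's)."""

    def __init__(self) -> None:
        self._policies: Dict[Tuple[str, Selector], int] = {}

    def add(self, direction: str, sel: Selector, reqid: int) -> None:
        """Install a policy; a second policy with an identical selector fails."""
        k = (direction, sel)
        if k in self._policies:
            raise PolicyExists(f"{direction} policy {sel} already exists")
        self._policies[k] = reqid

    def lookup(self, direction: str, src: str, dst: str, proto: int,
               gre_key: Optional[int] = None) -> Optional[int]:
        """Return the reqid of the policy matching a flow, or None.

        A GRE selector with a packed key only matches a flow carrying that
        key; a selector without a key matches any GRE flow between the pair.
        """
        for (d, sel), reqid in self._policies.items():
            if (d, sel.src, sel.dst, sel.proto) != (direction, src, dst, proto):
                continue
            if proto == IPPROTO_GRE and (sel.sport or sel.dport):
                if gre_key is None:
                    continue
                if (sel.sport, sel.dport) != (gre_key >> 16, gre_key & 0xFFFF):
                    continue
            return reqid
        return None


def ip_xfrm_policy_cmd(direction: str, sel: Selector, reqid: int) -> str:
    """Render the equivalent `ip xfrm policy add` line (not executed here)."""
    parts = ["ip", "xfrm", "policy", "add", "src", f"{sel.src}/32",
             "dst", f"{sel.dst}/32", "proto",
             "gre" if sel.proto == IPPROTO_GRE else str(sel.proto)]
    if sel.proto == IPPROTO_GRE and (sel.sport or sel.dport):
        parts += ["key", f"0x{(sel.sport << 16) | sel.dport:08x}"]
    parts += ["dir", direction, "tmpl", "src", sel.src, "dst", sel.dst,
              "proto", "esp", "reqid", str(reqid), "mode", "tunnel"]
    return " ".join(parts)


def demo() -> Tuple[bool, Optional[int], Optional[int], str]:
    """Constructed scenario from the tunnel server's point of view."""
    site_a = "203.0.113.10"   # constructed: public IP of FW site A (post-NAT)
    server = "198.51.100.1"   # constructed: tunnel server
    key1, key2 = 101, 202     # constructed GRE keys for client 1 and client 2

    # Without a key both clients yield the same selector: the second add fails.
    spd = SPD()
    spd.add("out", gre_selector(server, site_a), reqid=1)
    try:
        spd.add("out", gre_selector(server, site_a), reqid=2)
        collided = False
    except PolicyExists:
        collided = True

    # With the key packed into the selector the two policies are distinct and
    # each GRE flow is steered to its own reqid (its own IPsec SA pair).
    keyed = SPD()
    keyed.add("out", gre_selector(server, site_a, key1), reqid=1)
    keyed.add("out", gre_selector(server, site_a, key2), reqid=2)
    r1 = keyed.lookup("out", server, site_a, IPPROTO_GRE, key1)
    r2 = keyed.lookup("out", server, site_a, IPPROTO_GRE, key2)
    cmd = ip_xfrm_policy_cmd("out", gre_selector(server, site_a, key2), 2)
    return collided, r1, r2, cmd


if __name__ == "__main__":
    print(demo())
```

The rendered command follows the `ip-xfrm` selector grammar (`proto gre [ key NUMBER ]`), which is the only place the key can be expressed on the kernel side; whether an IKE daemon installs such a selector is a separate question from whether the kernel accepts it.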
