[strongSwan] GRE Strongswan Question

Makarand Pradhan MakarandPradhan at is5com.com
Fri Dec 10 20:43:48 CET 2021


Hello Everyone,

This email is regarding GRE over IPSec. I'm observing some interesting behaviour which I am not able to understand. Would highly appreciate your views.

Issue:
GRE over IPSec works in tunnel mode when I use Raspberry Pis as end devices.
Pi on LAN<--> R1 Router running strongswan <-Internet--> R2 Router running strongswan <--> Pi on LAN

When I try to use Spirent ports instead of Pis, only transport mode works. Tunnel mode does not push GRE packets into the IPSec tunnel.

Question:
Can anyone give a hint as to why tunnel mode would work when the end points are Pis?
Or why Spirent traffic only supports transport?

The relevant configuration is given below.

Linux strongSwan U5.8.2/K4.1.35-rt41

R1:
Ipsec.conf
        right=172.16.100.101
        rightid=172.16.100.101
        rightsubnet=172.16.100.101/32[gre]
        left=172.16.100.1
        leftid=172.16.100.1
        leftsubnet=172.16.100.1/32[gre]

ip a s tunnel1
19: tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default
    link/gre 172.16.100.1 peer 172.16.100.101
    inet 10.10.1.1/24 scope global tunnel1
       valid_lft forever preferred_lft forever

R2:
Ipsec.conf
        right=172.16.100.1
        rightid=172.16.100.1
        rightsubnet=172.16.100.1/32[gre]
        left=172.16.100.101
        leftid=172.16.100.101
        leftsubnet=172.16.100.101/32[gre]

ip a s tunnel1
19: tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default
    link/gre 172.16.100.101 peer 172.16.100.1
    inet 10.10.1.2/24 scope global tunnel1
       valid_lft forever preferred_lft forever


Thanks.

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.

 


