[strongSwan] GRE Strongswan Question

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Fri Jan 7 16:51:16 CET 2022


Hi
Check the sample-config/info in the attached doc. Maybe it will help

One thing I check from my experience (especially for tunnel-mode IPsec) is
that on R1 and R2, even though they may be connected
back-to-back/in the same subnet (as per your config posted), you should still
ensure that the default route/default gateway is configured/added on each of
the routers.

Hope this is of some help.

Thanks & regards
Rajiv



On Sat, Dec 11, 2021 at 1:13 AM Makarand Pradhan <MakarandPradhan at is5com.com>
wrote:

> Hello Everyone,
>
> This email is regarding GRE over IPSec. I'm observing some interesting
> behaviour which I am not able to understand. Would highly appreciate your
> views.
>
> Issue:
> GRE over IPSec works in tunnel mode when I use Raspberry Pis as end
> devices.
> Pi on LAN<--> R1 Router running strongswan <-Internet--> R2 Router running
> strongswan <--> Pi on LAN
>
> When I try to use Spirent ports instead of Pis, only transport mode works.
> Tunnel mode does not push GRE packets into IPSec tunnel.
>
> Question:
> Can anyone give a hint as to why tunnel mode would work when the end
> points are Pis?
> Or why does Spirent traffic only support transport?
>
> The relevant configuration is given below
>
> Linux strongSwan U5.8.2/K4.1.35-rt41
>
> R1:
> Ipsec.conf
>         right=172.16.100.101
>         rightid=172.16.100.101
>         rightsubnet=172.16.100.101/32[gre]
>         left=172.16.100.1
>         leftid=172.16.100.1
>         leftsubnet=172.16.100.1/32[gre]
>
> ip a s tunnel1
> 19: tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
> state UNKNOWN group default
>     link/gre 172.16.100.1 peer 172.16.100.101
>     inet 10.10.1.1/24 scope global tunnel1
>        valid_lft forever preferred_lft forever
>
> R2:
> Ipsec.conf
>         right=172.16.100.1
>         rightid=172.16.100.1
>         rightsubnet=172.16.100.1/32[gre]
>         left=172.16.100.101
>         leftid=172.16.100.101
>         leftsubnet=172.16.100.101/32[gre]
>
> ip a s tunnel1
> 19: tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
> state UNKNOWN group default
>     link/gre 172.16.100.101 peer 172.16.100.1
>     inet 10.10.1.2/24 scope global tunnel1
>        valid_lft forever preferred_lft forever
>
>
> Thanks.
>
> Kind rgds,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
> 5895 Ambler Dr,
> Mississauga, Ontario
> L4W 5B7
> Main Line: +1-844-520-0588 Ext. 129
> Direct Line: +1-289-724-2296
> Cell: +1-226-501-5666
> Fax:+1-289-401-5206
> Email: makarandpradhan at is5com.com
> Website: www.iS5Com.com
Network-Deployment
-----------------

Pi on LAN<--> R1 Router running strongswan <-Internet--> R2 Router running strongswan <--> Pi on LAN

The above setup is equivalent to the one below:


TC1/Pi1(192.168.11.2/24)---11.1(lan)[R1-RTR](wan)172.16.100.101-----internet/wan-network----172.16.100.1(wan)[R2-RTR](lan)12.1-----(192.168.12.2/24)Pi2/TC2

Notes:
a) On the TC1-device/Pi1-gw, the default-gw will be configured as 192.168.11.1
b) On the R1-RTR wan-interface, the default-gw is configured as 172.16.100.1
c) On the R2-RTR wan-interface, the default-gw is configured as 172.16.100.101
d) On the TC2-device/Pi2-gw, the default-gw will be configured as 192.168.12.1



------------------
On R1-RTR
------------------
the Ipsec.conf file:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no
        charondebug="ike 1, chd 1, knl 1, cfg 1"

conn %default
        ikelifetime=24h
        lifetime=20h
        mobike=no
        dpddelay=60s
        dpdtimeout=240s
        dpdaction=clear
        reauth=no

conn toGREpeerR2
        left=172.16.100.101
        leftsubnet=172.16.100.101[gre]
        right=172.16.100.1
        rightsubnet=172.16.100.1[gre]
        leftauth=psk
        rightauth=psk
        leftid=172.16.100.101
        rightid=172.16.100.1
        keyexchange=ikev2
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1!
        type=tunnel
        auto=route


- the ipsec.secrets file

#the ipsec-secrets file
: PSK "test$123456789"
#172.16.100.101 172.16.100.1 : PSK "test$123456789"


- the GRE-tunnel config:

ip tunnel add gre1 mode gre local 172.16.100.101 remote 172.16.100.1 ttl 254
ip link set gre1 up
ip addr add 10.10.1.1/24 brd 10.10.1.255 dev gre1
ip link set gre1 multicast on

- add the route for Pi2/TC2 via the gre-tunnel as below

ip route add 192.168.12.0/24 dev gre1


Additional Notes:

- Generally there will be NAT/Masquerade also enabled on the wan-interface of the R1-router.
- And with the above config for the GRE-with-IPsec tunnel (irrespective of whether it's in tunnel-mode or transport-mode), the traffic to be forwarded through the gre-tunnel (where the entire GRE-encapsulated packet is then encrypted in IPsec) is not supposed to hit the nat-rule at all.
- But just in case there is an issue of the traffic from the Local TC/Pi to the Remote TC/Pi getting NATed, you can try adding the below iptables/fw rules ABOVE the NAT/MASQUERADE rule:

iptables -t nat -I POSTROUTING 1 -s 192.168.11.0/24 -d 192.168.12.0/24 -o wanIF -j ACCEPT
iptables -t nat -I POSTROUTING 2 -o wanIF -j MASQUERADE


- Also, for completeness and as a double-check, ensure that the below local-lan route is present in table 220 on R1-RTR (or add it after the tunnel is up):

ip route add 192.168.11.0/24 dev <lanIf> table 220



===================================================


------------------
On R2-RTR
------------------
the Ipsec.conf file:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no
        charondebug="ike 1, chd 1, knl 1, cfg 1"

conn %default
        ikelifetime=24h
        lifetime=20h
        mobike=no
        dpddelay=60s
        dpdtimeout=240s
        dpdaction=clear
        reauth=no

conn toGREpeerR1
        left=172.16.100.1
        leftsubnet=172.16.100.1[gre]
        right=172.16.100.101
        rightsubnet=172.16.100.101[gre]
        leftauth=psk
        rightauth=psk
        leftid=172.16.100.1
        rightid=172.16.100.101
        keyexchange=ikev2
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1!
        type=tunnel
        auto=route


- the ipsec.secrets file

#the ipsec-secrets file
: PSK "test$123456789"
#172.16.100.1 172.16.100.101 : PSK "test$123456789"


- the GRE-tunnel config:

ip tunnel add gre1 mode gre local 172.16.100.1 remote 172.16.100.101 ttl 254
ip link set gre1 up
ip addr add 10.10.1.2/24 brd 10.10.1.255 dev gre1
ip link set gre1 multicast on

- add the route for Pi1/TC1 via the gre-tunnel as below

ip route add 192.168.11.0/24 dev gre1


Additional Notes:

- Generally there will be NAT/Masquerade also enabled on the wan-interface of the R2-router.
- And with the above config for the GRE-with-IPsec tunnel (irrespective of whether it's in tunnel-mode or transport-mode), the traffic to be forwarded through the gre-tunnel (where the entire GRE-encapsulated packet is then encrypted in IPsec) is not supposed to hit the nat-rule at all.
- But just in case there is an issue of the traffic from the Local TC/Pi to the Remote TC/Pi getting NATed, you can try adding the below iptables/fw rules ABOVE the NAT/MASQUERADE rule:

iptables -t nat -I POSTROUTING 1 -s 192.168.12.0/24 -d 192.168.11.0/24 -o wanIF -j ACCEPT
iptables -t nat -I POSTROUTING 2 -o wanIF -j MASQUERADE



- Also, for completeness and as a double-check, ensure that the below local-lan route is present in table 220 on R2-RTR (or add it after the tunnel is up):

ip route add 192.168.12.0/24 dev <lanIf> table 220




================================================


Note: Also ensure that the TC-device and/or Pi-device are configured with an IP address and default-gw in the respective lan-network behind the Router-Rn.
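The selectors in the attachment (`172.16.100.101[gre]` / `172.16.100.1[gre]`) and the note that GRE traffic should never reach the MASQUERADE rule are easier to reason about when R1's forwarding path is traced step by step. The following is an added example, not Rajiv's configuration or strongSwan code: a small Python model that parses left/rightsubnet traffic selectors, routes a packet, applies the GRE outer header when the route points at gre1, evaluates the two POSTROUTING rules first-match, and finally checks what the IPsec policy sees. The addresses of R1, R2 and the two LANs are those from the attachment; the device names `wan0`/`lan0`, the external address 203.0.113.10 and the sample packets are constructed for this example.

```python
"""Trace a forwarded packet through R1 for GRE over IPsec (constructed model, not strongSwan code)."""
import ipaddress
import re

# IANA protocol numbers accepted as the [proto] suffix of a strongSwan traffic selector.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

# Accepts "172.16.100.1[gre]", "172.16.100.1/32[gre]" and "192.168.12.0/24[tcp/80]".
SELECTOR_RE = re.compile(r"^([0-9.]+)(?:/(\d{1,2}))?(?:\[([a-z0-9]+)(?:/(\d+))?\])?$")


def parse_selector(text):
    """Return (network, protocol or None, port or None) for a left/rightsubnet value.

    A bare address is a /32, as strongSwan treats it; no [proto] suffix means any protocol.
    """
    m = SELECTOR_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised traffic selector: {text!r}")
    addr, prefix, proto, port = m.groups()
    network = ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)
    proto_num = None
    if proto is not None:
        proto_num = int(proto) if proto.isdigit() else PROTO_NUMBERS.get(proto)
        if proto_num is None:
            raise ValueError(f"unknown protocol in selector: {proto!r}")
    return network, proto_num, int(port) if port else None


def selector_matches(selector, address, proto, port=None):
    """True if one address/protocol/port matches a parsed selector."""
    net, sel_proto, sel_port = selector
    if ipaddress.ip_address(address) not in net:
        return False
    if sel_proto is not None and sel_proto != proto:
        return False
    return sel_port is None or sel_port == port


def policy_matches(conn, src, dst, proto, dport=None):
    """Outbound policy on the 'left' host: src must match leftsubnet and dst rightsubnet."""
    return (selector_matches(parse_selector(conn["leftsubnet"]), src, proto)
            and selector_matches(parse_selector(conn["rightsubnet"]), dst, proto, dport))


def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, device) pairs; None if nothing matches."""
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def postrouting(rules, wan_ip, src, dst):
    """First-match evaluation of the nat POSTROUTING rules; returns the source after NAT."""
    for rule in rules:
        if rule["target"] == "ACCEPT":
            if (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])):
                return src  # exempted before MASQUERADE is reached
        elif rule["target"] == "MASQUERADE":
            return wan_ip
    return src


def egress(router, src, dst, proto, dport=None):
    """Route, GRE-encapsulate if the route points at gre1, NAT, then check the IPsec policy."""
    dev = route_lookup(router["routes"], dst)
    encapsulated = dev == router["gre"]["dev"]
    if encapsulated:
        # The XFRM policy only ever sees the GRE outer header: R1-wan -> R2-wan, protocol 47.
        src, dst, proto, dport = router["gre"]["local"], router["gre"]["remote"], PROTO_NUMBERS["gre"], None
        dev = route_lookup(router["routes"], dst)  # the outer packet is routed again, out the WAN
    nat_src = postrouting(router["nat"], router["wan_ip"], src, dst) if dev == router["wan_dev"] else src
    protected = policy_matches(router["conn"], nat_src, dst, proto, dport)
    return {"dev": dev, "encapsulated": encapsulated, "outer_dst": dst,
            "nat_src": nat_src, "protected": protected}


# R1 as described in the attachment; wan0/lan0 are constructed device names.
R1 = {
    "wan_dev": "wan0",
    "wan_ip": "172.16.100.101",
    "routes": [("0.0.0.0/0", "wan0"), ("172.16.100.0/24", "wan0"),
               ("192.168.11.0/24", "lan0"), ("192.168.12.0/24", "gre1")],
    "gre": {"dev": "gre1", "local": "172.16.100.101", "remote": "172.16.100.1"},
    "conn": {"leftsubnet": "172.16.100.101[gre]", "rightsubnet": "172.16.100.1[gre]"},
    "nat": [{"target": "ACCEPT", "src": "192.168.11.0/24", "dst": "192.168.12.0/24"},
            {"target": "MASQUERADE"}],
}

if __name__ == "__main__":
    # Pi1 -> Pi2 rides gre1, so the outer GRE packet matches the [gre] selectors and is protected.
    print(egress(R1, "192.168.11.2", "192.168.12.2", PROTO_NUMBERS["icmp"]))
    # Pi1 -> the internet takes the default route, is masqueraded and never enters IPsec.
    print(egress(R1, "192.168.11.2", "203.0.113.10", PROTO_NUMBERS["tcp"], 443))
```

The model shows why the `[gre]` selectors are sufficient: after encapsulation the source is already the WAN address, so MASQUERADE changes nothing even when it is hit, and the policy match depends only on the outer GRE header. A plain packet from the LAN to R2's WAN address, by contrast, is masqueraded and stays outside IPsec because its protocol is not 47.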




