[strongSwan] GRE Strongswan Question
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Fri Jan 7 16:51:16 CET 2022
Hi
Check the sample-config/info in the attached doc. Maybe it will help
One thing i check from my experience (especially for tunnel-mode ipsec) is
that on the R1 and R2, eventhough they may be connected
back-to-back/in-same-subnet (as per your config posted), you should still
ensure that the "default-route/default-gw" is configured/added on each of
the routers....
hope this is of some help
thanks & regards
Rajiv
On Sat, Dec 11, 2021 at 1:13 AM Makarand Pradhan <MakarandPradhan at is5com.com>
wrote:
> Hello Everyone,
>
> This email is regarding GRE over IPSec. I'm observing some interesting
> behaviour which I am not able to understand. Would highly appreciate your
> views.
>
> Issue:
> GRE over IPSec works in tunnel mode when I use raspberry Pis as end
> devices.
> Pi on LAN<--> R1 Router running strongswan <-Internet--> R2 Router running
> strongswan <--> Pi on LAN
>
> When I try to use Spirent ports instead of Pis, only transport mode works.
> Tunnel mode does not push GRE packets into IPSec tunnel.
>
> Question:
> Can anyone give a hint as to why tunnel mode would work when the end
> points are Pis?
> Or Why Spirent traffic only supports transport?
>
> The relevant configuration is given below
>
> Linux strongSwan U5.8.2/K4.1.35-rt41
>
> R1:
> Ipsec.conf
> right=172.16.100.101
> rightid=172.16.100.101
> rightsubnet=172.16.100.101/32[gre]
> <http://172.16.100.101/32%5Bgre%5D>
> left=172.16.100.1
> leftid=172.16.100.1
> leftsubnet=172.16.100.1/32[gre] <http://172.16.100.1/32%5Bgre%5D>
>
> ip a s tunnel1
> 19: tunnel1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
> state UNKNOWN group default
> link/gre 172.16.100.1 peer 172.16.100.101
> inet 10.10.1.1/24 scope global tunnel1
> valid_lft forever preferred_lft forever
>
> R2:
> Ipsec.conf
> right=172.16.100.1
> rightid=172.16.100.1
> rightsubnet=172.16.100.1/32[gre] <http://172.16.100.1/32%5Bgre%5D>
> left=172.16.100.101
> leftid=172.16.100.101
> leftsubnet=172.16.100.101/32[gre]
> <http://172.16.100.101/32%5Bgre%5D>
>
> ip a s tunnel1
> 19: tunnel1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
> state UNKNOWN group default
> link/gre 172.16.100.101 peer 172.16.100.1
> inet 10.10.1.2/24 scope global tunnel1
> valid_lft forever preferred_lft forever
>
>
> Thanks.
>
> Kind rgds,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
> 5895 Ambler Dr,
> Mississauga, Ontario
> L4W 5B7
> Main Line: +1-844-520-0588 Ext. 129
> Direct Line: +1-289-724-2296
> Cell: +1-226-501-5666
> Fax:+1-289-401-5206
> Email: makarandpradhan at is5com.com
> Website: www.iS5Com.com
>
>
> Confidentiality Notice:
> This message is intended only for the named recipients. This message may
> contain information that is confidential and/or exempt from disclosure
> under applicable law. Any dissemination or copying of this message by
> anyone other than a named recipient is strictly prohibited. If you are not
> a named recipient or an employee or agent responsible for delivering this
> message to a named recipient, please notify us immediately, and permanently
> destroy this message and any copies you may have. Warning: Email may not be
> secure unless properly encrypted.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220107/b0cfac21/attachment.html>
-------------- next part --------------
Network-Deployment
-----------------
Pi on LAN<--> R1 Router running strongswan <-Internet--> R2 Router running strongswan <--> Pi on LAN
Above setup Is equivalne to below:
TC1/Pi1(192.168.11.2/24)---11.1(lan)[R1-RTR](wan)172.16.100.101-----internet/wan-network----172.16.100.1(wan)[R2-RTR](lan)12.1-----(192.168.12.2/24)Pi2/TC2
Notes:
a) On the TC1-device/Pi1-gw, the default-gw will be configured as 192.168.11.1
b) On the R1-RTR wan-interface, the default-gw is configured as 172.16.100.1
c) On the R2-RTR wan-interface, the default-gw is configured as 172.16.100.101
d) On the TC2-device/Pi2-gw, the default-gw will be configured as 192.168.12.1
------------------
On R1-RTR
---------------
the Ipsec.conf file:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
charondebug="ike 1, chd 1, knl 1, cfg 1"
conn %default
ikelifetime=24h
lifetime=20h
mobike=no
dpddelay=60s
dpdtimeout=240s
dpdaction=clear
reauth=no
conn toGREpeerR2
left=172.16.100.101
leftsubnet=172.16.100.101[gre]
right=172.16.100.1
rightsubnet=172.16.100.1[gre]
leftauth=psk
rightauth=psk
leftid=172.16.100.101
rightid=172.16.100.1
keyexchange=ikev2
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
type=tunnel
auto=route
- the ipsec.secrets file
#the ipsec-secrets file
: PSK "test$123456789"
#172.16.100.101 172.16.100.1 : PSK "test$123456789"
- the GRE-tunnel config:
ip tunnel add gre1 mode gre local 172.16.100.101 remote 172.16.100.1 ttl 254
ip link set gre1 up
ip addr add 10.10.1.1/24 brd 10.10.1.255 dev gre1
ip link set gre1 multicast on
- add the route for Pi2/TC2 via the gre-tunnel as below
ip route add 192.168.12.0/24 dev gre1
Additional Notes:
- Generally there will be NAT/Masquerade also enabled on the wan-interface of the R1-router.
- And with above config for GRE-wIPsec tunnel (irrespective of whether its in tunnel-mode or transport-mode), the traffic to be forwarded thru the gre-tunnel (and then the entire GRE-encapsulated packet is encrypted in ipsec) is not supposed to hit the nat-rule at all
- But just in case, if there is an issue of the traffic from Local TC/Pi to Remote TC/Pi getting NATed, you can try by adding the below iptables/fw rules ABOVE the NAT/MASQUERADE rule
iptables -t nat -I POSTROUTING 1 -s 192.168.11.0/24 -d 192.168.12.0/24 -o wanIF-j ACCEPT
iptables -t nat -I POSTROUTING 2 -o wanIF -j MASQUERADE
- Also just for completion and double-check, ensure that this below local-lan route is present in table 220 on R1-RTR (or add it after the tunnel is up)
ip route add 192.168.11.0/24 dev <lanIf> table 220
===================================================
------------------
On R2-RTR
---------------
the Ipsec.conf file:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
charondebug="ike 1, chd 1, knl 1, cfg 1"
conn %default
ikelifetime=24h
lifetime=20h
mobike=no
dpddelay=60s
dpdtimeout=240s
dpdaction=clear
reauth=no
conn toGREpeerR1
left=172.16.100.1
leftsubnet=172.16.100.1[gre]
right=172.16.100.101
rightsubnet=172.16.100.101[gre]
leftauth=psk
rightauth=psk
leftid=172.16.100.1
rightid=172.16.100.101
keyexchange=ikev2
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
type=tunnel
auto=route
- the ipsec.secrets file
#the ipsec-secrets file
: PSK "test$123456789"
#172.16.100.1 172.16.100.101 : PSK "test$123456789"
- the GRE-tunnel config:
ip tunnel add gre1 mode gre local 172.16.100.1 remote 172.16.100.101 ttl 254
ip link set gre1 up
ip addr add 10.10.1.2/24 brd 10.10.1.255 dev gre1
ip link set gre1 multicast on
- add the route for Pi1/TC1 via the gre-tunnel as below
ip route add 192.168.11.0/24 dev gre1
Additional Notes:
- Generally there will be NAT/Masquerade also enabled on the wan-interface of the R2-router.
- And with above config for GRE-wIPsec tunnel (irrespective of whether its in tunnel-mode or transport-mode), the traffic to be forwarded thru the gre-tunnel (and then the entire GRE-encapsulated packet is encrypted in ipsec) is not supposed to hit the nat-rule at all
- But just in case, if there is an issue of the traffic from Local TC/Pi to Remote TC/Pi getting NATed, you can try by adding the below iptables/fw rules ABOVE the NAT/MASQUERADE rule
iptables -t nat -I POSTROUTING 1 -s 192.168.12.0/24 -d 192.168.11.0/24 -o wanIF-j ACCEPT
iptables -t nat -I POSTROUTING 2 -o wanIF -j MASQUERADE
- Also just for completion and double-check, ensure that this below local-lan route is present in table 220 on R2-RTR (or add it after the tunnel is up)
ip route add 192.168.12.0/24 dev <lanIf> table 220
================================================
Note: Also ensure that the TC-device and/or Pi-device are configured with the ipaddress & default-gw in the respective lan-network behind the Router-Rn
More information about the Users
mailing list