[Openswan Users] Success with broadcast through GRE

Paul Wouters paul at xelerance.com
Fri Oct 7 22:56:55 CEST 2005


On Fri, 7 Oct 2005, Michael Jurney wrote:

> Openswan at this point has not been started.  Tcpdump on an intermediate 
> gateway shows GRE packets with private network packet payloads in the clear.
>
>> In other words, if the tunnel comes up, there is not going to be any 
>> plaintext traffic for the range specified in the tunnel. 
>
> Yes, but whether the openswan is started or not has no impact on the GRE 
> configuration - When an ipsec SA is established between 10.1.1.100 and 
> 10.2.2.100 ipsec encapsulation happens after GRE encapsulation.
>
> packet<->eth1<->tunnel0<->eth0(+ipsec)<->{routable 
> network}<->(ipsec+)eth0<->tunnel0<->eth1<->packet

How come private space IP addresses on both ends are visible *without* the
openswan tunnel? This is a gre tunnel within your own network? Usually,
when ipsec tunnels are down, and they are connecting private space IP
addresses, those hosts become unreachable.
In your case, you should add a firewall rule on ethX to block all
traffic from the inside IP address in the 172. range, so that the GRE
tunnel will not work without being protected by Openswan.

As noted by others, I think you are doing ipsec over gre, instead of
gre over ipsec.

Paul
-- 

"Happiness is never grand"

 	--- Mustapha Mond, World Controller (Brave New World)
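The fail-closed firewall rule Paul recommends above, written out as an added example (this is not from the thread, from Openswan, or from either poster). It assumes the outer interface is eth0, the GRE peer is 10.2.2.100 (the address used in the quoted mail), and that "the 172. range" means 172.16.0.0/12; all three are placeholders set via environment variables. The `-m policy` match relies on the kernel's native xfrm stack (Openswan with NETKEY); with KLIPS, decrypted packets show up on an `ipsecN` interface and you would match on `-i ipsec0` instead.

```shell
#!/bin/sh
# Added example: refuse to carry GRE on the outer interface unless the kernel's
# IPsec policy (ESP SA established by Openswan) already protects it. With these
# rules in place the GRE tunnel simply stops working when the SA is down,
# instead of leaking the private inner addresses in the clear.
#
# Placeholders (not from the thread): adjust for your own setup.
OUTER_IF="${OUTER_IF:-eth0}"          # interface towards the routable network
GRE_PEER="${GRE_PEER:-10.2.2.100}"    # remote GRE/IPsec endpoint
INNER_NET="${INNER_NET:-172.16.0.0/12}" # private prefix carried inside the tunnel

# gre_guard_rules print  -> echo the iptables commands (dry run, no root needed)
# gre_guard_rules apply  -> execute them (needs root)
gre_guard_rules() {
    mode="${1:-print}"
    if [ "$mode" = "apply" ]; then
        run() { "$@"; }
    else
        run() { echo "$*"; }
    fi

    # 1. Inbound GRE (IP protocol 47) from the peer is accepted only if the
    #    packet was decapsulated from ESP by the IPsec policy; any other GRE
    #    arriving on the outer interface is dropped.
    run iptables -A INPUT -i "$OUTER_IF" -p gre -s "$GRE_PEER" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run iptables -A INPUT -i "$OUTER_IF" -p gre -j DROP

    # 2. Outbound GRE is only allowed when the kernel will wrap it in ESP on the
    #    way out, so the tunnel never emits plaintext GRE while the SA is down.
    run iptables -A OUTPUT -o "$OUTER_IF" -p gre -d "$GRE_PEER" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    run iptables -A OUTPUT -o "$OUTER_IF" -p gre -j DROP

    # 3. The private prefix must never be forwarded un-encapsulated onto the
    #    outer interface (e.g. if the route via tunnel0 disappears).
    run iptables -A FORWARD -o "$OUTER_IF" -s "$INNER_NET" -j DROP
    run iptables -A FORWARD -o "$OUTER_IF" -d "$INNER_NET" -j DROP
}

# Stand-alone use: show the rules that would be installed.
gre_guard_rules print
```

A quick way to confirm the rules behave as intended is to stop Openswan, run tcpdump on the intermediate gateway as the original poster did, and check that no protocol-47 packets appear at all; once the SA is up, only ESP should be visible there.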

