[Openswan Users] GRE over IPSec to Cisco problems

John Serink jserink2004 at yahoo.com
Sun Jul 16 11:31:57 CEST 2006


Hi All:

Ok, here is my setup:
Linux Side ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        interfaces=%defaultroute
        uniqueids=yes

# Add connections here

conn GDC1
        authby=secret
        auto=start
        left=%defaultroute
        leftsourceip=192.168.1.97
        leftid=@rx1000test
        leftsubnet=192.168.1.96/28
        ike=aes128-md5-modp1024
        esp=aes128-md5
        right=160.96.97.248
        rightsubnet=192.168.1.0/28
        rightsourceip=192.168.1.1
        type=tunnel
        pfs=yes
        keyingtries=0
        dpddelay=30
        dpdtimeout=90
        dpdaction=clear

        #Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

With no GRE, this works fine with the Cisco.
Here are the Tunnel configs:
Linux Side:
modprobe ip_gre
ip tunnel add GDC1 mode gre remote 192.168.1.1 local 192.168.1.97 ttl 255
ip link set GDC1 up
ip addr add 192.168.2.97 dev GDC1

Note: I've not yet added a route, I want to get the
tunnel up and pinging first.

Cisco interface Tunnel6
 ip address 192.168.2.110 255.255.255.240
 tunnel source GigabitEthernet0/1
 tunnel destination 192.168.1.97

Ok, now I have debug tunnels on, on the Cisco, and on
the Linux, tcpdump -i ppp1 not tcp port 22.
When I ping from the Linux to the Cisco, here is what I
get:
rx1000test:~# ping 192.168.2.110 -w 4
PING 192.168.2.110 (192.168.2.110) 56(84) bytes of data.

--- 192.168.2.110 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3001ms

TCPDUMP:
01:21:19.845754 IP adsl1500-17.dyn98.pacific.net.sg > 192.168.2.110: icmp 64: echo request seq 1
01:21:20.847192 IP adsl1500-17.dyn98.pacific.net.sg > 192.168.2.110: icmp 64: echo request seq 2
01:21:21.847040 IP adsl1500-17.dyn98.pacific.net.sg > 192.168.2.110: icmp 64: echo request seq 3
01:21:22.846938 IP adsl1500-17.dyn98.pacific.net.sg > 192.168.2.110: icmp 64: echo request seq 4

Cisco Debug Output:
None, nothing showed up.

Now, when I ping from the cisco to the Linux:
SirentRouter#ping 192.168.2.97

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.97, timeout is 2 seconds:

*Jul 16 17:31:00.968: Tunnel6: GRE/IP encapsulated 192.168.1.1->192.168.1.97 (linktype=7, len=124).
*Jul 16 17:31:02.968: Tunnel6: GRE/IP encapsulated 192.168.1.1->192.168.1.97 (linktype=7, len=124).
*Jul 16 17:31:04.968: Tunnel6: GRE/IP encapsulated 192.168.1.1->192.168.1.97 (linktype=7, len=124).
*Jul 16 17:31:06.968: Tunnel6: GRE/IP encapsulated 192.168.1.1->192.168.1.97 (linktype=7, len=124).
*Jul 16 17:31:08.968: Tunnel6: GRE/IP encapsulated 192.168.1.1->192.168.1.97 (linktype=7, len=124).
Success rate is 0 percent (0/5)

TCPDUMP:

01:23:12.355291 IP 160.96.97.248 > adsl1500-17.dyn98.pacific.net.sg: ESP(spi=0x5729d338,seq=0x50)
01:23:12.355291 IP 192.168.1.1 > 192.168.1.97: IP 192.168.2.110 > 192.168.2.97: icmp 80: echo request seq 1
01:23:12.356942 IP 192.168.2.97 > 192.168.2.110: icmp 80: echo reply seq 1
01:23:14.357966 IP 160.96.97.248 > adsl1500-17.dyn98.pacific.net.sg: ESP(spi=0x5729d338,seq=0x51)
01:23:14.357966 IP 192.168.1.1 > 192.168.1.97: IP 192.168.2.110 > 192.168.2.97: icmp 80: echo request seq 2
01:23:14.359619 IP 192.168.2.97 > 192.168.2.110: icmp 80: echo reply seq 2
01:23:16.273299 IP adsl1500-17.dyn98.pacific.net.sg.isakmp > 160.96.97.248.isakmp: isakmp: phase 2/others ? inf[E]
01:23:16.290605 IP 160.96.97.248.isakmp > adsl1500-17.dyn98.pacific.net.sg.isakmp: isakmp: phase 2/others ? inf[E]
01:23:16.355673 IP 160.96.97.248 > adsl1500-17.dyn98.pacific.net.sg: ESP(spi=0x5729d338,seq=0x52)
01:23:16.355673 IP 192.168.1.1 > 192.168.1.97: IP 192.168.2.110 > 192.168.2.97: icmp 80: echo request seq 3
01:23:16.357130 IP 192.168.2.97 > 192.168.2.110: icmp 80: echo reply seq 3
01:23:18.358878 IP 160.96.97.248 > adsl1500-17.dyn98.pacific.net.sg: ESP(spi=0x5729d338,seq=0x53)
01:23:18.358878 IP 192.168.1.1 > 192.168.1.97: IP 192.168.2.110 > 192.168.2.97: icmp 80: echo request seq 4
01:23:18.360337 IP 192.168.2.97 > 192.168.2.110: icmp 80: echo reply seq 4

It looks almost perfect. I get an encrypted GRE ping
from the cisco side, Linux receives the echo request
and responds but it does not appear to be getting
encrypted. And that I think is the problem. 

Shorewall is not involved; nothing showed up in the
syslog during the tests. I think I have that all sorted.

Anyone have any ideas on how to fix this?

Cheers,
John
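The captures above are the kind of evidence worth checking mechanically: which packets on the underlay interface are ESP, which are the decrypted inbound copies tcpdump prints beside them, and which touch a tunnel or protected range in the clear. The following is an added example (not code from the post or from Openswan), Python 3.8+, using the addresses from the post; it assumes the GRE inner range is 192.168.2.96/28, derived from the Cisco mask 255.255.255.240.

```python
import ipaddress
import re

# Ranges that must only cross the underlay inside ESP. From the post: leftsubnet,
# rightsubnet, and (assumed) the GRE inner /28 implied by the Cisco mask 255.255.255.240.
PROTECTED = [ipaddress.ip_network(n) for n in
             ("192.168.1.96/28", "192.168.1.0/28", "192.168.2.96/28")]
# tcpdump line shape: "<time> IP <src> > <dst>: <rest>"; src/dst may carry ".port".
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def to_ip(token):
    """Host token to IP address, dropping a '.port' suffix; hostnames give None."""
    for cand in (token, token.rsplit(".", 1)[0]):
        try:
            return ipaddress.ip_address(cand)
        except ValueError:
            pass
    return None

def classify(line):
    """Return (kind, src, dst) or None. kind: 'esp', 'ike', 'gre-inner' (the
    decrypted inbound copy printed beside its ESP packet) or 'clear'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, rest = m.groups()
    kind = ("esp" if rest.startswith("ESP(") else "ike" if "isakmp" in rest
            else "gre-inner" if rest.startswith("IP ") else "clear")
    return kind, to_ip(src), to_ip(dst)

def find_leaks(lines):
    """Cleartext packets touching a protected range: traffic the IPsec policy
    should have matched but that crossed the underlay unencrypted."""
    def protected(addr):
        return addr is not None and any(addr in net for net in PROTECTED)
    return [ln for ln in lines if (p := classify(ln)) and p[0] == "clear"
            and (protected(p[1]) or protected(p[2]))]

# Constructed sample: wrapped lines from the post's two captures, re-joined.
SAMPLE = [
    "01:21:19.845754 IP adsl1500-17.dyn98.pacific.net.sg > 192.168.2.110: icmp 64: echo request seq 1",
    "01:23:12.355291 IP 160.96.97.248 > adsl1500-17.dyn98.pacific.net.sg: ESP(spi=0x5729d338,seq=0x50)",
    "01:23:12.355291 IP 192.168.1.1 > 192.168.1.97: IP 192.168.2.110 > 192.168.2.97: icmp 80: echo request seq 1",
    "01:23:12.356942 IP 192.168.2.97 > 192.168.2.110: icmp 80: echo reply seq 1",
    "01:23:16.273299 IP adsl1500-17.dyn98.pacific.net.sg.isakmp > 160.96.97.248.isakmp: isakmp: phase 2/others ? inf[E]",
]

if __name__ == "__main__":
    print(*find_leaks(SAMPLE), sep="\n")
```

On this sample both the echo requests sent from the Linux side and its echo replies are flagged: they reach ppp1 as plain ICMP between tunnel addresses, with neither a GRE outer header nor ESP around them.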

