[Openswan Users] Can't allow GRE passthrough IPSEC Linux to Cisco 1811
Steeve Juair
steeve.juair at derytelecom.ca
Mon Jan 22 09:51:44 EST 2007
I have some problems connecting a VPN IPSEC OVER GRE.
I have no problem connecting an IPSEC VPN LAN TO LAN, but
when I would like to use GRE OVER IPSEC I am not able to mount the
IPSEC TUNNEL to allow packets to pass through. Does anyone have any
tips or advice for this?
My current setup:
LAN A
WAN : 192.168.1.254/24
GW : 192.168.1.2
LAN : 10.0.0.1/24
TUNNEL : 172.16.0.2
LAN B
WAN : 192.168.2.254
GW : 192.168.2.1
LAN : 10.0.1.1/24
TUNNEL : 172.16.0.1
I want to be able to encrypt GRE OVER IPSEC.
-----------------
OPENSWAN CONFIG
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    plutodebug=all
    interfaces=%defaultroute
    # uniqueids=yes
    # plutodebug=all
    # nat_traversal=yes
    # klipsdebug=all
#
# Add connections here
#
conn vpnipsec
    type=tunnel
    auth=esp
    authby=secret
    pfs=no
    left=192.168.2.254
    leftsubnet=172.16.0.1/32
    leftnexthop=192.168.2.1
    right=192.168.1.254
    rightsubnet=172.16.0.2/32
    rightnexthop=192.168.1.1
    auto=start
    esp=3des-md5-96
    keyexchange=ike
    ike=3des-md5-96
------------------
Cisco Config
Building configuration...
Current configuration : 6722 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco1811-vpnipsec
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key secret address 192.168.2.254 255.255.255.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 192.168.2.254
set transform-set myset
match address 120
!
!
!
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
tunnel source FastEthernet0
tunnel destination 192.168.2.254
!
interface FastEthernet0
ip address 192.168.1.254 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description VLAN 1
ip address 10.0.0.1 255.255.255.0
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.0.1.0 255.255.255.0 172.16.0.1
!
!
!
access-list 120 remark VPN INTERFACE WAN
access-list 120 permit gre host 192.168.2.254 host 192.168.1.254
access-list 120 permit esp host 192.168.2.254 host 192.168.1.254
access-list 120 permit udp host 192.168.2.254 eq isakmp host 192.168.1.254
access-list 120 deny ip any any log
no cdp run
!
!
!
!
!
!
control-plane
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
------------------
Cisco Debug crypto ipsec isakmp
*Jan 22 14:32:23.550: %SYS-5-CONFIG_I: Configured from console by console
cisco1811-vpnipsec#
*Jan 22 14:32:27.454: ISAKMP (0:2103): received packet from
192.168.2.254 dport 500 sport 500 Global (R) QM_IDLE
*Jan 22 14:32:27.454: ISAKMP:(2103): phase 2 packet is a duplicate of a
previous packet.
*Jan 22 14:32:27.454: ISAKMP:(2103): retransmitting due to retransmit
phase 2
*Jan 22 14:32:27.454: ISAKMP:(2103): ignoring retransmission,because
phase2 node marked dead -872162751
*Jan 22 14:32:34.162: ISAKMP (0:2103): received packet from
192.168.2.254 dport 500 sport 500 Global (R) QM_IDLE
*Jan 22 14:32:34.166: ISAKMP: set new node -222371319 to QM_IDLE
*Jan 22 14:32:34.166: ISAKMP:(2103): processing HASH payload. message ID
= -222371319
*Jan 22 14:32:34.166: ISAKMP:(2103): processing DELETE payload. message
ID = -222371319
*Jan 22 14:32:34.166: ISAKMP:(2103):peer does not do paranoid keepalives.
*Jan 22 14:32:34.166: ISAKMP:(2103):deleting SA reason "No reason" state
(R) QM_IDLE (peer 192.168.2.254)
*Jan 22 14:32:34.166: ISAKMP:(2103):deleting node -222371319 error FALSE
reason "Informational (in) state 1"
*Jan 22 14:32:34.166: ISAKMP: set new node -398468487 to QM_IDLE
*Jan 22 14:32:34.166: ISAKMP:(2103): sending packet to 192.168.2.254
my_port 500 peer_port 500 (R) QM_IDLE
*Jan 22 14:32:34.166: ISAKMP:(2103):purging node -398468487
*Jan 22 14:32:34.166: ISAKMP:(2103):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_DEL
*Jan 22 14:32:34.166: ISAKMP:(2103):Old State = IKE_P1_COMPLETE New
State = IKE_DEST_SA
*Jan 22 14:32:34.166: ISAKMP:(2103):deleting SA reason "No reason" state
(R) QM_IDLE (peer 192.168.2.254)
*Jan 22 14:32:34.166: ISAKMP: Unlocking peer struct 0x84699B80 for
isadb_mark_sa_deleted(), count 0
*Jan 22 14:32:34.166: ISAKMP: Deleting peer node by peer_reap for
192.168.2.254: 84699B80
*Jan 22 14:32:34.166: ISAKMP:(2103):deleting node -872162751 error FALSE
reason "IKE deleted"
*Jan 22 14:32:34.166: ISAKMP:(2103):deleting node -222371319 error FALSE
reason "IKE deleted"
*Jan 22 14:32:34.166: ISAKMP:(2103):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 22 14:32:34.166: ISAKMP:(2103):Old State = IKE_DEST_SA New State =
IKE_DEST_SA
*Jan 22 14:32:34.166: IPSEC(key_engine): got a queue event with 1 KMI
message(s)
*Jan 22 14:32:45.446: ISAKMP (0:0): received packet from 192.168.2.254
dport 500 sport 500 Global (N) NEW SA
*Jan 22 14:32:45.446: ISAKMP: Created a peer struct for 192.168.2.254,
peer port 500
*Jan 22 14:32:45.446: ISAKMP: New peer created peer = 0x8384A6A0
peer_handle = 0x80000017
*Jan 22 14:32:45.446: ISAKMP: Locking peer struct 0x8384A6A0, refcount 1
for crypto_isakmp_process_block
*Jan 22 14:32:45.446: ISAKMP: local port 500, remote port 500
*Jan 22 14:32:45.446: ISAKMP: Find a dup sa in the avl tree during
calling isadb_insert sa = 83BAB1AC
*Jan 22 14:32:45.446: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 22 14:32:45.446: ISAKMP:(0):Old State = IKE_READY New State =
IKE_R_MM1
*Jan 22 14:32:45.446: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 22 14:32:45.446: ISAKMP:(0): processing vendor id payload
*Jan 22 14:32:45.446: ISAKMP:(0): vendor ID seems Unity/DPD but major 0
mismatch
*Jan 22 14:32:45.446: ISAKMP:(0): processing vendor id payload
*Jan 22 14:32:45.446: ISAKMP:(0): vendor ID is DPD
*Jan 22 14:32:45.446: ISAKMP:(0):found peer pre-shared key matching
192.168.2.254
*Jan 22 14:32:45.446: ISAKMP:(0): local preshared key found
*Jan 22 14:32:45.446: ISAKMP : Scanning profiles for xauth ...
*Jan 22 14:32:45.446: ISAKMP:(0):Checking ISAKMP transform 0 against
priority 1 policy
*Jan 22 14:32:45.446: ISAKMP: life type in seconds
*Jan 22 14:32:45.446: ISAKMP: life duration (basic) of 3600
*Jan 22 14:32:45.446: ISAKMP: encryption 3DES-CBC
*Jan 22 14:32:45.446: ISAKMP: hash MD5
*Jan 22 14:32:45.446: ISAKMP: auth pre-share
*Jan 22 14:32:45.446: ISAKMP: default group 5
*Jan 22 14:32:45.446: ISAKMP:(0):Diffie-Hellman group offered does not
match policy!
*Jan 22 14:32:45.446: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 22 14:32:45.446: ISAKMP:(0):Checking ISAKMP transform 1 against
priority 1 policy
*Jan 22 14:32:45.446: ISAKMP: life type in seconds
*Jan 22 14:32:45.446: ISAKMP: life duration (basic) of 3600
*Jan 22 14:32:45.446: ISAKMP: encryption 3DES-CBC
*Jan 22 14:32:45.446: ISAKMP: hash MD5
*Jan 22 14:32:45.446: ISAKMP: auth pre-share
*Jan 22 14:32:45.446: ISAKMP: default group 2
*Jan 22 14:32:45.446: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan 22 14:32:45.446: ISAKMP:(0): processing vendor id payload
*Jan 22 14:32:45.446: ISAKMP:(0): vendor ID seems Unity/DPD but major 0
mismatch
*Jan 22 14:32:45.446: ISAKMP:(0): processing vendor id payload
*Jan 22 14:32:45.446: ISAKMP:(0): vendor ID is DPD
*Jan 22 14:32:45.446: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Jan 22 14:32:45.446: ISAKMP:(0):Old State = IKE_R_MM1 New State =
IKE_R_MM1
*Jan 22 14:32:45.450: ISAKMP:(0): sending packet to 192.168.2.254
my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jan 22 14:32:45.450: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
*Jan 22 14:32:45.450: ISAKMP:(0):Old State = IKE_R_MM1 New State =
IKE_R_MM2
*Jan 22 14:32:48.030: ISAKMP (0:0): received packet from 192.168.2.254
dport 500 sport 500 Global (R) MM_SA_SETUP
*Jan 22 14:32:48.030: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 22 14:32:48.030: ISAKMP:(0):Old State = IKE_R_MM2 New State =
IKE_R_MM3
*Jan 22 14:32:48.030: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 22 14:32:48.034: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan 22 14:32:48.034: ISAKMP:(0):found peer pre-shared key matching
192.168.2.254
*Jan 22 14:32:48.034: ISAKMP:(2104):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Jan 22 14:32:48.034: ISAKMP:(2104):Old State = IKE_R_MM3 New State =
IKE_R_MM3
*Jan 22 14:32:48.034: ISAKMP:(2104): sending packet to 192.168.2.254
my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 22 14:32:48.034: ISAKMP:(2104):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
*Jan 22 14:32:48.034: ISAKMP:(2104):Old State = IKE_R_MM3 New State =
IKE_R_MM4
*Jan 22 14:32:50.638: ISAKMP (0:2104): received packet from
192.168.2.254 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jan 22 14:32:50.638: ISAKMP:(2104):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 22 14:32:50.638: ISAKMP:(2104):Old State = IKE_R_MM4 New State =
IKE_R_MM5
*Jan 22 14:32:50.638: ISAKMP:(2104): processing ID payload. message ID = 0
*Jan 22 14:32:50.638: ISAKMP (0:2104): ID payload
next-payload : 8
type : 1
address : 192.168.2.254
protocol : 0
port : 0
length : 12
*Jan 22 14:32:50.638: ISAKMP:(0):: peer matches *none* of the profiles
*Jan 22 14:32:50.638: ISAKMP:(2104): processing HASH payload. message ID = 0
*Jan 22 14:32:50.638: ISAKMP:(2104):SA authentication status:
authenticated
*Jan 22 14:32:50.638: ISAKMP:(2104):SA has been authenticated with
192.168.2.254
*Jan 22 14:32:50.638: ISAKMP: Trying to insert a peer
192.168.1.254/192.168.2.254/500/, and inserted successfully 8384A6A0.
*Jan 22 14:32:50.638: ISAKMP:(2104):IKE_DPD is enabled, initializing timers
*Jan 22 14:32:50.638: ISAKMP:(2104):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
*Jan 22 14:32:50.638: ISAKMP:(2104):Old State = IKE_R_MM5 New State =
IKE_R_MM5
*Jan 22 14:32:50.642: ISAKMP:(2104):SA is doing pre-shared key
authentication using id type ID_IPV4_ADDR
*Jan 22 14:32:50.642: ISAKMP (0:2104): ID payload
next-payload : 8
type : 1
address : 192.168.1.254
protocol : 17
port : 500
length : 12
*Jan 22 14:32:50.642: ISAKMP:(2104):Total payload length: 12
*Jan 22 14:32:50.642: ISAKMP:(2104): sending packet to 192.168.2.254
my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jan 22 14:32:50.642: ISAKMP:(2104):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
*Jan 22 14:32:50.642: ISAKMP:(2104):Old State = IKE_R_MM5 New State =
IKE_P1_COMPLETE
*Jan 22 14:32:50.642: ISAKMP:(2104):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
*Jan 22 14:32:50.642: ISAKMP:(2104):Old State = IKE_P1_COMPLETE New
State = IKE_P1_COMPLETE
*Jan 22 14:32:53.658: ISAKMP (0:2104): received packet from
192.168.2.254 dport 500 sport 500 Global (R) QM_IDLE
*Jan 22 14:32:53.658: ISAKMP: set new node 417444911 to QM_IDLE
*Jan 22 14:32:53.658: ISAKMP:(2104): processing HASH payload. message ID
= 417444911
*Jan 22 14:32:53.658: ISAKMP:(2104): processing SA payload. message ID =
417444911
*Jan 22 14:32:53.658: ISAKMP:(2104):Checking IPSec proposal 0
*Jan 22 14:32:53.658: ISAKMP: transform 0, ESP_3DES
*Jan 22 14:32:53.658: ISAKMP: attributes in transform:
*Jan 22 14:32:53.658: ISAKMP: encaps is 1 (Tunnel)
*Jan 22 14:32:53.658: ISAKMP: SA life type in seconds
*Jan 22 14:32:53.658: ISAKMP: SA life duration (basic) of 28800
*Jan 22 14:32:53.658: ISAKMP: authenticator is HMAC-MD5
*Jan 22 14:32:53.658: ISAKMP:(2104):atts are acceptable.
*Jan 22 14:32:53.658: IPSEC(validate_proposal_request): proposal part #1
*Jan 22 14:32:53.658: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.1.254, remote= 192.168.2.254,
local_proxy= 172.16.0.2/255.255.255.255/0/0 (type=1),
remote_proxy= 172.16.0.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 22 14:32:53.658: IPSEC(crypto_ipsec_process_proposal): proxy
identities not supported
*Jan 22 14:32:53.658: ISAKMP:(2104): IPSec policy invalidated proposal
with error 32
*Jan 22 14:32:53.658: ISAKMP:(2104): phase 2 SA policy not acceptable!
(local 192.168.1.254 remote 192.168.2.254)
*Jan 22 14:32:53.658: ISAKMP: set new node -73935376 to QM_IDLE
Regards,
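The debug output above ends in "proxy identities not supported": the Phase 2 proposal Openswan sends (172.16.0.2/32 local to the Cisco, 172.16.0.1/32 remote, any protocol) is compared by the Cisco against crypto ACL 120, which only lists GRE between the two WAN addresses, so no entry covers it. The following Python is an added example, not code from the post or from either project; it models that comparison for the posted configs and for a constructed pair that agrees, assuming the usual IOS rule that a crypto ACL's source is the local side, and the conn name gre-over-ipsec and the helper names are mine.

```python
import ipaddress
import re
PROTO = {"ip": 0, "gre": 47, "esp": 50, "udp": 17, "tcp": 6}

# Inputs copied from the post: the relevant lines of conn vpnipsec and ACL 120.
POSTED_CONN = """conn vpnipsec
    left=192.168.2.254
    leftsubnet=172.16.0.1/32
    right=192.168.1.254
    rightsubnet=172.16.0.2/32"""
POSTED_ACL = ["access-list 120 permit gre host 192.168.2.254 host 192.168.1.254"]

# Constructed counter-example (not from the post): both sides describe the same
# GRE flow, with the Cisco's own address as the crypto ACL source (local side).
AGREEING_CONN = """conn gre-over-ipsec
    left=192.168.2.254
    leftsubnet=192.168.2.254/32
    leftprotoport=47
    right=192.168.1.254
    rightsubnet=192.168.1.254/32
    rightprotoport=47"""
AGREEING_ACL = ["access-list 120 permit gre host 192.168.1.254 host 192.168.2.254"]

def parse_conn(text):
    """key=value pairs of one ipsec.conf conn block."""
    return dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))

def proposal_seen_by(conn, cisco_ip):
    """Proxy identities the Cisco responder sees: local = the subnet on its own
    side, remote = the subnet behind Openswan; no *protoport means proto 0 (any)."""
    if conn["right"] == cisco_ip:
        local, remote = conn["rightsubnet"], conn["leftsubnet"]
    else:
        local, remote = conn["leftsubnet"], conn["rightsubnet"]
    proto = int(conn.get("leftprotoport", "0").split("/")[0])
    return ipaddress.ip_network(local), ipaddress.ip_network(remote), proto

def parse_crypto_acl(lines):
    """(local_net, remote_net, proto) per host-to-host permit entry; in a crypto
    ACL the source is the local side. Port-qualified entries are skipped."""
    pat = re.compile(r"access-list \d+ permit (\w+) host (\S+) host (\S+)$")
    return [(ipaddress.ip_network(m[2] + "/32"), ipaddress.ip_network(m[3] + "/32"),
             PROTO[m[1]]) for m in map(pat.match, lines) if m]

def acl_covers(proposal, entries):
    """True if some entry covers the proposed nets and protocol: an 'ip' entry
    covers any protocol, but a 'gre' entry does not cover a proto-0 proposal."""
    loc, rem, proto = proposal
    return any(loc.subnet_of(l) and rem.subnet_of(r) and p in (0, proto)
               for l, r, p in entries)
```

Running acl_covers on the posted pair reproduces the rejection seen in the debug, while the constructed pair is accepted.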