[Openswan Users] GRE over IPSec - Cisco endpoint

Tom Stockton tom at stocktons.org.uk
Fri Dec 18 08:13:42 EST 2009

I'm trying to connect to a third party's Cisco using Openswan, they
are running a configuration very similar to that described here ..


The third party are running the 'hub' and I'm trying to connect as one
of the remote sites.  The third party network engineer has advised me
that other customers have previously tried and failed to connect using
freeswan/openswan, however I'm determined to give it a go.

I can't get past phase 2 at the moment, but apparently this is because
phase 2 runs over GRE (I don't understand how this would work, but
this is how I'm told the cisco implementation operates).

Third party endpoint:
Third party subnet:,

Our endpoint:
Our subnet:

The relevant bits from the IOS config that would work are:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key <password> address
crypto ipsec transform-set ThirdParty_transform esp-3des esp-md5-hmac
crypto map ThirdParty_IPSec 10 ipsec-isakmp
 set peer
 set transform-set ThirdParty_transform
 set pfs group2
 match address ThirdParty_encrypt
interface Tunnel0
 description - IPSec encryted GRE to ThirdParty -
 ip unnumbered FastEthernet4
 tunnel source FastEthernet4
 tunnel destination
 crypto map ThirdParty_IPSec
ip route Tunnel0
ip route Tunnel0
ip access-list extended ThirdParty_encrypt
 permit gre host host

My ipsec.conf (not working) currently looks like this ..

conn ThirdParty

I haven't attempted to do any GRE yet but I don't understand how I
would do it as part of the IPSec connection.  I can understand making
a GRE connection after the IPSec tunnel was set up, but in this case the
IPSec and GRE endpoints are the same IP addresses, so I don't
understand how I could route the GRE connection through the IPSec
tunnel without breaking IPSec?

I could buy a cisco device (we already have one for another connection
to the same third party in a different colo) but that would be no fun.

Any advice much appreciated.


Tom Stockton
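An added example, not part of Tom's post and not from Openswan's own documentation: the IOS config above attaches the crypto map to Tunnel0 and matches `permit gre host <A> host <B>`, so the phase 2 selector the Cisco proposes is "IP protocol 47 (GRE) between the two endpoint addresses", not the subnets behind them. On the Openswan side that is expressed with `leftprotoport`/`rightprotoport` on a host-to-host conn; the remote subnets are then routed over a Linux GRE tunnel whose packets are what the IPsec SA protects. All addresses, the conn name reuse and the `ike=`/`esp=` proposals below are placeholders or assumptions: the IOS `crypto isakmp policy 10` shown is abridged, so the phase 1 proposal must be confirmed with the peer.

```conf
# /etc/ipsec.conf fragment (example, assumed values marked <...>)
conn ThirdParty
    # Host-to-host SA: both ends are the same IPs used for GRE, so no
    # leftsubnet/rightsubnet; the selector is the protocol, not a prefix.
    left=<OUR_ENDPOINT>
    right=<THIRDPARTY_ENDPOINT>
    # GRE is IP protocol 47; this mirrors "permit gre host A host B".
    leftprotoport=47
    rightprotoport=47
    # The transform-set in the IOS config has no "mode transport" line,
    # so IOS defaults to tunnel mode; Openswan's default type=tunnel
    # matches that. Switch to type=transport only if the peer does.
    type=tunnel
    # crypto isakmp key <password> address ... => pre-shared key
    authby=secret
    # Assumed phase 1 proposal; "set pfs group2" => modp1024 for phase 2.
    ike=3des-md5-modp1024
    # esp-3des esp-md5-hmac from the transform-set (both weak by today's
    # standards; they are used here only because the peer offers them).
    esp=3des-md5
    pfs=yes
    auto=start

# /etc/ipsec.secrets (example): the two endpoint addresses, then the PSK
# <OUR_ENDPOINT> <THIRDPARTY_ENDPOINT>: PSK "<password>"
```

With the SA up, create the GRE tunnel between the same two addresses and point the remote subnets at it, which is the Linux equivalent of `interface Tunnel0` plus the two `ip route ... Tunnel0` lines: `ip tunnel add gre1 mode gre local <OUR_ENDPOINT> remote <THIRDPARTY_ENDPOINT> ttl 255`, `ip link set gre1 up`, then `ip route add <THIRDPARTY_SUBNET> dev gre1` for each subnet. Because the IPsec policy only matches protocol 47 between the endpoints, the GRE packets are the traffic that triggers and uses the SA, while IKE (UDP 500) between the same addresses is unaffected, which is why using one pair of addresses for both layers does not break IPsec. A quick check is `ipsec auto --status` showing the ThirdParty SA with selectors `<OUR_ENDPOINT>[47]` and `<THIRDPARTY_ENDPOINT>[47]`, and `tcpdump -ni <outside-interface> esp` showing only ESP leaving when you ping a remote subnet address.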