[Openswan Users] GRE over IPSec - Cisco endpoint

Tom Stockton tom at stocktons.org.uk
Fri Dec 18 08:13:42 EST 2009


Hi,
I'm trying to connect to a third party's Cisco using Openswan; they
are running a configuration very similar to that described here ..

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

The third party are running the 'hub' and I'm trying to connect as one
of the remote sites.  The third party network engineer has advised me
that other customers have previously tried and failed to connect using
freeswan/openswan, however I'm determined to give it a go.

I can't get past phase 2 at the moment, but apparently this is because
phase 2 runs over GRE (I don't understand how this would work, but
this is how I'm told the cisco implementation operates).

Third party endpoint: 192.168.186.1
Third party subnet: 192.168.119.50/32, 192.168.124.1/32

Our endpoint: 192.168.4.240
Our subnet: 192.168.4.243/32


The relevant bits from the IOS config that would work are:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key <password> address 192.168.186.1
!
!
crypto ipsec transform-set ThirdParty_transform esp-3des esp-md5-hmac
!
crypto map ThirdParty_IPSec 10 ipsec-isakmp
 set peer 192.168.186.1
 set transform-set ThirdParty_transform
 set pfs group2
 match address ThirdParty_encrypt
!
interface Tunnel0
 description - IPSec encryted GRE to ThirdParty -
 ip unnumbered FastEthernet4
 tunnel source FastEthernet4
 tunnel destination 192.168.186.1
 crypto map ThirdParty_IPSec
!
ip route 192.168.119.50 255.255.255.255 Tunnel0
ip route 192.168.124.1 255.255.255.255 Tunnel0
!
ip access-list extended ThirdParty_encrypt
 permit gre host 192.168.4.240 host 192.168.186.1

My ipsec.conf (not working) currently looks like this ..

conn ThirdParty
        type=tunnel
        authby=secret
        left=192.168.4.240
        leftsubnet=192.168.4.243/32
        right=192.168.186.1
        rightsubnets=192.168.119.50/32,192.168.124.1/32
        esp=3des-md5-96
        keyexchange=ike
        pfs=yes
        auto=start

I haven't attempted to do any GRE yet but I don't understand how I
would do it as part of the IPSec connection.  I can understand making
a GRE connection after the IPSec tunnel was setup but in this case the
IPSec and GRE endpoints are the same IP addresses so I don't
understand how I could route the GRE connection through the IPSec
tunnel without breaking IPSec?

I could buy a cisco device (we already have one for another connection
to the same third party in a different colo) but that would be no fun.

Any advice much appreciated.

Thanks

Tom Stockton
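The following is an added worked example (not part of the thread, and not Openswan or Cisco code) that models why the two layers do not collide. The posted access list `permit gre host 192.168.4.240 host 192.168.186.1` is what the Cisco side uses as its phase 2 traffic selector: the IPsec SA protects the GRE flow between the two endpoint addresses, and the inner LAN packets (192.168.4.243 to 192.168.119.50) sit inside the GRE payload, so they never appear in the IPsec identities at all; the routes for the far subnets simply point at the tunnel interface. The script builds a real IPv4-in-GRE packet, checks it against the selector implied by the Cisco ACE and against the host/host selector the posted ipsec.conf would offer, and decapsulates it again. The `openswan_equivalent()` helper and the `leftprotoport`/`rightprotoport` keys it emits are my assumption about how the same identities are written in ipsec.conf; the packet contents are constructed for the demonstration.

```python
"""GRE-over-IPsec layering model: which header does the IPsec selector see?"""
import ipaddress
import struct

GRE_PROTO = 47              # IP protocol number for GRE
GRE_ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement header checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: no options, no fragmentation, TTL 64."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the IPv4 header, verify its checksum, return addresses, protocol and payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": packet[ihl:total_len]}


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 packet in GRE (RFC 2784 base header: flags/version 0, protocol 0x0800)."""
    gre_hdr = struct.pack("!HH", 0, GRE_ETHERTYPE_IPV4)
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + inner)


def gre_decapsulate(outer: bytes) -> bytes:
    """Strip the delivery header and the GRE header; return the inner IPv4 packet."""
    ip = parse_ipv4(outer)
    if ip["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags_ver, proto_type = struct.unpack("!HH", ip["payload"][:4])
    if flags_ver != 0 or proto_type != GRE_ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return ip["payload"][4:]


def selector_matches(selector: dict, packet: bytes) -> bool:
    """Does an IPsec traffic selector (proto 0 = any) match this packet's outermost IP header?
    ESP in tunnel mode wraps whatever the selector matched, so only this header is consulted."""
    ip = parse_ipv4(packet)
    proto_ok = selector["proto"] in (0, ip["proto"])
    src_ok = ipaddress.IPv4Address(ip["src"]) in ipaddress.IPv4Network(selector["src"])
    dst_ok = ipaddress.IPv4Address(ip["dst"]) in ipaddress.IPv4Network(selector["dst"])
    return proto_ok and src_ok and dst_ok


# Selector implied by the Cisco ACE "permit gre host 192.168.4.240 host 192.168.186.1"
CISCO_ACE = {"proto": GRE_PROTO, "src": "192.168.4.240/32", "dst": "192.168.186.1/32"}
# Selector the posted ipsec.conf offers instead (leftsubnet/rightsubnet, any protocol)
POSTED_CONF = {"proto": 0, "src": "192.168.4.243/32", "dst": "192.168.119.50/32"}


def openswan_equivalent(ace: dict) -> dict:
    """ipsec.conf keys carrying the same phase 2 identities as a host/host/GRE ACE.
    Assumption: Openswan expresses the protocol with leftprotoport/rightprotoport."""
    return {"leftsubnet": ace["src"], "leftprotoport": str(ace["proto"]),
            "rightsubnet": ace["dst"], "rightprotoport": str(ace["proto"])}


def demo() -> dict:
    # Constructed LAN-to-LAN packet (payload is a placeholder, not a real ICMP message).
    inner = build_ipv4("192.168.4.243", "192.168.119.50", 1, b"ping")
    # What Tunnel0 emits: the inner packet inside GRE between the two endpoint addresses.
    outer = gre_encapsulate(inner, "192.168.4.240", "192.168.186.1")
    return {
        "outer_matches_cisco_ace": selector_matches(CISCO_ACE, outer),
        "outer_matches_posted_conf": selector_matches(POSTED_CONF, outer),
        "inner_matches_posted_conf": selector_matches(POSTED_CONF, inner),
        "decapsulated_dst": parse_ipv4(gre_decapsulate(outer))["dst"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    print(openswan_equivalent(CISCO_ACE))
```

Running `demo()` shows the GRE packet matching the Cisco ACE but not the selector the posted ipsec.conf would propose, which is the kind of mismatch that stalls phase 2 when the two sides compare identities. On a Linux host the same split is expressed as a GRE tunnel device between the two endpoint addresses, routes for the far subnets pointing at that device, and an IPsec policy that covers only protocol 47 between the endpoints.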