[Openswan Users] GRE over IPSec - Cisco endpoint
Tom Stockton
tom at stocktons.org.uk
Fri Dec 18 08:13:42 EST 2009
Hi,
I'm trying to connect to a third party's Cisco using Openswan, they
are running a configuration very similar to that described here ..
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
The third party are running the 'hub' and I'm trying to connect as one
of the remote sites. The third party network engineer has advised me
that other customers have previously tried and failed to connect using
freeswan/openswan, however I'm determined to give it a go.
I can't get past phase 2 at the moment, but apparently this is because
phase 2 runs over GRE (I don't understand how this would work, but
this is how I'm told the cisco implementation operates).
Third party endpoint: 192.168.186.1
Third party subnet: 192.168.119.50/32, 192.168.124.1/32
Our endpoint: 192.168.4.240
Our subnet: 192.168.4.243/32
The relevant bits from the IOS config that would work are:
crypto isakmp policy 10
authentication pre-share
crypto isakmp key <password> address 192.168.186.1
!
!
crypto ipsec transform-set ThirdParty_transform esp-3des esp-md5-hmac
!
crypto map ThirdParty_IPSec 10 ipsec-isakmp
set peer 192.168.186.1
set transform-set ThirdParty_transform
set pfs group2
match address ThirdParty_encrypt
!
interface Tunnel0
description - IPSec encryted GRE to ThirdParty -
ip unnumbered FastEthernet4
tunnel source FastEthernet4
tunnel destination 192.168.186.1
crypto map ThirdParty_IPSec
!
ip route 192.168.119.50 255.255.255.255 Tunnel0
ip route 192.168.124.1 255.255.255.255 Tunnel0
!
ip access-list extended ThirdParty_encrypt
permit gre host 192.168.4.240 host 192.168.186.1
My ipsec.conf (not working) currently looks like this ..
conn ThirdParty
type=tunnel
authby=secret
left=192.168.4.240
leftsubnet=192.168.4.243/32
right=192.168.186.1
rightsubnets=192.168.119.50/32,192.168.124.1/32
esp=3des-md5-96
keyexchange=ike
pfs=yes
auto=start
I haven't attempted to do any GRE yet but I don't understand how I
would do it as part of the IPSec connection. I can understand making
a GRE connection after the IPSec tunnel was setup but in this case the
IPSec and GRE endpoints are the same IP addresses so I don't
understand how I could route the GRE connection through the IPSec
tunnel without breaking IPSec ?
I could buy a cisco device (we already have one for another connection
to the same third party in a different colo) but that would be no fun.
Any advice much appreciated.
Thanks
Tom Stockton
More information about the Users
mailing list