[Openswan Users] GRE over IPSec - Cisco endpoint
Andreas Rehmer
rehmer at teltarif.de
Fri Dec 18 11:03:59 EST 2009
> Date: Fri, 18 Dec 2009 14:13:42
> From: Tom Stockton <tom at stocktons.org.uk>
> To: users at openswan.org
> Subject: [Openswan Users] GRE over IPSec - Cisco endpoint
>
> Hi,
> I'm trying to connect to a third party's Cisco using Openswan, they
> are running a configuration very similar to that described here ..
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
>
> The third party are running the 'hub' and I'm trying to connect as one
> of the remote sites. The third party network engineer has advised me
> that other customers have previously tried and failed to connect using
> freeswan/openswan, however I'm determined to give it a go.
>
> I can't get past phase 2 at the moment, but apparently this is because
> phase 2 runs over GRE (I don't understand how this would work, but
> this is how I'm told the cisco implementation operates).
>
> Third party endpoint: 192.168.186.1
> Third party subnet: 192.168.119.50/32, 192.168.124.1/32
>
> Our endpoint: 192.168.4.240
> Our subnet: 192.168.4.243/32
>
>
> The relevant bits from the IOS config that would work are:
>
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key <password> address 192.168.186.1
> !
> !
> crypto ipsec transform-set ThirdParty_transform esp-3des esp-md5-hmac
> !
> crypto map ThirdParty_IPSec 10 ipsec-isakmp
> set peer 192.168.186.1
> set transform-set ThirdParty_transform
> set pfs group2
> match address ThirdParty_encrypt
> !
> interface Tunnel0
> description - IPSec encrypted GRE to ThirdParty -
> ip unnumbered FastEthernet4
> tunnel source FastEthernet4
> tunnel destination 192.168.186.1
> crypto map ThirdParty_IPSec
> !
> ip route 192.168.119.50 255.255.255.255 Tunnel0
> ip route 192.168.124.1 255.255.255.255 Tunnel0
> !
> ip access-list extended ThirdParty_encrypt
> permit gre host 192.168.4.240 host 192.168.186.1
>
> My ipsec.conf (not working) currently looks like this ..
>
> conn ThirdParty
> type=tunnel
> authby=secret
> left=192.168.4.240
> leftsubnet=192.168.4.243/32
> right=192.168.186.1
> rightsubnets=192.168.119.50/32,192.168.124.1/32
> esp=3des-md5-96
> keyexchange=ike
> pfs=yes
> auto=start
>
> I haven't attempted to do any GRE yet but I don't understand how I
> would do it as part of the IPSec connection. I can understand making
> a GRE connection after the IPSec tunnel was setup but in this case the
> IPSec and GRE endpoints are the same IP addresses so I don't
> understand how I could route the GRE connection through the IPSec
> tunnel without breaking IPSec ?
>
> I could buy a cisco device (we already have one for another connection
> to the same third party in a different colo) but that would be no fun.
>
> Any advice much appreciated.
>
> Thanks
>
> Tom Stockton
For a working GRE tunnel you first need an established IPsec tunnel. So
your first step should be to definitely establish a tunnel with IPsec.
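
As an added example that is not part of this thread (neither Tom's nor Andreas's configuration, and not taken from the Openswan wiki page linked above): the Cisco crypto ACL "permit gre host 192.168.4.240 host 192.168.186.1" means the phase 2 identities the Cisco side proposes are host-to-host with protocol 47 (GRE), not the /32 subnets listed in the posted ipsec.conf. The Openswan conn therefore needs leftprotoport/rightprotoport=47 and no leftsubnet/rightsubnets, and the GRE tunnel is just a normal Linux GRE interface between the same two addresses: its packets already carry src 192.168.4.240, dst 192.168.186.1, proto 47, so the IPsec policy encrypts them without any extra routing trick. The script below prints the conn, the ipsec.secrets line and the ip(8) commands; the interface name gre1 and the PSK placeholder are assumptions, the addresses are the ones from the post, and "apply" needs root and the ip_gre module.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Openswan side of a Cisco-style GRE-over-IPsec spoke: IPsec policy is
# host/host proto 47, mirroring the Cisco ACL
#   permit gre host 192.168.4.240 host 192.168.186.1
# and the GRE tunnel is an ordinary Linux tunnel between the same endpoints.

LOCAL_EP=192.168.4.240      # our endpoint (from the post)
REMOTE_EP=192.168.186.1     # third-party endpoint (from the post)
GRE_DEV=gre1                # assumed interface name
PSK='replace-me'            # assumed placeholder, never commit a real PSK

# Openswan conn. Selectors are host/host with protocol 47, which is what the
# Cisco side proposes in phase 2; leftsubnet/rightsubnets must NOT be set,
# otherwise the proxy identities do not match the Cisco crypto ACL.
ipsec_conn() {
  cat <<EOF
conn ThirdParty-gre
    type=tunnel
    authby=secret
    keyexchange=ike
    left=$LOCAL_EP
    leftprotoport=47
    right=$REMOTE_EP
    rightprotoport=47
    esp=3des-md5-96
    pfs=yes
    auto=start
EOF
}

# /etc/ipsec.secrets entry for the pre-shared key.
ipsec_secret() {
  printf '%s %s : PSK "%s"\n' "$LOCAL_EP" "$REMOTE_EP" "$PSK"
}

# GRE tunnel plus the two /32 routes the Cisco config points at Tunnel0.
# GRE packets leave with src $LOCAL_EP dst $REMOTE_EP proto 47, so the IPsec
# policy above picks them up; the IKE/ESP traffic itself is not GRE and
# therefore stays outside the tunnel, which is why the endpoints may be equal.
gre_commands() {
  cat <<EOF
ip tunnel add $GRE_DEV mode gre local $LOCAL_EP remote $REMOTE_EP ttl 255
ip link set $GRE_DEV up
ip route add 192.168.119.50/32 dev $GRE_DEV
ip route add 192.168.124.1/32 dev $GRE_DEV
EOF
}

# Sanity check on the generated conn: no subnet selectors, GRE on both sides.
check_conn() {
  ipsec_conn | grep -q 'subnet' && return 1
  ipsec_conn | grep -q '^ *leftprotoport=47$' || return 1
  ipsec_conn | grep -q '^ *rightprotoport=47$' || return 1
  return 0
}

case "${1:-show}" in
  show)  ipsec_conn; echo; ipsec_secret; echo; gre_commands ;;
  apply) gre_commands | sh -e ;;   # needs root and the ip_gre module
esac
```

Run it without arguments to review the generated configuration, paste the conn into ipsec.conf and the secret into ipsec.secrets, bring the conn up, and only then run "apply" to create the GRE interface; with the SA established, "ip xfrm policy" (NETKEY) should show a policy for proto 47 between the two endpoints and GRE traffic to the two /32s will be ESP on the wire.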
As a hint try the following HOWTOs
http://wiki.openswan.org/index.php/Interop/InteroperatingCisco