[Openswan Users] GRE over IPSec - Cisco endpoint
rehmer at teltarif.de
Fri Dec 18 11:03:59 EST 2009
> Date: Fri, 18 Dec 2009 14:13:42
> From: Tom Stockton <tom at stocktons.org.uk>
> To: users at openswan.org
> Subject: [Openswan Users] GRE over IPSec - Cisco endpoint
> I'm trying to connect to a third party's Cisco using Openswan, they
> are running a configuration very similar to that described here ..
> The third party are running the 'hub' and I'm trying to connect as one
> of the remote sites. The third party network engineer has advised me
> that other customers have previously tried and failed to connect using
> freeswan/openswan, however I'm determined to give it a go.
> I can't get past phase 2 at the moment, but apparently this is because
> phase 2 runs over GRE (I don't understand how this would work, but
> this is how I'm told the Cisco implementation operates).
> Third party endpoint: 192.168.186.1
> Third party subnet: 192.168.119.50/32, 192.168.124.1/32
> Our endpoint: 192.168.4.240
> Our subnet: 192.168.4.243/32
> The relevant bits from the IOS config that would work are:
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key <password> address 192.168.186.1
> crypto ipsec transform-set ThirdParty_transform esp-3des esp-md5-hmac
> crypto map ThirdParty_IPSec 10 ipsec-isakmp
> set peer 192.168.186.1
> set transform-set ThirdParty_transform
> set pfs group2
> match address ThirdParty_encrypt
> interface Tunnel0
> description - IPSec encryted GRE to ThirdParty -
> ip unnumbered FastEthernet4
> tunnel source FastEthernet4
> tunnel destination 192.168.186.1
> crypto map ThirdParty_IPSec
> ip route 192.168.119.50 255.255.255.255 Tunnel0
> ip route 192.168.124.1 255.255.255.255 Tunnel0
> ip access-list extended ThirdParty_encrypt
> permit gre host 192.168.4.240 host 192.168.186.1
> My ipsec.conf (not working) currently looks like this ..
> conn ThirdParty
> I haven't attempted to do any GRE yet but I don't understand how I
> would do it as part of the IPSec connection. I can understand making
> a GRE connection after the IPSec tunnel was setup but in this case the
> IPSec and GRE endpoints are the same IP addresses so I don't
> understand how I could route the GRE connection through the IPSec
> tunnel without breaking IPSec?
> I could buy a Cisco device (we already have one for another connection
> to the same third party in a different colo) but that would be no fun.
> Any advice much appreciated.
> Tom Stockton
For a working GRE tunnel you first need an established IPsec tunnel. So
your first step should definitely be to establish a tunnel with IPsec.
As a hint, try the following HOWTOs
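As an added worked example (not part of the thread and not taken from Openswan's documentation), this is how the IOS crypto map and access list quoted above map onto an Openswan 2.6 conn; the phase 1 algorithms and the exact option spellings are assumptions that have to be checked against the hub's `show crypto isakmp policy` and the local Openswan version.

```conf
# ipsec.conf fragment (Openswan 2.6 syntax) mirroring the quoted IOS config
conn ThirdParty
    # IKE endpoints are the outer addresses; authby=secret corresponds to
    # "crypto isakmp key <password> address ..." (PSK goes in ipsec.secrets)
    left=192.168.4.240
    right=192.168.186.1
    authby=secret
    # Phase 1 must match "crypto isakmp policy 10". The quoted policy only
    # sets the authentication method, so the router's defaults fill in the
    # rest; 3DES/SHA-1/group 2 below is an assumption, not from the post.
    ike=3des-sha1-modp1024
    # Phase 2 = "transform-set ... esp-3des esp-md5-hmac" plus "set pfs group2"
    # (3DES/MD5 only because the remote transform-set demands it)
    esp=3des-md5
    pfs=yes
    pfsgroup=modp1024
    # Selectors = "permit gre host 192.168.4.240 host 192.168.186.1":
    # no subnets, just IP protocol 47 (GRE) between the two hosts.
    # ISAKMP (UDP/500) and ESP are not protocol 47, so they are outside
    # this policy; that is why GRE can ride inside the SA between the same
    # two addresses without the IPsec negotiation itself being affected.
    leftprotoport=47
    rightprotoport=47
    # a Cisco crypto map defaults to tunnel mode
    type=tunnel
    auto=start
```

The GRE interface itself is created outside Openswan with iproute2 (`ip tunnel add gre1 mode gre local 192.168.4.240 remote 192.168.186.1`, `ip link set gre1 up`) and the two /32 routes are pointed at it, the Linux counterpart of Tunnel0 and the two `ip route` lines; only once `ipsec auto --status` shows the SA established is it worth looking at GRE.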