[Openswan Users] GRE over IPSec - Cisco endpoint
Michael Smith
msmith at cbnco.com
Fri Dec 18 11:15:57 EST 2009
Tom Stockton wrote:
> My ipsec.conf (not working) currently looks like this ..
>
> conn ThirdParty
>     type=tunnel
>     authby=secret
>     left=192.168.4.240
>     leftsubnet=192.168.4.243/32
>     right=192.168.186.1
>     rightsubnets=192.168.119.50/32,192.168.124.1/32
>     esp=3des-md5-96
>     keyexchange=ike
>     pfs=yes
>     auto=start

Try something like this:

conn ThirdParty
    type=transport
    authby=secret
    left=192.168.4.240
    leftprotoport=gre
    right=192.168.186.1
    rightprotoport=gre
    esp=3des-md5-96
    keyexchange=ike
    pfs=yes
    auto=start

Then set up a GRE tunnel:

    ip tunnel add name tun_third mode gre local 192.168.4.240 \
        remote 192.168.186.1
    ip link set tun_third up

It'll be easier for troubleshooting if the tunnel interface on each end
has an IP address, so you can ping across. On the Cisco side, I think
you have to give Tunnel0 an IP and netmask like 255.255.255.252. On
Linux you can just do:

    ip addr add my.tunnel.ip peer other.tunnel.ip dev tun_third

Finally add routes for whatever you need going through tun_third.
On the Cisco side, the provider might have to set "mode transport" on
their crypto ipsec transform-set.
Mike
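
Added example, not part of the message above or of Openswan: a check that the kernel holds an outbound ESP transport-mode policy selecting GRE between the two endpoints, so GRE is not leaving unencrypted. It assumes the NETKEY/XFRM stack (where `ip xfrm policy` lists policies); the function name and the sample policy dumps, including their priority and reqid values, are constructed for illustration.

```shell
#!/bin/sh
# gre_policy_ok LOCAL REMOTE   (hypothetical helper name)
# Reads `ip xfrm policy` output on stdin. Returns 0 only if an outbound
# policy selects GRE (printed as "gre" or "47") from LOCAL to REMOTE and
# its template is ESP in transport mode.
gre_policy_ok() {
    awk -v l="$1" -v r="$2" '
        # A selector line starts at column 0 with "src" and opens a policy.
        /^src / {
            sel = ($2 == (l "/32") && $4 == (r "/32") &&
                   $5 == "proto" && ($6 == "gre" || $6 == "47"))
            out = 0
            next
        }
        sel && /dir out/ { out = 1 }
        sel && out && /proto esp/ && /mode transport/ { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: policy expected from type=transport + protoport=gre.
sample_transport() {
cat <<'EOF'
src 192.168.4.240/32 dst 192.168.186.1/32 proto gre
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
EOF
}

# Constructed sample: subnet-to-subnet tunnel policy, as the quoted
# type=tunnel config would produce. GRE between the endpoints is not covered.
sample_tunnel() {
cat <<'EOF'
src 192.168.4.243/32 dst 192.168.119.50/32
    dir out priority 2080 ptype main
    tmpl src 192.168.4.240 dst 192.168.186.1
        proto esp reqid 16389 mode tunnel
EOF
}

# Demo on the constructed sample. On a live host:
#   ip xfrm policy | gre_policy_ok 192.168.4.240 192.168.186.1
sample_transport | gre_policy_ok 192.168.4.240 192.168.186.1 \
    && echo "GRE is covered by an ESP transport-mode policy"
```

If the check fails on a live host while tun_third is up, GRE packets between the endpoints may be going out in the clear.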