gre, ipsec, can't detunnel

Valentin Nechayev netch at lucky.net
Fri Feb 20 01:00:45 PST 2004


Trying to set up an ipsec'ed tunnel with explicit routing to it.
I have two FreeBSD boxes (quarta - 4.9, grizzly - 5.2.1).

root at grizzly:~>>
# ifconfig gre0
gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
        tunnel inet 193.193.193.138 --> 193.193.193.11
        inet 10.0.0.2 --> 10.0.0.1 netmask 0xffffffff

root at quarta:~>>
# ifconfig gre1
gre1: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> mtu 1476
        tunnel inet 193.193.193.11 --> 193.193.193.138
        inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff

Interaction 10.0.0.1 <-> 10.0.0.2 works OK.
Adding an IPSEC transport between the external sides of the tunnel:

root at grizzly:~>>
# less /etc/ipsec.conf 
flush;
add 193.193.193.11 193.193.193.138 esp 1100 -m transport -E des-cbc "01239876" -A keyed-md5 "dafa0066a4fc7788";
add 193.193.193.138 193.193.193.11 esp 1101 -m transport -E des-cbc "01239876" -A keyed-md5 "dafa0066a4fc7788";
spdflush;
spdadd 193.193.193.138/32 193.193.193.11/32 any -P out ipsec esp/transport//use;
spdadd 193.193.193.11/32 193.193.193.138/32 any -P in ipsec esp/transport//use;

root at quarta:~>>
# less /etc/ipsec.conf   
flush;
add 193.193.193.11 193.193.193.138 esp 1100 -m transport -E des-cbc "01239876" -A keyed-md5 "dafa0066a4fc7788";
add 193.193.193.138 193.193.193.11 esp 1101 -m transport -E des-cbc "01239876" -A keyed-md5 "dafa0066a4fc7788";
spdflush;
spdadd 193.193.193.11/32 193.193.193.138/32 any -P out ipsec esp/transport//use;
spdadd 193.193.193.138/32 193.193.193.11/32 any -P in ipsec esp/transport//use;

(IKE is intentionally disabled to keep the setup simple.)

Well, all interaction between the external IPs is OK, with encryption and decryption.
But interaction between the internal IPs (e.g. `ping 10.0.0.2') fails.

The same setup works in the following cases:
- Encryption of packets going into the GRE tunnel on FreeBSD and decryption
on the Cisco 7140 (well, with des-cbc, but disabling AH between the FreeBSDs
doesn't fix the problem): I see them after the Cisco.
- Encryption and decryption when the tunnel is switched from GRE to IPIP
(device gif).

So, the only problematic part is getting packets out of GRE after IPSEC
decryption: it fails on FreeBSD for no understandable reason.

Questions here:
1. Has anybody seen the same problem?
2. Is it related to my setup? If yes, why is the Cisco 7140 able to decrypt
and detunnel IPSEC+GRE?

The admin of this Cisco router doesn't want to select IPIP encapsulation
due to CEF problems, so I want to make every effort to run it with GRE.

P.S. Tunnel IPSEC mode also doesn't help, with the same result
(Cisco can decrypt, FreeBSD can't).


-netch-
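An added example, not part of the original post or of FreeBSD's own tools: a small Python checker that parses setkey-style ipsec.conf lines like the ones quoted above, verifies that every SPD entry has a manual SA for the same src/dst pair, reports which policy a given outer packet (GRE is IP protocol 47, IPIP is 4) would hit, and flags the des-cbc/keyed-md5 algorithms and the `use` level in this 2004-era config. The config text is a constructed copy of grizzly's file; the function names are this example's own.

```python
import re
import ipaddress
from collections import namedtuple
# Constructed copy of grizzly's /etc/ipsec.conf as quoted in the post above.
GRIZZLY_CONF = """\
flush;
add 193.193.193.11 193.193.193.138 esp 1100 -m transport -E des-cbc "01239876" -A keyed-md5 "dafa0066a4fc7788";
add 193.193.193.138 193.193.193.11 esp 1101 -m transport -E des-cbc "01239876" -A keyed-md5 "dafa0066a4fc7788";
spdflush;
spdadd 193.193.193.138/32 193.193.193.11/32 any -P out ipsec esp/transport//use;
spdadd 193.193.193.11/32 193.193.193.138/32 any -P in ipsec esp/transport//use;
"""
SA = namedtuple("SA", "src dst proto spi mode enc auth")  # one 'add' line
SP = namedtuple("SP", "src dst upper dir level")          # one 'spdadd' line
WEAK = {"des-cbc", "keyed-md5", "hmac-md5"}                # report, never deploy
SA_RE = re.compile(r'^add (\S+) (\S+) (esp|ah) (\d+) -m (\w+)(?: -E (\S+) "[^"]*")?(?: -A (\S+) "[^"]*")?;$')
SP_RE = re.compile(r'^spdadd (\S+) (\S+) (\S+) -P (in|out) ipsec (?:esp|ah)/(?:transport|tunnel)/[^/]*/(\w+);$')

def parse(conf):  # -> (manual SAs, SPD policies); flush/spdflush lines are ignored
    sas, sps = [], []
    for line in conf.splitlines():
        if m := SA_RE.match(line.strip()):
            src, dst, proto, spi, mode, enc, auth = m.groups()
            sas.append(SA(src, dst, proto, int(spi), mode, enc, auth))
        elif m := SP_RE.match(line.strip()):
            sps.append(SP(*m.groups()))
    return sas, sps

def audit(conf):
    """Findings for one host: policies with no SA, level 'use', weak algorithms."""
    sas, sps = parse(conf)
    out = []
    for sp in sps:
        s, d = sp.src.split("/")[0], sp.dst.split("/")[0]
        if not any(sa.src == s and sa.dst == d for sa in sas):
            out.append(f"{sp.dir} policy {sp.src}->{sp.dst} has no matching SA")
        if sp.level == "use":  # 'use' falls back to cleartext when no SA matches
            out.append(f"{sp.dir} policy {sp.src}->{sp.dst} is level 'use'")
    for sa in sas:
        out += [f"SA spi={sa.spi} uses weak {a}" for a in (sa.enc, sa.auth) if a in WEAK]
    return out

def policy_for(conf, src, dst, proto, direction):
    """SPD entry an outer packet would hit (proto 47 = GRE, 4 = IPIP), or None."""
    for sp in parse(conf)[1]:
        if (sp.dir == direction and sp.upper in ("any", str(proto))
                and ipaddress.ip_address(src) in ipaddress.ip_network(sp.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(sp.dst)):
            return sp
    return None
```

Run `audit(GRIZZLY_CONF)` against each side's file to confirm the SAs and policies line up, and `policy_for(...)` with proto 47 to confirm the GRE-encapsulated packet is actually covered by the `any` policy.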

