[c-nsp] IPSEC - CISCO (GRE and NAT too!)

Tuc at T-B-O-H.NET ml at t-b-o-h.net
Wed Nov 1 15:38:51 EST 2006


> On Tue, Oct 31, 2006 at 05:30:16PM -0500, Tuc at T-B-O-H.NET wrote:
> > ERDA/192.136.64.116/IPSEC-TOOLS:
> > 
> > erda# cd /usr/local/etc/racoon/
> > erda# cat psk.txt 
> > 69.28.185.2     donttell
> > erda# cat spdadd
> >         setkey -F
> >         setkey -FP
> >         setkey -c <<EOF
> >         spdadd 0.0.0.0/0 172.16.0.0/24 any -P out ipsec esp/tunnel/192.136.64.116-69.28.185.2/unique ;
> >         spdadd 172.16.0.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/69.28.185.2-192.136.64.116/unique ;
> 
> I'm fairly sure that this will not do what you want -- at least not the 
> way I've understood your original problem ("set up an encrypted GRE tunnel").
> 
> *This* is a typical "connection to a remote site over IPSEC (!) tunnel"
> setup - it will encrypt everything between "all local addresses" and
> "172.16.0.0/24", but it will not care for GRE tunnels or whatever.
> 
> If you want GRE tunnel + IPSEC, you need to encrypt *only* (!) packets
> with the source and destination IP address matching the tunnel endpoints.
> 
> 
> Maybe you could describe your goals in a bit more detail?  Until now, you've
> posted non-working fragments, but fragments of "different problems" every
> time - understanding your aims might help us in helping you with a solution.
> 
> gert
Hi Gert and all,

	OK, it seems I'm really having issues making myself clear these
past few weeks. So, as Gert suggested, let me back up a bit, explain myself,
and then maybe it'll all make sense.

	I have an unmanned site in North Carolina that is only accessible 
via a 4WD truck, with a consumer satellite provider. I wanted to set up a 
connection between this site and our servers in a colo hotel in NYC. If 
the connection was a full connection that allowed anything inbound/outbound, 
it would be the end of my problems. It's not. It's filtered not to let 
ANYTHING inbound, and NAT'd as well. 

	So I put a Soekris box in NC running FreeBSD 5.5 and OpenVPN and
it was PERFECT. Until the first power outage and the Soekris didn't come
back up. So I decided to go over to a Cisco/IPSEC-Tools based solution.
I found the article :

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml

	that seemed to do what I wanted to do. So I tried to get it
running with IPSEC-Tools. Since I was stabbing in the dark it didn't
go well. 

	So I went to check to see if I could run a GRE by itself 
to the Cisco on a public fully accessible IP (Ok, so it was over an
OpenVPN link which was forwarded). That worked fine. 

	So then I went to put IPSec-Tools on my server in NYC, and
then configured the Cisco in NC. It wasn't working at all. So I
decided to take a step back and just get IPSec working. (That's 
what this email was about.) It didn't work, and I was confused since
I was pretty sure I was cutting and pasting correctly. I futzed with
it for a few days, and then just for shites and giggles I recompiled
IPSEC-Tools w/o NATT, and the connection immediately came up!

	So now I can do a GRE without any issues. The next step is to
start tuning the IPSec side of it to see if I can speed things up
and not run into any issues with reboots, timeouts, etc. If anyone
has any suggestions for that, please let me know. It seems even
when I'm on a cable modem, its taking about 15 seconds for the
tunnel to negotiate and come up. The next step will be to tunnel
the GRE inside the IPSec. I'll run that for a while. Then, for
the last step it will be time to put the Cisco behind a firewall
NAT'd and see if I can get that running. Once it does, then 
I'll be done with what I need.

	So yes, you're right, this doesn't get me to the end state,
but I had previously tried to do it all at the same time w/o it
working properly. I had mentioned I tried to take a step back,
but I guess I didn't explain WHERE I was stepping back to. 

	I'm trying to pursue the issues with the IPSec-Tools people,
since if I can't understand why the NATT isn't working, I don't
think I'll get far. But at this stage I still do look for any
comments about the config "as is" for now, and any way to increase
its speed. (Or any comments about using NATT on the Cisco side.)

		Thanks, Tuc
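Editor's added example (not part of the thread, and not config either poster ran): a small model of the setkey SPD lookup that makes Gert's point concrete. The site-to-site policy quoted above selects on 172.16.0.0/24, so a GRE packet between the two tunnel endpoints matches no rule and leaves in the clear; a GRE-over-IPsec setup needs a policy whose selector is the endpoint pair plus protocol "gre" (IP protocol 47). The endpoint addresses are the ones from the post; the GRE-only policy text (transport mode, level "require") is an assumption to be checked against setkey(8) and the Cisco side's transform-set mode before use, and the packet objects are constructed test input.

```python
"""Model of setkey SPD matching: site-to-site policy vs. GRE-only policy.

Added example, not from the original thread.  The GRE-only policy below is
an assumption (transport mode, level "require"), not config the poster ran.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "gre", "tcp", ... (name only; no port selectors here)
    direction: str   # "in" or "out"


@dataclass
class Rule:
    """One 'spdadd src dst upperspec -P direction policy;' entry."""
    src: str         # host address or CIDR, as accepted by spdadd
    dst: str
    proto: str       # "any" or a protocol name such as "gre"
    direction: str   # "in" or "out"
    policy: str      # text after '-P <direction>', e.g. 'ipsec esp/transport//require'

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.direction == self.direction
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst, strict=False)
            and self.proto in ("any", pkt.proto)
        )


def lookup(spd: List[Rule], pkt: Packet) -> Optional[str]:
    """First matching rule wins; None means no policy, i.e. the packet is sent
    (or accepted) unprotected."""
    for rule in spd:
        if rule.matches(pkt):
            return rule.policy
    return None


def to_setkey(spd: List[Rule]) -> str:
    """Render a rule list as a 'setkey -c' script (flush SAD and SPD first)."""
    lines = ["flush;", "spdflush;"]
    for r in spd:
        lines.append(f"spdadd {r.src} {r.dst} {r.proto} -P {r.direction} {r.policy};")
    return "\n".join(lines) + "\n"


LOCAL = "192.136.64.116"   # erda, from the post
REMOTE = "69.28.185.2"     # the Cisco, from the post

# The policy quoted in the thread: "all local addresses" <-> 172.16.0.0/24.
SITE_TO_SITE = [
    Rule("0.0.0.0/0", "172.16.0.0/24", "any", "out", f"ipsec esp/tunnel/{LOCAL}-{REMOTE}/unique"),
    Rule("172.16.0.0/24", "0.0.0.0/0", "any", "in", f"ipsec esp/tunnel/{REMOTE}-{LOCAL}/unique"),
]

# Assumed GRE-over-IPsec policy: protect only GRE between the two endpoints.
# Transport mode is assumed; tunnel mode works with the same selectors.
GRE_ONLY = [
    Rule(LOCAL, REMOTE, "gre", "out", "ipsec esp/transport//require"),
    Rule(REMOTE, LOCAL, "gre", "in", "ipsec esp/transport//require"),
]


def gre_tunnel_protected(spd: List[Rule]) -> bool:
    """True if a GRE packet from LOCAL to REMOTE would be handed to IPsec."""
    return lookup(spd, Packet(LOCAL, REMOTE, "gre", "out")) is not None


if __name__ == "__main__":
    print("site-to-site policy protects the GRE tunnel:", gre_tunnel_protected(SITE_TO_SITE))
    print("GRE-only policy protects the GRE tunnel:    ", gre_tunnel_protected(GRE_ONLY))
    print(to_setkey(GRE_ONLY))
```

Running the script prints False for the quoted policy and True for the GRE-only one, then the setkey script for the latter. The model is first-match with no port or protocol-number selectors, which is enough to show why the selector, not the tunnel endpoints in the policy string, decides what gets encrypted.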

