Saturday, February 18, 2023

Linux GRE interface TX error (the issue and resolution)

So I was doing some work for a friend of mine in the Market Delivery Network who is using a Linux host, and we ran into an issue where our IPsec tunnel was up but the GRE encapsulation over the tunnel was not working.

We had put this design into place over 2 years ago; it was then moved to a new host and started having issues, so I was scratching my head to figure out what was happening.


What we found was that the GRE interface had TX errors.

After hours and hours of recreating the GRE interface, I finally figured out that the source IP of our gre1 interface was not configured, so the tunnel had no address from which to source the GRE traffic.

Once we configured the source IP on a dummy interface, the tunnel came up and our PIM neighborship was established.
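The check that would have shortened those hours, as an added example that is not part of the original post: it reads iproute2 output ("ip -d link show gre1" for the tunnel endpoints, "ip -s link show gre1" for counters, "ip -o -4 addr" for assigned addresses) and reports whether the tunnel's local endpoint is actually configured on the host. The samples inside are constructed to match the post's endpoints (device gre1, local 10.247.0.39, remote 10.247.254.1); the TX error count and the eth0 address are made up.

```shell
#!/bin/sh
# Added example, not code from the original post. Parses iproute2 text output
# so it runs the same way against live "ip" output or the constructed samples.

# Constructed "ip -d link show gre1" output.
SAMPLE_LINK='5: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/gre 10.247.0.39 peer 10.247.254.1 promiscuity 0
    gre remote 10.247.254.1 local 10.247.0.39 ttl inherit'

# Constructed "ip -s link show gre1" output showing the symptom: TX errors only.
SAMPLE_STATS='5: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/gre 10.247.0.39 peer 10.247.254.1
    RX:  bytes packets errors dropped  missed   mcast
             0       0       0       0       0       0
    TX:  bytes packets errors dropped carrier collsns
             0       0     312       0       0       0'

# Constructed "ip -o -4 addr" output before the fix (10.247.0.39 assigned
# nowhere) and after it (assigned to dummy1).
SAMPLE_ADDR_BEFORE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'
SAMPLE_ADDR_AFTER="$SAMPLE_ADDR_BEFORE
"'7: dummy1    inet 10.247.0.39/32 scope global dummy1\       valid_lft forever preferred_lft forever'

# Print the tunnel's local endpoint from "ip -d link show <dev>" output.
gre_local_addr() {
    printf '%s\n' "$1" | awk '/^ *gre / { for (i = 1; i <= NF; i++) if ($i == "local") { print $(i + 1); exit } }'
}

# Print the TX error counter from "ip -s link show <dev>" output
# (the line after the "TX:" header; errors is the third column).
gre_tx_errors() {
    printf '%s\n' "$1" | awk 'found { print $3; exit } /^ *TX:/ { found = 1 }'
}

# Return 0 if address $1 is assigned to any interface in "ip -o -4 addr" output $2.
addr_assigned() {
    printf '%s\n' "$2" | awk -v a="$1" '{ split($4, p, "/"); if (p[1] == a) hit = 1 } END { if (hit) exit 0; exit 1 }'
}

# Verdict: 0 when the GRE local address is present, 1 when it is missing
# (the post's failure), 2 when no local endpoint could be parsed at all.
check_gre_source() {
    local_ip=$(gre_local_addr "$1")
    [ -n "$local_ip" ] || { echo "no local endpoint found on the GRE device"; return 2; }
    if addr_assigned "$local_ip" "$2"; then
        echo "GRE local $local_ip is assigned on this host: OK"
        return 0
    fi
    echo "GRE local $local_ip is not assigned to any interface: nothing can source the GRE packets"
    return 1
}

# Walk through the post's before/after on the constructed samples.
echo "gre1 TX errors: $(gre_tx_errors "$SAMPLE_STATS")"
check_gre_source "$SAMPLE_LINK" "$SAMPLE_ADDR_BEFORE" || true
check_gre_source "$SAMPLE_LINK" "$SAMPLE_ADDR_AFTER"
```

On a live host the same functions take real output: check_gre_source "$(ip -d link show gre1)" "$(ip -o -4 addr)". A rising TX error counter with zero TX packets on the tunnel, together with a local endpoint that no interface carries, is the pattern this post describes; the IPsec SA being up says nothing about it, because the GRE packets never get far enough to be encrypted.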


Sample dummy1 interface sysconfig:

[root@host01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-dummy1
# DEVICE must match the ifcfg-dummy1 file name so ifup configures this device
DEVICE=dummy1
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
BRIDGE=virbr10
IPV6INIT=no
# the GRE tunnel's local (source) address, as a /32 on the dummy
IPADDR=10.247.0.39
NETMASK=255.255.255.255


Sample strongSwan ipsec.conf:

# CERT FEEDS 69.50.112.0/25     CERT/NR A-Feed/B-Feed MDP Source Range
# CERT FEEDS 69.50.112.128/25   CERT/NR Mediator IP Source Range
# CERT FEEDS 69.50.112.254/32   CERT/NR A-Feed/B-Feed RP

conn CERT01
     type=tunnel
     compress=no
     authby=secret
     left=<my public address>
     right=164.74.129.26
     ikelifetime=86400s
     lifetime=3600s
     keyexchange=ikev1
     keyingtries=%forever
     rekey=yes
     auto=start
     ike=aes256-sha1-modp1024
     esp=aes256-sha1
     #dpdtimeout=120s
     #dpdaction=restart

# phase2 for unicast traffic, e.g. order entry (CME Group)
conn CERT01A
     leftsubnet=10.247.39.64/26
     rightsubnet=69.50.112.128/25
     also=CERT01

# phase2 for GRE and multicast (CME Group)
conn CERT01B
     leftsubnet=10.247.0.39/32
     rightsubnet=10.247.254.1/32
     also=CERT01
     leftupdown=/etc/strongswan/cme_mcast.sh
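The CERT01B conn hands its up/down events to /etc/strongswan/cme_mcast.sh, whose contents the post does not show. As an added example, not that script and not strongSwan's own code, here is what a leftupdown hook for this design can look like: it builds the GRE tunnel when the phase-2 SA comes up, tears it down when it goes away, and refuses to create the tunnel if the local endpoint is not assigned on the host, so the failure from this post surfaces in the strongSwan log instead of as silent TX errors. Assumed values are the device name gre1, the CERT01B endpoints 10.247.0.39 (local) and 10.247.254.1 (remote), and a TTL of 64; PLUTO_VERB is the real environment variable strongSwan sets for updown scripts.

```shell
#!/bin/sh
# Added example of a strongSwan leftupdown hook; not the post's cme_mcast.sh.
# Assumed tunnel parameters (override via the environment if they differ).
GRE_DEV=${GRE_DEV:-gre1}
GRE_LOCAL=${GRE_LOCAL:-10.247.0.39}
GRE_REMOTE=${GRE_REMOTE:-10.247.254.1}

# Emit the iproute2 commands for a strongSwan verb (PLUTO_VERB), one per line.
# Planning is separate from execution so the plan can be reviewed or tested.
gre_commands() {
    case "$1" in
        up-client)
            echo "ip tunnel add $GRE_DEV mode gre local $GRE_LOCAL remote $GRE_REMOTE ttl 64"
            echo "ip link set $GRE_DEV up"
            # PIM needs the multicast flag on the tunnel device
            echo "ip link set $GRE_DEV multicast on"
            ;;
        down-client)
            echo "ip link set $GRE_DEV down"
            echo "ip tunnel del $GRE_DEV"
            ;;
        *)
            # other verbs (up-host, down-host, ...) need nothing here
            return 0
            ;;
    esac
}

# Return 0 if GRE_LOCAL is assigned to some interface according to the
# "ip -o -4 addr" output passed in as $1.
local_addr_present() {
    printf '%s\n' "$1" | awk -v a="$GRE_LOCAL" '{ split($4, p, "/"); if (p[1] == a) hit = 1 } END { if (hit) exit 0; exit 1 }'
}

# Execute the plan for a verb. DRY_RUN=1 prints the commands instead.
apply_verb() {
    verb=$1
    if [ "$verb" = up-client ]; then
        addrs=$(ip -o -4 addr 2>/dev/null)
        if ! local_addr_present "$addrs"; then
            echo "$GRE_LOCAL is not assigned to any interface; refusing to create $GRE_DEV" >&2
            return 1
        fi
    fi
    gre_commands "$verb" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $cmd"; else $cmd; fi
    done
}

# strongSwan invokes the script with the verb in PLUTO_VERB; only act when
# called that way, so the file can be sourced for testing without side effects.
if [ -n "${PLUTO_VERB:-}" ]; then
    apply_verb "$PLUTO_VERB"
fi
```

Running it by hand with PLUTO_VERB=up-client DRY_RUN=1 shows the plan without touching the host. The refusal path is the point: the dummy interface from the sysconfig sample above is what makes 10.247.0.39 local, and if that interface is missing on a rebuilt host, the hook fails loudly at SA-up time. Separately, the proposal in the sample (ike=aes256-sha1-modp1024) uses SHA-1 and the 1024-bit MODP group, both below current IKE recommendations; where the peer allows it, a stronger group and hash are worth negotiating.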






NSE (network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \
