Comments on: Setting up IPSec over GRE on OpenBSD

By: icmp: 224.0.0.5 protocol 89 port 44 unreachable (gre encap) - Error over IPSEC/GRE

Sat, 03 Mar 2012 13:31:14 +0000

[...] http://www.kernel-panic.it/openbsd/vpn/vpn3.html http://www.openbsdsupport.org/vpn-ipsec.html http://bsdsupport.org/2007/05/settin…re-on-openbsd/ Here is what I have done, in a Virtual Box setup: (Simulated) Internal Network1: 88.88.88.0/23 [...]

By: Matt

Matt — Mon, 03 Jan 2011 04:39:27 +0000

Is it mandatory to use the additional 172.16.X.X addresses? Could you not just set up a gre tunnel using the public IPs as your outter header and two private IPs from the internal networks as the inner header? It seems to be that the extra tunnel endpoints are just extra configuration.

By: Imre

Imre — Sun, 13 Jul 2008 21:18:14 +0000

Hi! I found this article very useful, followed it and managed to get myself working soluton (though actually i used gif interfaces), thanks! But one remark, if routing traffic over ipsec between two private networks, does it really suffice to have ‘ike esp transport from 10.0.0.5 to 192.168.0.5′ and not tunneling? I tested it and saw traffic unencripted until i added something like ‘ike esp tunnel from subnet to sunbet peer 172.16.0.x’.

@Imre
The addresses used in this were for example only. Transport is used for the two endpoints of the gre tunnel. The gre tunnel itself (and the routes that are added) takes care of the networks behind the endpoints. You could do this with IPSec in tunnel mode but I’ve found transport to be more efficient. For example I run ospf on both endpoints and redistribute numerous routes. This could result in a large number of ipsec tunnels. Instead if you simply encrypt the traffic between the gre endpoints you can dynamically add networks behind the endpoints without having the be concerned with updating ipsec. Hope this helps shed some light on your options and why I made the choices I did.

By: Jeff

Jeff — Sat, 10 Nov 2007 01:35:13 +0000

@JMA
If the IPSec tunnel crashes, you should still be safe because your ipsec rules are configured to _require_ encryption for outbound traffic to the gre end-point. If the encryption is not present the traffic will not flow.

By: Jeff

Jeff — Sat, 10 Nov 2007 01:24:09 +0000

@TriBudi
In order to NAT the private addresses on host B to the public interface on host A, first you’ll need to setup a static route. For example on host B you’d.

route add -net 10.0.0 192.168.0.1

This allows the GRE tunnel to continue to function when you remove the default route. Again on host B.

route delete default
route add default 172.16.0.1

Now host A’s gre tunnel interface will be host B’s default route. Finally you would setup the proper nat statements in host A’s pf.conf as you would for any other network.