GRETAP over IPSEC ESP using ip-xfrm

Question

I need to set up an IPSEC tunnel between two systems using ip xfrm commands, suitable for running ISIS over. Thanks to examples on the web, I am able to create either an XFRM or VTI link that works for everything except, of course, running ISIS (because ESP carries only IP, and ISIS Hello packets are LLC/MAC.)

I also am able to set up a GRETAP or GENEVE tunnel between the systems, and ISIS works over that. So I'd like to (if possible) encrypt the this tunnel using ESP.

Ignoring details on how the GRETAP/GENEVE tunnel interface is created, I am trying to add IPSEC using the following (running same script on both systems, except for the first line.)

GW=1 # (or 2, for the other system)

GW1_PUBIP=172.22.0.5
GW2_PUBIP=172.23.0.6
PRIVNET=192.168.12 # address prefix on the GRETAP or GENEVE link
SPI=0x1234
AUTHKEY=0x0123456789ABCDEF0123456789ABCDEF
ENCKEY=0xFEDCBA9876543210FEDCBA9876543210
if [[ $GW == 1 ]]; then
    LOC_PUB=$GW1_PUBIP REM_PUB=$GW2_PUBIP LOC_PRI=$PRIVNET.2 REM_PRI=$PRIVNET.3
else
    LOC_PUB=$GW2_PUBIP REM_PUB=$GW1_PUBIP LOC_PRI=$PRIVNET.3 REM_PRI=$PRIVNET.2
fi 
PUBIP=$(ifconfig eth0 | grep inet | tr -s ' ' | cut -d' ' -f3) # trigger guard
if [[ $PUBIP == $LOC_PUB ]]; then # trigger guard
    ip xfrm state flush
    ip xfrm policy flush
    ip xfrm state add src $LOC_PUB dst $REM_PUB proto esp spi $SPI mode tunnel auth sha256 $AUTHKEY enc aes $ENCKEY
    ip xfrm state add src $REM_PUB dst $LOC_PUB proto esp spi $SPI mode tunnel auth sha256 $AUTHKEY enc aes $ENCKEY
    ip xfrm policy add src $LOC_PRI dst $REM_PRI dir out tmpl src $LOC_PUB dst $REM_PUB proto esp spi $ID mode tunnel
    ip xfrm policy add src $REM_PRI dst $LOC_PRI dir in tmpl src $REM_PUB dst $LOC_PUB proto esp spi $SPI mode tunnel
    ip xfrm policy add src $REM_PRI dst $LOC_PRI dir fwd tmpl src $REM_PUB dst $LOC_PUB proto esp spi $SPI mode tunnel
    ping -c 5 $REM_PRI
fi

This works for pings between the systems, but not for transit traffic. Also, I doubt it would work for multiple tunnels between two systems.

Tcpdump results for system-system traffic (on the responding system):

[root@90c8710c0faa /]# tcpdump -nevi eth0 esp
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:26:48.206545 02:42:64:b4:1e:61 > 02:42:ac:17:00:06, ethertype IPv4 (0x0800), length 166: (tos 0x0, ttl 63, id 2297, offset 0, flags [DF], proto ESP (50), length 152)
    172.22.0.5 > 172.23.0.6: ESP(spi=0x00001234,seq=0xb), length 132
14:26:48.206589 02:42:ac:17:00:06 > 02:42:64:b4:1e:61, ethertype IPv4 (0x0800), length 166: (tos 0x0, ttl 64, id 5677, offset 0, flags [none], proto ESP (50), length 152)
    172.23.0.6 > 172.22.0.5: ESP(spi=0x00001234,seq=0x9), length 132

XFRM monitor:

[root@90c8710c0faa /]# ip xfrm monitor all
Async event  (0x10)  replay update 
    src 172.23.0.6 dst 172.22.0.5  reqid 0x0 protocol esp  SPI 0x1234

For transit traffic, both print nothing, on either system.

Jeff Learman · Answer 1 · 2022-06-23T16:36:02.853

The problem with the above is that the policy matches only traffic using the local IP addresses. It doesn't match relayed packets that are forwarded to the remote local IP, and it doesn't match the ISIS packets. The following works, as the policies match the encapsulated packets, using the public addresses.

GW=1 # or 2, for the other system

GW1_PUBIP=172.22.0.5 # ifconfig eth0  | grep inet | tr -s ' ' | cut -d' ' -f3
GW2_PUBIP=172.23.0.6
PRIVNET=192.168.12 # address prefix on the GRETAP link
SPI=0x1234
AUTHKEY=0x0123456789ABCDEF0123456789ABCDEF
ENCKEY=0xFEDCBA9876543210FEDCBA9876543210 
if [[ $GW == 1 ]]; then
    LOC_PUB=$GW1_PUBIP REM_PUB=$GW2_PUBIP LOC_PRI=$PRIVNET.2 REM_PRI=$PRIVNET.3
else
    LOC_PUB=$GW2_PUBIP REM_PUB=$GW1_PUBIP LOC_PRI=$PRIVNET.3 REM_PRI=$PRIVNET.2
fi  
PUBIP=$(ifconfig eth0 | grep inet | tr -s ' ' | cut -d' ' -f3)
if [[ $PUBIP == $LOC_PUB ]]; then # trigger guard
    ip xfrm state flush
    ip xfrm policy flush
    ip xfrm state add src $LOC_PUB dst $REM_PUB proto esp spi $SPI mode tunnel auth sha256 $AUTHKEY enc aes $ENCKEY
    ip xfrm state add src $REM_PUB dst $LOC_PUB proto esp spi $SPI mode tunnel auth sha256 $AUTHKEY enc aes $ENCKEY
    ip xfrm policy add src $LOC_PUB dst $REM_PUB dir out tmpl src $LOC_PUB dst $REM_PUB proto esp spi $SPI mode tunnel
    ip xfrm policy add src $REM_PUB dst $LOC_PUB dir in tmpl src $REM_PUB dst $LOC_PUB proto esp spi $SPI mode tunnel
    ip xfrm policy add src $REM_PUB dst $LOC_PUB dir fwd tmpl src $REM_PUB dst $LOC_PUB proto esp spi $SPI mode tunnel
    ping -c 5 $REM_PRI
fi

A limitation of this is that it won't support multiple tunnels between two systems, since it keys only on the public IP addresses (which would match for multiple GRETAP or GENEVE tunnels.)

I'll be happy to change the selected answer to a better example, or one with more explanation of the mysteries of `xfrm`. — Jeff Learman, Jun 21 '22 at 18:14
Multiple tunnels between two systems might be supportable using ports. — Jeff Learman, Jun 24 '22 at 17:37

GRETAP over IPSEC ESP using ip-xfrm

1 Answers1