IPsec + GRE messes OpenVPN routing

Hello

I am trying to configure the following IPsec tunnel (later on I will want to configure OSPF with GRE).
This is my setup:

In OWRT-V-01 I have the following config:

config openvpn 'test_1'
        option dev 'tun'
        option mssfix '1420'
        option keepalive '10 60'
        option verb '3'
        option comp_lzo 'yes'
        option ifconfig '10.20.0.1 10.20.0.2'
        option secret '/etc/openvpn/test.key'
        option enabled '1'

In OWRT-V-02 I have the following config:

config openvpn 'test_1'
        option dev 'tun'
        option nobind '1'
        option verb '3'
        option comp_lzo 'yes'
        option ifconfig '10.20.0.2 10.20.0.1'
        option secret '/etc/openvpn/test.key'
        option enabled '1'
        list remote '192.168.56.2'

From the logs it looks like it is working:

Sun Aug 23 06:31:34 2020 daemon.notice openvpn(test_1)[31132]: Peer Connection Initiated with [AF_INET]192.168.56.3:59467
Sun Aug 23 06:31:35 2020 daemon.notice openvpn(test_1)[31132]: Initialization Sequence Completed

But I cannot ping the tunnel IPs,

and it looks like the route is installed towards the wrong interface, eth1 instead of br-mng:

root@OWRT-V-02:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.3.2        0.0.0.0         UG        0 0          0 eth1
10.0.3.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.1.0.0        172.16.12.1     255.255.255.0   UG        0 0          0 gre4-gre1
10.2.0.0        0.0.0.0         255.255.255.0   U         0 0          0 dummy0
10.2.1.0        0.0.0.0         255.255.255.0   U         0 0          0 dummy1
10.2.2.0        0.0.0.0         255.255.255.0   U         0 0          0 dummy2
10.20.0.1       10.0.3.2        255.255.255.255 UGH       0 0          0 eth1
10.20.0.1       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.16.12.0     0.0.0.0         255.255.255.252 U         0 0          0 gre4-gre1
192.168.56.0    0.0.0.0         255.255.255.0   U         0 0          0 br-mng

# OWRT-V-02
ip route del 10.20.0.1 dev eth1
ping -w 3 10.20.0.1

Also check your network config.

Great! :slight_smile:

Yes, I needed to delete that route in both of the routers.

root@OWRT-V-02:~# ping -w 3 10.20.0.1
PING 10.20.0.1 (10.20.0.1): 56 data bytes
64 bytes from 10.20.0.1: seq=0 ttl=64 time=0.962 ms
64 bytes from 10.20.0.1: seq=1 ttl=64 time=0.700 ms
64 bytes from 10.20.0.1: seq=2 ttl=64 time=0.939 ms

It looks like it is caused by the GRE tunnel config. If I remove that section and reboot, there is no problem.
I don't think there is a problem with my GRE config; I tried it on a physical interface and it worked.

I am thinking the problem might be that GRE is initializing before the IPsec tunnel is ready.

I wonder what I should do?

In OWRT-V-01 I have the following config:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'loopback1'
        option proto 'static'
        option ipaddr '10.1.0.1'
        option netmask '255.255.255.0'
        option ifname 'dummy0'

config interface 'loopback2'
        option proto 'static'
        option ipaddr '10.1.1.1'
        option netmask '255.255.255.0'
        option ifname 'dummy1'

config interface 'loopback3'
        option proto 'static'
        option ipaddr '10.1.2.1'
        option netmask '255.255.255.0'
        option ifname 'dummy2'
config globals 'globals'
        option ula_prefix 'fd85:e101:7515::/48'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'mng'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ifname 'eth0'
        option ipaddr '192.168.56.2'

config interface 'gre1'
        option ipaddr '10.20.0.1'
        option peeraddr '10.20.0.2'
        option proto 'gre'

config interface 'gre1_static'
        option proto 'static'
        option ifname '@gre1'
        option ipaddr '172.16.12.1'
        option netmask '255.255.255.252'

config route 'tunnel'
        option interface 'gre1_static'
        option target '10.2.0.0'
        option netmask '255.255.255.0'
        option gateway '172.16.12.2'

In OWRT-V-02 I have the following config:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.255.255.0'

config interface 'loopback1'
        option proto 'static'
        option ipaddr '10.2.0.1'
        option netmask '255.255.255.0'
        option ifname 'dummy0'

config interface 'loopback2'
        option proto 'static'
        option ipaddr '10.2.1.1'
        option netmask '255.255.255.0'
        option ifname 'dummy1'

config interface 'loopback3'
        option proto 'static'
        option ipaddr '10.2.2.1'
        option netmask '255.255.255.0'
        option ifname 'dummy2'

config globals 'globals'
        option ula_prefix 'fd85:e101:7515::/48'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'mng'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ifname 'eth0'
        option ipaddr '192.168.56.3'
config interface 'gre1'
        option ipaddr '10.20.0.2'
        option peeraddr '10.20.0.1'
        option proto 'gre'

config interface 'gre1_static'
        option proto 'static'
        option ifname '@gre1'
        option ipaddr '172.16.12.2'
        option netmask '255.255.255.252'

config route 'tunnel'
        option interface 'gre1_static'
        option target '10.1.0.0'
        option netmask '255.255.255.0'
        option gateway '172.16.12.1'

It looks like this is the part which breaks the IPsec tunnel, and it is also happening if I configure it after the IPsec tunnel is up.

config interface 'gre1'
        option ipaddr '10.20.0.1'  # in the other router it is the opposite
        option peeraddr '10.20.0.2' # in the other router it is the opposite
        option proto 'gre'

Before starting up we have a route like:

10.20.0.1       0.0.0.0         255.255.255.255 UH        0 0          0 tun0

After GRE is started it is changed to:

10.20.0.1       10.0.3.2        255.255.255.255 UGH       0 0          0 eth1

If I use the following config:
OWRT-V-01:

config interface 'gre1'
        option ipaddr '10.20.0.1'
        option peeraddr '10.20.0.2'
        option proto 'gre'

config interface 'gre1_static'
        option proto 'static'
        option ifname '@gre1'
        option ipaddr '172.16.12.1'
        option netmask '255.255.255.252'

OWRT-V-02:

config interface 'gre1'
        option ipaddr '10.20.0.2'
        option peeraddr '10.20.0.1'
        option proto 'gre'

config interface 'gre1_static'
        option proto 'static'
        option ifname '@gre1'
        option ipaddr '172.16.12.2'
        option netmask '255.255.255.252'

and after reboot execute:

ip route del 10.20.0.1 dev eth1
ip route add 10.20.0.1 dev tun0
ip route del 10.20.0.2 dev eth1
ip route add 10.20.0.2 dev tun0

the routing table looks good and ping is working:

root@OWRT-V-01:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.3.2        0.0.0.0         UG        0 0          0 eth1
10.0.3.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.1.0.0        0.0.0.0         255.255.255.0   U         0 0          0 dummy0
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 dummy1
10.1.2.0        0.0.0.0         255.255.255.0   U         0 0          0 dummy2
10.20.0.2       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.16.12.0     0.0.0.0         255.255.255.252 U         0 0          0 gre4-gre1
192.168.56.0    0.0.0.0         255.255.255.0   U         0 0          0 br-mng

root@OWRT-V-02:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.3.2        0.0.0.0         UG        0 0          0 eth1
10.0.3.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.2.0.0        0.0.0.0         255.255.255.0   U         0 0          0 dummy0
10.2.1.0        0.0.0.0         255.255.255.0   U         0 0          0 dummy1
10.2.2.0        0.0.0.0         255.255.255.0   U         0 0          0 dummy2
10.20.0.1       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.16.12.0     0.0.0.0         255.255.255.252 U         0 0          0 gre4-gre1
192.168.56.0    0.0.0.0         255.255.255.0   U         0 0          0 br-mng

I wonder how to modify my config so the interface comes up automatically.
Also I feel my way of bringing up the GRE interface is hacky.

If needed I can share the VirtualBox images. I just don't know where it is possible to upload them here.
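As an added example (not from the thread, and not an OpenWrt tool), a small POSIX sh check that reads `netstat -rn` output and flags any tunnel endpoint whose /32 host route leaves via an interface other than the tun device, which is exactly the eth1-versus-tun0 symptom described above. The function name `check_tunnel_routes` and the variable `SAMPLE_TABLE` are chosen here; the sample table is constructed to mirror the broken OWRT-V-02 output.

```shell
#!/bin/sh
# Added example (not from the thread): verify that each tunnel endpoint's /32 host
# route is bound to the expected tun interface rather than the WAN device.
# check_tunnel_routes and SAMPLE_TABLE are names chosen here, not OpenWrt's.

# Columns of `netstat -rn`: Destination Gateway Genmask Flags MSS Window irtt Iface
check_tunnel_routes() {
    want_if=$1
    shift
    table=$(cat)        # routing table text arrives on stdin
    rc=0
    for host in "$@"; do
        # Host routes for $host that leave via some other interface (e.g. eth1)
        misrouted=$(printf '%s\n' "$table" | awk -v h="$host" -v i="$want_if" \
            '$1 == h && $3 == "255.255.255.255" && $8 != i { print $8 }')
        # Count of host routes for $host that correctly leave via the tun device
        on_tun=$(printf '%s\n' "$table" | awk -v h="$host" -v i="$want_if" \
            '$1 == h && $3 == "255.255.255.255" && $8 == i { n++ } END { print n + 0 }')
        if [ -n "$misrouted" ]; then
            echo "MISROUTED $host via $(printf '%s' "$misrouted" | tr '\n' ',') (expected $want_if)"
            rc=1
        elif [ "$on_tun" -eq 0 ]; then
            echo "MISSING $host (no host route via $want_if)"
            rc=1
        else
            echo "OK $host via $want_if"
        fi
    done
    return $rc
}

# Constructed sample mirroring the broken OWRT-V-02 table from the thread
SAMPLE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.3.2        0.0.0.0         UG        0 0          0 eth1
10.0.3.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.20.0.1       10.0.3.2        255.255.255.255 UGH       0 0          0 eth1
10.20.0.1       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.56.0    0.0.0.0         255.255.255.0   U         0 0          0 br-mng'

# On a live router: netstat -rn | check_tunnel_routes tun0 10.20.0.1
printf '%s\n' "$SAMPLE_TABLE" | check_tunnel_routes tun0 10.20.0.1 || :
```

A non-zero exit status means at least one endpoint is misrouted or has no host route at all, so the check can gate a GRE start script or run from cron as a watchdog.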

Hello

I tried, but it did not work.
I might be doing something wrong?

config interface 'gre1'
        option ipaddr '10.20.0.2'
        option peeraddr '10.20.0.1'
        option proto 'gre'
        option ip4table 'special'
config interface 'gre1_static'
        option proto 'static'
        option ifname '@gre1'
        option ipaddr '172.16.12.2'
        option netmask '255.255.255.252'
        option ip4table 'special'

Unfortunately it did not change the situation much :frowning:

config interface 'gre1'
        option ipaddr '10.20.0.2'
        option peeraddr '10.20.0.1'
        option proto 'gre'
        option ip4table '1'

config interface 'gre1_static'
        option proto 'static'
        option ifname '@gre1'
        option ipaddr '172.16.12.2'
        option netmask '255.255.255.252'

Unfortunately I don't see too much in the logs (except IPsec in a crash loop, I guess because of the wrong gateway):

Sun Aug 23 20:06:20 2020 daemon.warn openvpn(test_1)[2087]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: OpenVPN 2.4.7 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Sun Aug 23 20:06:20 2020 daemon.warn openvpn(test_1)[2087]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Sun Aug 23 20:06:20 2020 daemon.warn openvpn(test_1)[2087]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: TUN/TAP device tun0 opened
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: TUN/TAP TX queue length set to 100
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: /sbin/ifconfig tun0 10.20.0.2 pointopoint 10.20.0.1 mtu 1500
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.56.2:1194
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: UDP link local: (not bound)
Sun Aug 23 20:06:20 2020 daemon.notice openvpn(test_1)[2087]: UDP link remote: [AF_INET]192.168.56.2:1194
Sun Aug 23 20:06:20 2020 daemon.info procd: - init complete -
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Network device 'eth1' link is up
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'wan' has link connectivity
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'wan' is setting up now
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Network device 'eth0' link is up
Sun Aug 23 20:06:22 2020 local1.info Keepalived_vrrp[1942]: Netlink reports br-mng up
Sun Aug 23 20:06:22 2020 local1.info Keepalived_vrrp[1942]: (VI_1) Entering BACKUP STATE
Sun Aug 23 20:06:22 2020 daemon.notice netifd: bridge 'br-mng' link is up
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'mng' has link connectivity
Sun Aug 23 20:06:22 2020 kern.info kernel: [    8.800904] e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Sun Aug 23 20:06:22 2020 kern.info kernel: [    8.802212] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Sun Aug 23 20:06:22 2020 kern.info kernel: [    8.803074] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Sun Aug 23 20:06:22 2020 kern.info kernel: [    8.803626] br-mng: port 1(eth0) entered blocking state
Sun Aug 23 20:06:22 2020 kern.info kernel: [    8.804025] br-mng: port 1(eth0) entered forwarding state
Sun Aug 23 20:06:22 2020 kern.info kernel: [    8.805432] IPv6: ADDRCONF(NETDEV_CHANGE): br-mng: link becomes ready
Sun Aug 23 20:06:22 2020 daemon.notice netifd: wan (2197): udhcpc: started, v1.30.1
Sun Aug 23 20:06:22 2020 daemon.notice netifd: wan (2197): udhcpc: sending discover
Sun Aug 23 20:06:22 2020 daemon.notice netifd: wan (2197): udhcpc: sending select for 10.0.3.15
Sun Aug 23 20:06:22 2020 daemon.notice netifd: wan (2197): udhcpc: lease of 10.0.3.15 obtained, lease time 86400
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'gre1' is setting up now
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'wan' is now up
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: reading /tmp/resolv.conf.auto
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain test
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain onion
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain localhost
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain local
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain invalid
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain bind
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using local addresses only for domain lan
Sun Aug 23 20:06:22 2020 daemon.info dnsmasq[1597]: using nameserver 8.8.8.8#53
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'gre1_static' is enabled
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'gre1_static' is setting up now
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'gre1_static' is now up
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'gre1' is now up
Sun Aug 23 20:06:22 2020 daemon.notice netifd: tunnel 'gre4-gre1' link is up
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Network alias 'gre4-gre1' link is up
Sun Aug 23 20:06:22 2020 daemon.notice netifd: Interface 'gre1_static' has link connectivity
Sun Aug 23 20:06:22 2020 kern.warn kernel: [    8.868121] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.
Sun Aug 23 20:06:26 2020 daemon.notice openvpn(test_1)[2087]: Peer Connection Initiated with [AF_INET]192.168.56.2:1194
Sun Aug 23 20:06:27 2020 daemon.warn openvpn(test_1)[2087]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Aug 23 20:06:27 2020 daemon.notice openvpn(test_1)[2087]: Initialization Sequence Completed
Sun Aug 23 20:06:45 2020 daemon.info procd: Instance ipsec::instance1 s in a crash loop 6 crashes, 0 seconds since last crash

Still, if I execute:

ip route del 10.20.0.1 dev eth1
ip route add 10.20.0.1 dev tun0

ip route del 10.20.0.2 dev eth1
ip route add 10.20.0.2 dev tun0

everything goes back to normal.

It is needed to specify a tunlink.

config interface 'gre1'
        option ipaddr '10.20.0.2'
        option peeraddr '10.20.0.1'
        option proto 'gre'
        option tunlink 'mng'

Everything looks good :slight_smile:
