OK - I read a bit into the quagga doc and started debugging. According to the debug ospf packets hello, quagga is receiving OSPF Hello Multicasts from the far side and it claims that it is sending out Multicasts into the tunnel interface too:
2010/04/20 11:31:07 OSPF: Hello received from [192.168.100.1] via [ip.tun0:192.168.100.2]
2010/04/20 11:31:07 OSPF:  src [192.168.100.1],
2010/04/20 11:31:07 OSPF:  dst [224.0.0.5]
2010/04/20 11:31:07 OSPF: Hello sent to [224.0.0.5] via [ip.tun0:192.168.100.2].

but snoop on the WAN interface proves that no ESP packets leave the system. Only ESP from the Juniper reaches it (most likely containing the hellos):

r...@kunde003-wan:~# snoop -rd wan3001 esp
Using device wan3001 (promiscuous mode)
 82.100.214.138 -> 213.172.123.138 ESP SPI=0xc62ed979 Replay=309
 82.100.214.138 -> 213.172.123.138 ESP SPI=0xc62ed979 Replay=310
 82.100.214.138 -> 213.172.123.138 ESP SPI=0xc62ed979 Replay=311
 82.100.214.138 -> 213.172.123.138 ESP SPI=0xc62ed979 Replay=312

Netstat claims that the tunnel interface ip.tun0 is part of the OSPF multicast group:

r...@kunde003-wan:/etc/quagga# netstat -gn
Group Memberships: IPv4
Interface Group                RefCnt
--------- -------------------- ------
lo0       224.0.0.1                 1
dmz103001 224.0.0.1                 1
ip.tun0   224.0.0.5                 1
ip.tun0   224.0.0.1                 1
wan3001   224.0.0.1                 1

Any idea why the Hellos don't get sent through the tunnel? Do I need special IPsec policies / rules to cope with the multicasts?
There is a route to the remote tunnel interface via our local tunnel interface:

r...@kunde003-wan:~# netstat -nr
Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              213.172.123.137      UG        1        432
82.100.231.232       82.100.231.233       U         1          0 dmz103001
103.0.0.33           82.100.231.233       UH        1          0 ip.tun1
192.168.100.1        192.168.100.2        UH        1          1 ip.tun0
213.172.123.136      213.172.123.138      U         1          2 wan3001
127.0.0.1            127.0.0.1            UH        1         14 lo0

Pinging the remote tunnel interface works fine:

r...@kunde003-wan:/etc/quagga# ping 192.168.100.1
192.168.100.1 is alive

And the ping actually got routed through the tunnel:

r...@kunde003-wan:~# snoop -rd wan3001 esp
Using device wan3001 (promiscuous mode)
213.172.123.138 -> 82.100.214.138 ESP SPI=0x9824468b Replay=5
 82.100.214.138 -> 213.172.123.138 ESP SPI=0xc62ed979 Replay=357

Cheers,
Kai

_______________________________________________
networking-discuss mailing list
[email protected]
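The two checks Kai does by eye above (is ESP leaving the box at all, and has ip.tun0 joined 224.0.0.5?) can be scripted so that a capture taken over a longer window is judged consistently. The following is an added example, not part of the original post or of Quagga; the snoop and netstat samples are constructed from the lines quoted in the thread, and the local WAN address 213.172.123.138 is taken from those lines as an assumption. It parses `snoop -rd <if> esp` and `netstat -gn` output, reports ESP packet counts per direction and per SPI, flags a tunnel that only carries inbound ESP, lists gaps in the ESP replay counter, and confirms the OSPF AllSPFRouters group membership on the tunnel interface.

```python
"""Added diagnostic helper (example code, not from the thread): judge a
'snoop -rd <if> esp' capture and 'netstat -gn' output for a tunnel problem."""
import re
from collections import defaultdict

OSPF_ALL_ROUTERS = "224.0.0.5"

# Constructed sample, modelled on the capture quoted during the hello phase:
# only ESP from the far side is seen on the WAN interface.
SNOOP_ONE_WAY = """\
Using device wan3001 (promiscuous mode)
 82.100.214.138 -> 213.172.123.138 ESP SPI=0xc62ed979 Replay=309
 82.100.214.138 -> 213.172.123.138 ESP SPI=0xc62ed979 Replay=310
 82.100.214.138 -> 213.172.123.138 ESP SPI=0xc62ed979 Replay=311
 82.100.214.138 -> 213.172.123.138 ESP SPI=0xc62ed979 Replay=312
"""

# Constructed sample, modelled on the capture quoted during the ping test.
SNOOP_TWO_WAY = """\
Using device wan3001 (promiscuous mode)
213.172.123.138 -> 82.100.214.138 ESP SPI=0x9824468b Replay=5
 82.100.214.138 -> 213.172.123.138 ESP SPI=0xc62ed979 Replay=357
"""

# Constructed sample, modelled on the 'netstat -gn' output in the thread.
NETSTAT_GN = """\
Group Memberships: IPv4
Interface Group                RefCnt
--------- -------------------- ------
lo0       224.0.0.1                 1
dmz103001 224.0.0.1                 1
ip.tun0   224.0.0.5                 1
ip.tun0   224.0.0.1                 1
wan3001   224.0.0.1                 1
"""

ESP_LINE = re.compile(
    r"^\s*(?P<src>\d+(?:\.\d+){3})\s+->\s+(?P<dst>\d+(?:\.\d+){3})\s+ESP\s+"
    r"SPI=(?P<spi>0x[0-9a-fA-F]+)\s+Replay=(?P<replay>\d+)\s*$"
)
GROUP_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<group>\d+(?:\.\d+){3})\s+(?P<refcnt>\d+)\s*$"
)


def parse_snoop_esp(text):
    """Return one dict per ESP line: src, dst, spi (int), replay (int).
    Header lines such as 'Using device ...' do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = ESP_LINE.match(line)
        if m:
            records.append({"src": m["src"], "dst": m["dst"],
                            "spi": int(m["spi"], 16), "replay": int(m["replay"])})
    return records


def esp_direction_summary(records, local_ip):
    """Count ESP packets leaving and reaching local_ip and collect the SPIs
    seen each way. A tunnel that is actually forwarding shows both directions."""
    s = {"outbound": 0, "inbound": 0, "outbound_spis": set(), "inbound_spis": set()}
    for r in records:
        if r["src"] == local_ip:
            s["outbound"] += 1
            s["outbound_spis"].add(r["spi"])
        elif r["dst"] == local_ip:
            s["inbound"] += 1
            s["inbound_spis"].add(r["spi"])
    s["bidirectional"] = s["outbound"] > 0 and s["inbound"] > 0
    return s


def replay_gaps(records):
    """Per SPI, list replay counter values missing between the first and last
    seen; gaps point at drops on the path or packets the capture missed."""
    seen = defaultdict(set)
    for r in records:
        seen[r["spi"]].add(r["replay"])
    return {spi: sorted(set(range(min(v), max(v) + 1)) - v) for spi, v in seen.items()}


def parse_netstat_groups(text):
    """Map interface name -> set of joined multicast groups."""
    groups = defaultdict(set)
    for line in text.splitlines():
        m = GROUP_LINE.match(line)
        if m:
            groups[m["iface"]].add(m["group"])
    return dict(groups)


def joined_ospf_group(groups, iface):
    """True if iface has joined 224.0.0.5, which OSPF needs for Hellos."""
    return OSPF_ALL_ROUTERS in groups.get(iface, set())


if __name__ == "__main__":
    local = "213.172.123.138"  # assumed local WAN address, taken from the thread
    for label, cap in (("hello phase", SNOOP_ONE_WAY), ("ping test", SNOOP_TWO_WAY)):
        s = esp_direction_summary(parse_snoop_esp(cap), local)
        print(f"{label}: out={s['outbound']} in={s['inbound']} "
              f"bidirectional={s['bidirectional']}")
    print("ip.tun0 joined 224.0.0.5:",
          joined_ospf_group(parse_netstat_groups(NETSTAT_GN), "ip.tun0"))
```

Run it on a real capture by feeding `snoop -rd wan3001 esp` output into `parse_snoop_esp` instead of the constructed sample; a summary with `inbound > 0` and `outbound == 0` during the OSPF hello phase reproduces the symptom in the thread, while the ping-phase capture is expected to come out bidirectional.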
