# Strange issue with the encapsulation of gre into ipip protocol (FreeBSD 8.2)
## dynax60 (Nov 17, 2011)

Good day!

I have an IPSec connection with a company:


```
X.X.X.X      - my IPSec peer (real IP address)
A.A.A.A      - service for the mobile terminals (real IP address)
Y.Y.Y.Y      - remote IPSec peer (real IP address)
Z.Z.Z.Z      - remote GRE gateway (real IP address)
10.0.0.0/24  - the remote mobile terminals' network beyond the gre on Z.Z.Z.Z.
```
Objective: The mobile terminals from network 10.0.0.0/24 must have access to A.A.A.A via my router. The remote private network is beyond the GRE tunnel (without a private /30 subnet; they route via the gre interface directly), and the GRE tunnel must be reached via IPSec on Y.Y.Y.Y. So the scheme is: tcp->gre->ipip->esp. I have no idea why there is double encapsulation; this is a requirement of the remote side.


```
/etc/rc.conf:

gif_interfaces="gif0"
static_routes="vpn0"
cloned_interfaces="gre0"
gifconfig_gif0="X.X.X.X Y.Y.Y.Y"
ifconfig_gre0="tunnel X.X.X.X Z.Z.Z.Z"
route_vpn0="10.0.0.0/24 -interface gre0"
```


```
setkey.conf:

flush;
spdflush;

spdadd X.X.X.X/32[any] Z.Z.Z.Z/32[any] 47 -P out ipsec esp/tunnel/X.X.X.X-Y.Y.Y.Y/unique;
spdadd Z.Z.Z.Z/32[any] X.X.X.X/32[any] 47 -P in ipsec esp/tunnel/Y.Y.Y.Y-X.X.X.X/unique;
```


```
racoon.conf:

<snipped>
remote Y.Y.Y.Y [500]
{
        exchange_mode   main;
        doi             ipsec_doi;
        situation       identity_only;
        nonce_size      16;
        initial_contact on;
        support_proxy   on;
        proposal_check  obey;

        proposal {
                encryption_algorithm    3des;
                hash_algorithm          sha1;
                authentication_method   pre_shared_key;
                lifetime time           600 sec;
                dh_group                2;
        }
}

sainfo address X.X.X.X/32 47 address Z.Z.Z.Z/32 47
{
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 3600 sec;
}
```


```
# ifconfig gre0
gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> metric 0 mtu 1476
        tunnel inet X.X.X.X --> Y.Y.Y.Y
# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet X.X.X.X --> Z.Z.Z.Z
        options=1<ACCEPT_REV_ETHIP_VER>
# netstat -rn | grep gre
10.0.0.0/24  gre0               US          0     4191   gre0
```

So it looks like the terminals are trying to work, but I noticed strange traffic on the enc0 interface:


```
10:27:58.028806 (authentic,confidential): SPI 0x0d640bcb: IP Y.Y.Y.Y > X.X.X.X: IP Z.Z.Z.Z > X.X.X.X: GREv0, length 48: IP 10.0.0.1.7337 > A.A.A.A.10008: Flags [S], seq 14633856, win 32120, options [[|tcp] (ipip-proto-4)
10:27:58.029544 (authentic,confidential): SPI 0x9e06a435: IP X.X.X.X > Z.Z.Z.Z: GREv0, length 48: IP A.A.A.A.10008 > 10.0.0.1.7337: Flags [S.], seq 1966363414, ack 14633857, win 8192, options [mss 1460], length 0
10:27:58.029552 (authentic,confidential): SPI 0x9e06a435: IP X.X.X.X > Y.Y.Y.Y: IP X.X.X.X > Z.Z.Z.Z: GREv0, length 48: IP A.A.A.A.10008 > 10.0.0.1.7337: Flags [S.], seq 1966363414, ack 14633857, win 8192, options [[|tcp] (ipip-proto-4)
10:27:58.628570 (authentic,confidential): SPI 0x0d640bcb: IP Y.Y.Y.Y > X.X.X.X: IP Z.Z.Z.Z > X.X.X.X: GREv0, length 44: IP 10.0.0.1.7337 > A.A.A.A.10008: Flags [.], ack 1, win 32120, length 0 (ipip-proto-4)
10:28:00.829033 (authentic,confidential): SPI 0x0d640bcb: IP Y.Y.Y.Y > X.X.X.X: IP Z.Z.Z.Z > X.X.X.X: GREv0, length 137: IP 10.0.0.1.7337 > A.A.A.A.9990: Flags [FSRP.W], seq 667402656:667402725, ack 2153916852, win 64615, options [[|tcp] (ipip-proto-4)
10:28:08.622620 (authentic,confidential): SPI 0x9e06a435: IP X.X.X.X > Z.Z.Z.Z: GREv0, length 44: IP A.A.A.A.10008 > 10.0.0.1.7337: Flags [F.], seq 1, ack 1, win 64240, length 0
10:28:08.622632 (authentic,confidential): SPI 0x9e06a435: IP X.X.X.X > Y.Y.Y.Y: IP X.X.X.X > Z.Z.Z.Z: GREv0, length 44: IP A.A.A.A.10008 > 10.0.0.1.7337: Flags [F.], seq 1, ack 1, win 64240, length 0 (ipip-proto-4)
10:28:09.808942 (authentic,confidential): SPI 0x0d640bcb: IP Y.Y.Y.Y > X.X.X.X: IP Z.Z.Z.Z > X.X.X.X: GREv0, length 44: IP 10.0.0.1.7337 > A.A.A.A.10008: Flags [.], ack 2, win 32120, length 0 (ipip-proto-4)
10:28:10.449265 (authentic,confidential): SPI 0x0d640bcb: IP Y.Y.Y.Y > X.X.X.X: IP Z.Z.Z.Z > X.X.X.X: GREv0, length 137: IP 10.0.0.1.7337 > A.A.A.A.10008: Flags [P.], ack 1, win 32120, length 93 (ipip-proto-4)
10:28:10.449672 (authentic,confidential): SPI 0x9e06a435: IP X.X.X.X > Z.Z.Z.Z: GREv0, length 44: IP A.A.A.A.10008 > 10.0.0.1.7337: Flags [R.], seq 2, ack 94, win 0, length 0
10:28:10.449679 (authentic,confidential): SPI 0x9e06a435: IP X.X.X.X > Y.Y.Y.Y: IP X.X.X.X > Z.Z.Z.Z: GREv0, length 44: IP A.A.A.A.10008 > 10.0.0.1.7337: Flags [R.], seq 2, ack 94, win 0, length 0 (ipip-proto-4)
```

It is not clear to me why the first gre response packet from A.A.A.A is not encapsulated in the ipip protocol but is sent directly to Z.Z.Z.Z (via the esp protocol), while the next gre packet with the same ack id is normally encapsulated in IPIP for sending to the peer Y.Y.Y.Y. Where am I wrong? FreeBSD 8.2.
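As an added diagnostic (not part of the original post), the script below parses enc0 tcpdump lines of the shape shown above and flags every packet whose encapsulation departs from the layering the poster's SPD describes: an outer IPIP header between X.X.X.X and Y.Y.Y.Y carrying GRE between X.X.X.X and Z.Z.Z.Z. The sample lines are constructed from the post's capture, folded one packet per line, with the placeholder addresses kept as written there.

```python
import re

# Constructed sample in the shape of the post's enc0 tcpdump output, one packet per line.
SAMPLE = """\
10:27:58.028806 (authentic,confidential): SPI 0x0d640bcb: IP Y.Y.Y.Y > X.X.X.X: IP Z.Z.Z.Z > X.X.X.X: GREv0, length 48: IP 10.0.0.1.7337 > A.A.A.A.10008: Flags [S], seq 14633856, win 32120, options [[|tcp] (ipip-proto-4)
10:27:58.029544 (authentic,confidential): SPI 0x9e06a435: IP X.X.X.X > Z.Z.Z.Z: GREv0, length 48: IP A.A.A.A.10008 > 10.0.0.1.7337: Flags [S.], seq 1966363414, ack 14633857, win 8192, options [mss 1460], length 0
10:27:58.029552 (authentic,confidential): SPI 0x9e06a435: IP X.X.X.X > Y.Y.Y.Y: IP X.X.X.X > Z.Z.Z.Z: GREv0, length 48: IP A.A.A.A.10008 > 10.0.0.1.7337: Flags [S.], seq 1966363414, ack 14633857, win 8192, options [[|tcp] (ipip-proto-4)
"""

# Layering the poster's SPD describes: GRE between X and Z, carried in IPIP between X and Y.
MY_PEER, IPSEC_PEER, GRE_PEER = "X.X.X.X", "Y.Y.Y.Y", "Z.Z.Z.Z"

IP_HDR = re.compile(r"\bIP (\S+) > (\S+):")
SPI_RE = re.compile(r"SPI (0x[0-9a-f]+):")


def _strip_port(addr):
    """tcpdump appends the port as a trailing dotted field: 'A.A.A.A.10008' -> 'A.A.A.A'."""
    return re.sub(r"\.\d+$", "", addr)


def parse_enc0_line(line):
    """Return the SPI plus every (src, dst) IP header on the line, outermost first."""
    layers = [(_strip_port(s), _strip_port(d)) for s, d in IP_HDR.findall(line)]
    return {"spi": SPI_RE.search(line).group(1), "layers": layers,
            "gre": "GREv0" in line, "ipip": "(ipip-proto-4)" in line}


def check_layering(pkt):
    """Findings for one packet that departs from ipip(X<->Y) > gre(X<->Z) > payload."""
    layers = pkt["layers"]
    if not pkt["gre"]:
        return ["no GRE header"]
    findings = []
    if not pkt["ipip"] or len(layers) < 3:
        findings.append("GRE not wrapped in IPIP (ipip-proto-4 layer missing)")
    if set(layers[0]) != {MY_PEER, IPSEC_PEER}:
        findings.append("outer header is %s > %s, expected %s <-> %s"
                        % (layers[0][0], layers[0][1], MY_PEER, IPSEC_PEER))
    carrier = set(layers[-2]) if len(layers) >= 2 else set()   # header directly under GRE
    if carrier != {MY_PEER, GRE_PEER}:
        findings.append("GRE carrier endpoints %s, expected %s <-> %s"
                        % (sorted(carrier), MY_PEER, GRE_PEER))
    return findings


def audit(text):
    """Map the index of each non-conforming line to its findings; conforming lines are omitted."""
    out = {}
    for n, line in enumerate(l for l in text.splitlines() if l.strip()):
        findings = check_layering(parse_enc0_line(line))
        if findings:
            out[n] = findings
    return out
```

Run against the full capture, the audit singles out exactly the replies that left via the X.X.X.X > Z.Z.Z.Z SA without the IPIP layer, which is the asymmetry the question is about.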

