[FROG] OSPF over GRE over IPSec
Volodymyr Litovka
doka at funlab.cc
Fri Mar 11 16:46:32 UTC 2022
Hi colleagues,
Can anybody help me with an issue in the following configuration?
There is GRE over IPsec in transport mode between Linux (Ubuntu 20.04)
and two other boxes - Cisco (virtual XE v17.07.01) and MikroTik (CHR
v6). Pings go through, so IPsec policies, addresses and connectivity are OK,
but OSPF (I'm using FRR 8.1) does not work.
On the Linux side, tcpdump shows that it sends hellos on this interface,
but both Cisco and CHR see nothing:
# tcpdump -i gre1 -v
[ ... ]
15:34:49.132222 IP (tos 0xc0, ttl 1, id 15017, offset 0, flags [none], proto OSPF (89), length 68)
my_linux > ospf-all.mcast.net: OSPFv2, Hello, length 48
Router-ID x.x.x.x, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.252, Priority 1
Neighbor List:
100.100.8.1
Cisco:
Mar 11 15:31:33.522: OSPF-1 HELLO Tu8: Send hello to 224.0.0.5 area 0 from 100.99.0.65
Mar 11 15:31:42.586: OSPF-1 HELLO Tu8: Send hello to 224.0.0.5 area 0 from 100.99.0.65
Mar 11 15:31:51.641: OSPF-1 HELLO Tu8: Send hello to 224.0.0.5 area 0 from 100.99.0.65
MikroTik (using the packet sniffer) also sees nothing on input.
The issue is definitely on the Linux side, but I can't figure out where exactly.
Linux side (MTU is the same, multicast switched on):
6: gre1 at NONE: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1000
link/gre x.x.x.x peer x.x.x.y
inet 100.99.0.66/30 brd 100.99.0.67 scope global gre1
valid_lft forever preferred_lft forever
vtysh#sh run
[ ... ]
interface gre1
ip ospf cost 5
ip ospf mtu-ignore
vtysh#sh ip ospf interface gre1
gre1 is up
ifindex 6, MTU 1400 bytes, BW 0 Mbit <UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>
Internet Address 100.99.0.66/30, Broadcast 100.99.0.67, Area 0.0.0.0
MTU mismatch detection: disabled
Router ID x.x.x.x, Network Type POINTOPOINT, Cost: 5
Transmit Delay is 1 sec, State Point-To-Point, Priority 1
No backup designated router on this network
Multicast group memberships: OSPFAllRouters
Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
Hello due in 8.701s
Neighbor Count is 1, Adjacent neighbor count is 0
vtysh#sh ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
100.100.8.1 1 Init/DROther 37.960s 100.99.0.65 gre1:100.99.0.66 0 0 0
host# ip maddress
[ ... ]
6: gre1
inet 224.0.0.5
inet 224.0.0.1
What am I missing in the Linux configuration?
The Cisco configuration, for reference:
interface Tunnel8
description HZF
ip address 100.99.0.65 255.255.255.252
ip mtu 1400
ip ospf network point-to-point
ip ospf cost 5
tunnel source GigabitEthernet1
tunnel destination x.x.x.x
Tunnel8 is up, line protocol is up
Internet Address 100.99.0.65/30, Interface ID 20, Area 0
Attached via Network Statement
Process ID 1, Router ID 100.100.8.1, Network Type POINT_TO_POINT, Cost: 5
Topology-MTID Cost Disabled Shutdown Topology Name
0 5 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Can not be protected by per-prefix Loop-Free FastReroute
Can be used for per-prefix Loop-Free FastReroute repair paths
Not Protected by per-prefix TI-LFA
Index 1/8/8, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 38
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Thank you for any recommendations.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
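Added example (not code from the post, from FRR or from Cisco): the Hello packets in the captures above must pass the checks of RFC 2328 section 10.5 on the receiving router before the neighbour can leave Init state. The script below builds the two Hellos the post shows (AuType 0, area 0, /30 mask, 10s/40s timers, E-bit set), verifies the OSPF checksum when parsing them, and lists the reasons a receiver would drop the packet. Addresses are taken from the post except the Linux Router ID, which is elided there and is assumed here as 100.100.9.1; the "fast timer" Cisco variant is a constructed counter-example.

```python
"""OSPFv2 Hello builder, parser and neighbour-compatibility check (RFC 2328).

Added example; models what a router does with a received Hello. The Linux
Router ID is assumed (the post elides it); other addresses come from the post.
"""
import struct
from ipaddress import IPv4Address

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
OPT_E = 0x02          # External routing capability ("Options [External]")
HEADER_LEN = 24       # fixed OSPFv2 header, including the 8-byte auth field


def ip2b(addr: str) -> bytes:
    return int(IPv4Address(addr)).to_bytes(4, "big")


def b2ip(b: bytes) -> str:
    return str(IPv4Address(int.from_bytes(b, "big")))


def ospf_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; OSPFv2 covers the packet minus the auth field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, mask, hello_int, dead_int, *, priority=1,
                options=OPT_E, dr="0.0.0.0", bdr="0.0.0.0", neighbors=()) -> bytes:
    """Return a complete OSPFv2 Hello with AuType 0 (null auth) and checksum filled in."""
    body = (ip2b(mask) + struct.pack("!HBBI", hello_int, options, priority, dead_int)
            + ip2b(dr) + ip2b(bdr) + b"".join(ip2b(n) for n in neighbors))
    length = HEADER_LEN + len(body)
    head = struct.pack("!BBH4s4s", OSPF_VERSION, OSPF_TYPE_HELLO, length,
                       ip2b(router_id), ip2b(area_id))
    cksum = ospf_checksum(head + struct.pack("!HH", 0, 0) + body)  # checksum=0, AuType=0
    return head + struct.pack("!HH", cksum, 0) + bytes(8) + body


def parse_hello(pkt: bytes) -> dict:
    """Validate version, type, length and checksum, then decode the Hello fields."""
    if len(pkt) < HEADER_LEN + 20:
        raise ValueError("truncated OSPF packet")
    ver, ptype, length, rid, aid, cksum, autype = struct.unpack("!BBH4s4sHH", pkt[:16])
    if ver != OSPF_VERSION or ptype != OSPF_TYPE_HELLO or length != len(pkt):
        raise ValueError("not a well-formed OSPFv2 Hello")
    # recompute with the checksum field zeroed and the 8-byte auth field skipped
    if ospf_checksum(pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[HEADER_LEN:]) != cksum:
        raise ValueError("bad OSPF checksum")
    mask, hello_int, options, prio, dead_int, dr, bdr = struct.unpack(
        "!4sHBBI4s4s", pkt[HEADER_LEN:HEADER_LEN + 20])
    nbrs = [b2ip(pkt[i:i + 4]) for i in range(HEADER_LEN + 20, len(pkt), 4)]
    return {"router_id": b2ip(rid), "area_id": b2ip(aid), "autype": autype,
            "mask": b2ip(mask), "hello_interval": hello_int, "dead_interval": dead_int,
            "options": options, "priority": prio, "dr": b2ip(dr), "bdr": b2ip(bdr),
            "neighbors": nbrs}


def checksum_ok(pkt: bytes) -> bool:
    try:
        parse_hello(pkt)
        return True
    except ValueError:
        return False


def hello_mismatches(local: dict, remote: dict, point_to_point: bool) -> list:
    """RFC 2328 s.10.5: reasons the receiver would drop the Hello (empty == accepted)."""
    reasons = []
    if local["router_id"] == remote["router_id"]:
        reasons.append("duplicate Router ID")
    if local["area_id"] != remote["area_id"]:
        reasons.append("area ID mismatch")
    if local["autype"] != remote["autype"]:
        reasons.append("authentication type mismatch")
    if not point_to_point and local["mask"] != remote["mask"]:  # mask ignored on p2p
        reasons.append("network mask mismatch")
    if local["hello_interval"] != remote["hello_interval"]:
        reasons.append("hello interval mismatch")
    if local["dead_interval"] != remote["dead_interval"]:
        reasons.append("dead interval mismatch")
    if (local["options"] ^ remote["options"]) & OPT_E:
        reasons.append("E-bit (stub area) mismatch")
    return reasons


def demo() -> tuple:
    """Rebuild the two Hellos from the post and check them against each other."""
    linux = build_hello("100.100.9.1", "0.0.0.0", "255.255.255.252", 10, 40,
                        neighbors=["100.100.8.1"])      # Linux Router ID is assumed
    cisco = build_hello("100.100.8.1", "0.0.0.0", "255.255.255.252", 10, 40)
    lnx, csc = parse_hello(linux), parse_hello(cisco)
    accepted = hello_mismatches(lnx, csc, point_to_point=True)
    # constructed variant: Cisco with 5s/20s timers would be rejected by the Linux side
    fast = parse_hello(build_hello("100.100.8.1", "0.0.0.0", "255.255.255.252", 5, 20))
    rejected = hello_mismatches(lnx, fast, point_to_point=True)
    return len(linux), accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The 48-byte length of the Linux Hello with one listed neighbour matches the tcpdump line in the post. Feeding a Hello captured on the far side (Cisco or CHR) into parse_hello and hello_mismatches tells you whether the packet would be accepted if it arrived; in the post the symptom is that it never arrives at all, so the check belongs on the outer interface capture, not the tunnel.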