[uanog] OSPF over GRE over IPSec

Volodymyr Litovka doka at funlab.cc
Fri Mar 11 20:58:42 EET 2022


You probably have "ttl inherit" set on the tunnel (it is the default).
Since the TTL on the OSPF multicast packets is 1, the tunnel packets
will not arrive at the destination.  Try:
"ip link set gre1 type gre ttl 64"

On 11.03.2022 16:48, Volodymyr Litovka wrote:
>
> Hi,
>
> please help me with the following configuration.
>
> There is GRE over IPSec in transport mode between Linux (Ubuntu 20.04) and 
> Cisco (virtual XE v17.07.01). Pings go through, i.e. the connection itself 
> comes up and
> IPSec policies are ok, but OSPF (FRR 8.1) does not come up.
>
> tcpdump on the Linux side shows hellos being sent into this interface, but 
> Cisco sees nothing from the tunnel:
>
> # tcpdump -i gre1 -v
> [ ... ]
> 15:34:49.132222 IP (tos 0xc0, ttl 1, id 15017, offset 0, flags [none], proto OSPF (89), length 68)
>      my_linux > ospf-all.mcast.net: OSPFv2, Hello, length 48
> 	Router-ID x.x.x.x, Backbone Area, Authentication Type: none (0)
> 	Options [External]
> 	  Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.252, Priority 1
> 	  Neighbor List:
> 	    100.100.8.1
>
> Cisco:
>
> Mar 11 15:31:33.522: OSPF-1 HELLO Tu8: Send hello to 224.0.0.5 area 0 from 100.99.0.65
> Mar 11 15:31:42.586: OSPF-1 HELLO Tu8: Send hello to 224.0.0.5 area 0 from 100.99.0.65
> Mar 11 15:31:51.641: OSPF-1 HELLO Tu8: Send hello to 224.0.0.5 area 0 from 100.99.0.65
>
> It seems to me that the problem is on the Linux side, but I cannot understand what 
> I am doing wrong. Does anyone have experience running such a configuration and can 
> suggest something?
>
> Linux configuration (MTUs match, multicast is set):
>
> 6: gre1@NONE: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1000
>      link/gre x.x.x.x peer x.x.x.y
>      inet 100.99.0.66/30 brd 100.99.0.67 scope global gre1
>         valid_lft forever preferred_lft forever
>
> interface gre1
>   ip ospf cost 5
>   ip ospf mtu-ignore
>
> # sh ip ospf interface gre1
> gre1 is up
>    ifindex 6, MTU 1400 bytes, BW 0 Mbit <UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>
>    Internet Address 100.99.0.66/30, Broadcast 100.99.0.67, Area 0.0.0.0
>    MTU mismatch detection: disabled
>    Router ID x.x.x.x, Network Type POINTOPOINT, Cost: 5
>    Transmit Delay is 1 sec, State Point-To-Point, Priority 1
>    No backup designated router on this network
>    Multicast group memberships: OSPFAllRouters
>    Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
>      Hello due in 8.701s
>    Neighbor Count is 1, Adjacent neighbor count is 0
>
> Cisco configuration:
>
> interface Tunnel8
>   description HZF
>   ip address 100.99.0.65 255.255.255.252
>   ip mtu 1400
>   ip ospf network point-to-point
>   ip ospf cost 5
>   tunnel source GigabitEthernet1
>   tunnel destination x.x.x.x
>
> Tunnel8 is up, line protocol is up
>    Internet Address 100.99.0.65/30, Interface ID 20, Area 0
>    Attached via Network Statement
>    Process ID 1, Router ID 100.100.8.1, Network Type POINT_TO_POINT, Cost: 5
>    Topology-MTID    Cost    Disabled    Shutdown      Topology Name
>          0           5         no          no            Base
>    Transmit Delay is 1 sec, State POINT_TO_POINT
>    Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
>      oob-resync timeout 40
>      Hello due in 00:00:04
>    Supports Link-local Signaling (LLS)
>    Cisco NSF helper support enabled
>    IETF NSF helper support enabled
>    Can not be protected by per-prefix Loop-Free FastReroute
>    Can be used for per-prefix Loop-Free FastReroute repair paths
>    Not Protected by per-prefix TI-LFA
>    Index 1/8/8, flood queue length 0
>    Next 0x0(0)/0x0(0)/0x0(0)
>    Last flood scan length is 1, maximum is 38
>    Last flood scan time is 0 msec, maximum is 1 msec
>    Neighbor Count is 0, Adjacent neighbor count is 0
>    Suppress hello for 0 neighbor(s)
>
> on the FRR side I see this:
>
> # sh ip ospf neigh
>
> Neighbor ID     Pri State           Dead Time Address         Interface                        RXmtL RqstL DBsmL
> 100.100.8.1       1 Init/DROther      37.960s 100.99.0.65     gre1:100.99.0.66                     0     0     0
>
> on the Cisco side there is nothing, because it does not see Hellos from Linux.
>
> Thanks for any advice.
>
> -- 
> Volodymyr Litovka
>    "Vision without Execution is Hallucination." -- Thomas Edison

-- 
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
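The check the reply points at, as an added example (not code from the thread or from either vendor): it reads the tunnel's ttl setting out of `ip -d link show` output and flags `ttl inherit`, under which an OSPF hello's inner TTL of 1 becomes the outer TTL. The function names and the sample output are constructed; it assumes the `gre remote ... local ... ttl <n|inherit>` line that iproute2 prints.

```shell
#!/bin/sh
# Added example (not from the thread): detect a GRE tunnel whose outer TTL is
# inherited from the inner packet. OSPF hellos carry TTL 1, so under "ttl inherit"
# the encapsulated packet dies at the first hop and the far end never sees a Hello.
# Assumes the "gre remote ... local ... ttl <n|inherit>" line of "ip -d link show".

# gre_ttl_mode: read "ip -d link show <dev>" output on stdin and print the
# tunnel ttl field ("inherit" or a number), or "unknown" if no gre line is found.
gre_ttl_mode() {
    awk '
        /^[[:space:]]*gre / {
            for (i = 1; i < NF; i++)
                if ($i == "ttl") { print $(i + 1); found = 1; exit }
        }
        END { if (!found) print "unknown" }'
}

# ospf_safe_ttl <mode>: 0 when a TTL-1 inner packet still gets a usable outer
# TTL, 1 when the tunnel copies the inner TTL (or the mode could not be read).
ospf_safe_ttl() {
    case "$1" in
        inherit|unknown|0) return 1 ;;
        *) return 0 ;;
    esac
}

# check_tunnel <dev>: live check on this host (needs iproute2); prints the remedy.
check_tunnel() {
    mode=$(ip -d link show "$1" | gre_ttl_mode)
    if ospf_safe_ttl "$mode"; then
        echo "$1: ttl $mode, multicast hellos leave with a usable outer TTL"
    else
        echo "$1: ttl $mode, a TTL-1 OSPF hello would leave with outer TTL 1; fix with:"
        echo "    ip link set $1 type gre ttl 64"
        return 1
    fi
}

# Constructed sample output (documentation addresses, not the thread's hosts) for a
# tunnel at the default "ttl inherit" and for the same tunnel after the fix.
SAMPLE_INHERIT='6: gre1@NONE: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/gre 192.0.2.1 peer 192.0.2.2 promiscuity 0 minmtu 0 maxmtu 0
    gre remote 192.0.2.2 local 192.0.2.1 ttl inherit addrgenmode eui64'
SAMPLE_FIXED='6: gre1@NONE: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/gre 192.0.2.1 peer 192.0.2.2 promiscuity 0 minmtu 0 maxmtu 0
    gre remote 192.0.2.2 local 192.0.2.1 ttl 64 addrgenmode eui64'

if [ $# -gt 0 ]; then check_tunnel "$1"; fi   # live check only when given a device, e.g. gre1
```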