GRE & Policy Routing



Hi,

First of all, sorry for the inconvenience! I'm configuring
(testing) GRE with Cisco and Linux. I found
some posts in the archive/Google but I failed, so I'm asking you
for help, since I've been searching for a long time with no solution. :(
If some of you could help me. :)

For my test I'm using a Cisco router with the
following:

eth0 - 200.210.11.130
tunnel - 1.1.1.1

---------------------------------------------------

Linux:

eth0 - 200.210.12.9
tunnel - 1.1.1.2

I want to create a GRE tunnel from the Cisco router to
my Linux box, which is running a NIDS (Snort). The
idea is:


| Internet |
|
|
|
| Cisco | --GRE--> |Linux-with-Snort-to-Analyze-The-Traffic| ---|
| |
| |
|____________________GRE_____________________________________|

Well, the GRE from Cisco to Linux I think I created
correctly (at least, it appears to work).


Cisco:

conf t
int tunnel 0
ip address 1.1.1.1 255.255.255.0
tunnel source eth0
tunnel dest 200.210.12.9
tunnel mode gre ip
exit

Linux (all firewall rules allow the Cisco):

modprobe ip_gre.o
iptunnel add mynet mode gre remote 200.210.11.130 local 200.210.12.9 ttl 255
ip addr add 1.1.1.2/24 dev mynet
ifconfig mynet up
route add -net 1.1.1.0 netmask 255.255.255.0 dev mynet


From here, I can already ping the router via 1.1.1.1
:)

So, I created the policy:

Cisco:

conf t
access-list 120 permit ip any any
route-map teste
match ip address 120
set ip next-hop 1.1.1.2
exit
int eth0
ip policy route-map teste
exit


Linux:

ip ru add from 1.1.1.1 lookup 4
ip ro add 0.0.0.0/0 via 1.1.1.2 table 4

Well, if I run a packet analyzer like Ethereal, I can
see that the traffic from the GRE is arriving at my Linux
box:


Frame 1 (84 bytes on wire, 84 bytes captured)
    Arrival Time: Jul 26, 2005 21:45:10.079848000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 84 bytes
    Capture Length: 84 bytes
    Protocols in frame: sll:ip:udp:dns
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 778
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 200.210.11.130 (200.210.11.130), Dst Addr: 200.246.179.124 (200.246.179.124)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 68
    Identification: 0x1d22 (7458)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 63
    Protocol: UDP (0x11)
    Header checksum: 0x5b95 (correct)
    Source: 200.210.11.130 (200.210.11.130)
    Destination: 200.246.179.124 (200.246.179.124)
User Datagram Protocol, Src Port: 32769 (32769), Dst Port: domain (53)
    Source port: 32769 (32769)
    Destination port: domain (53)
    Length: 48
    Checksum: 0xc6a6 (correct)
Domain Name System (query)
    Transaction ID: 0xe6d7
    Flags: 0x0010 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...1 .... = Non-authenticated data OK: Non-authenticated data is acceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        anba.com.br: type ANY, class IN
            Name: anba.com.br
            Type: ANY (Request for all records)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (EDNS0 option)
            UDP payload size: 2048
            Higher bits in extended RCODE: 0x0
            EDNS0 version: 0
            Z: 0x0
            Data length: 0

0000  00 00 03 0a 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 44 1d 22 40 00 3f 11 5b 95 c8 fc 7d 82   E..D."@.?.[...}.
0020  c8 f6 b3 7c 80 01 00 35 00 30 c6 a6 e6 d7 00 10   ...|...5.0......
0030  00 01 00 00 00 00 00 01 04 61 6e 62 61 03 63 6f   .........anba.co
0040  6d 02 62 72 00 00 ff 00 01 00 00 29 08 00 00 00   m.br.......)....
0050  00 00 00 00                                       ....


Well, here I have some doubts:

1 - I noticed that Ethereal detected the protocol as
"Protocols in frame: SSL:ip:udp:dns", shouldn't it be
GRE? The source is "Source: <MISSING>", is that normal
(I'm not familiar with this Linux cooked capture)?

2 - Does this configuration redirect from the Cisco to Linux
inbound, outbound or both? Can I make it redirect
both? :)


3 - How does GRE know it should be de-encapsulated and sent
to the Internet, or simply re-encapsulated and sent to the
other GRE endpoint? Only via the rules? Or does it set some
special bit in the packet?

That's only curiosity; the problem is that the traffic
ISN'T going back to the Cisco. For example, this DNS query
(which comes from the Cisco internal network) arrives at
my Linux box, but doesn't go to the Internet... :(

I was reading and saw that the Cisco router has an
"option" called reflect, which I THINK should do what I
need (but in Linux):


conf t
access-list 100 permit ip any any
route-map reflect
match ip address 100
set ip next-hop Original-IP-To-Back
exit
int tunnel0
ip policy route-map reflect
exit

Well, I don't have another Cisco to test it with, and I want
to do it on Linux. How can I reflect the traffic
(send the traffic back to the Cisco router) from Linux?


PS: Well, if there is some way to copy all the traffic of a Cisco to another
machine on the Internet, that could solve it. Something like the traffic mirror in
a Cisco switch. Is anyone aware of one?

Thanks,

Regards,
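An added example (not from the post or its author) that bears on questions 1 and 3 above. Two facts first: "sll" is the Linux cooked-capture pseudo-header that libpcap puts in front of packets taken from an interface that has no Ethernet header, and its "Link-layer address type: 778" is ARPHRD_IPGRE, the link type of a Linux GRE tunnel device. So the frame shown was captured on the tunnel interface, after the kernel had already stripped the outer IP and GRE headers, which is why no GRE layer and no link-layer source appear. A sensor listening on eth0 instead would see protocol-47 packets and have to decode GRE itself. The code below builds the post's DNS query the way the Cisco carries it into the tunnel (outer IPv4 with protocol 47, a GRE header, then the inner IPv4/UDP/DNS) and decapsulates it the way a tunnel endpoint does: the outer protocol number, the GRE version and the optional GRE checksum are validated, and then the GRE protocol type field alone (an Ethertype, 0x0800 for IPv4) decides that the payload is handed to ordinary IP routing; no special bit in the inner packet marks it as tunnelled. The addresses are taken from the post; the outer packet fields, the GRE key/sequence options and the zero UDP checksum are constructed sample values.

```python
"""GRE-over-IPv4 encapsulation and decapsulation (added example, not from the post).

Builds the post's DNS query as the Cisco sends it into the tunnel and strips it
again at the Linux end. Addresses are the post's; all other values are constructed.
"""
import socket
import struct

IPPROTO_GRE = 47            # outer IP protocol number for GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800     # GRE protocol type announcing an IPv4 payload
GRE_FLAG_CHECKSUM = 0x8000  # C bit: 16-bit checksum + 16-bit reserved follow
GRE_FLAG_KEY = 0x2000       # K bit (RFC 2890): 32-bit key follows
GRE_FLAG_SEQ = 0x1000       # S bit (RFC 2890): 32-bit sequence number follows
GRE_VERSION_MASK = 0x0007   # version must be 0 for RFC 2784 GRE

def inet_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a block that already carries it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options, DF set) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1D22, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def build_gre(inner, proto_type=ETHERTYPE_IPV4, checksum=False, key=None, seq=None):
    """GRE header (RFC 2784/2890) in front of inner; optional checksum, key, seq."""
    flags, opt = 0, b""
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
        opt += b"\x00\x00\x00\x00"             # checksum placeholder + reserved1
    if key is not None:
        flags |= GRE_FLAG_KEY
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQ
        opt += struct.pack("!I", seq)
    pkt = struct.pack("!HH", flags, proto_type) + opt + inner
    if checksum:                                # checksum covers GRE header and payload
        pkt = pkt[:4] + struct.pack("!H", inet_checksum(pkt)) + pkt[6:]
    return pkt

def parse_ipv4(packet):
    """Validate an IPv4 header; return src, dst, proto, ttl and the payload bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("truncated IPv4 packet")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "ttl": packet[8], "payload": packet[ihl:total_len]}

def decapsulate_gre(outer):
    """Strip outer IPv4 + GRE like a tunnel endpoint: outer proto must be 47, GRE
    version 0, checksum valid if present; the protocol type then picks the handler."""
    ip = parse_ipv4(outer)
    if ip["proto"] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % ip["proto"])
    gre = ip["payload"]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version %d" % (flags & GRE_VERSION_MASK))
    present = [f for f in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ) if flags & f]
    if len(gre) < 4 + 4 * len(present):
        raise ValueError("truncated GRE options")
    if flags & GRE_FLAG_CHECKSUM and inet_checksum(gre) != 0:
        raise ValueError("bad GRE checksum")
    off, key, seq = 4 + (4 if flags & GRE_FLAG_CHECKSUM else 0), None, None
    if flags & GRE_FLAG_KEY:
        key, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    if flags & GRE_FLAG_SEQ:
        seq, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    result = {"outer_src": ip["src"], "outer_dst": ip["dst"], "proto_type": proto_type,
              "key": key, "seq": seq, "inner": gre[off:]}
    if proto_type == ETHERTYPE_IPV4:            # only the protocol type says what is inside
        result["inner_ip"] = parse_ipv4(result["inner"])
    return result

def sample_tunnel_packet():
    """Constructed: the post's DNS query (anba.com.br ANY, EDNS0) as seen on eth0."""
    dns = bytes.fromhex("e6d7 0010 0001 0000 0000 0001"           # id, flags, RR counts
                        "04616e6261 03636f6d 026272 00 00ff 0001"  # anba.com.br ANY IN
                        "00 0029 0800 00000000 0000")             # OPT RR, 2048 bytes
    udp = struct.pack("!HHHH", 32769, 53, 8 + len(dns), 0) + dns   # UDP checksum 0 = none
    inner = build_ipv4("200.210.11.130", "200.246.179.124", 17, udp, ttl=63)
    return build_ipv4("200.210.11.130", "200.210.12.9", IPPROTO_GRE, build_gre(inner), ttl=255)
```

`decapsulate_gre(sample_tunnel_packet())` returns the 68-byte inner packet the post's capture shows, with the outer endpoints 200.210.11.130 and 200.210.12.9 alongside it. Cisco and Linux both leave the C, K and S bits clear by default, so the header is the bare four bytes; a keyed tunnel (`key` on the Linux side) is the usual way to keep two tunnels between the same endpoints apart, and the checksum only detects corruption, not a spoofed outer source, which is why the firewall rules that admit protocol 47 should be limited to the peer's address.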
