I need to set up an IPSEC tunnel between two systems using `ip xfrm` commands, suitable for running ISIS over. Thanks to examples on the web, including one from this site, I am able to create either an XFRM or VTI link that works for everything except, of course, running ISIS (because ESP carries only IP, and ISIS Hello packets are LLC/MAC.)
I also am able to set up a GRETAP tunnel between the systems, and ISIS works over that. So I'd like to (if possible) add ESP to the GRETAP tunnel.
Ignoring details on how the GRETAP tunnel interface (tun1) is created, I am trying to add IPSEC using the following, which seems to have no effect (`ip xfrm monitor all` shows nothing.)
Code:
GW=1 # (or 2, for the other system)
SPI=0x1234
NAME=tun1
GW1_PUBIP=192.168.16.5 # `ifconfig eth0 | grep inet | tr -s ' ' | cut -d' ' -f3`
GW2_PUBIP=192.168.32.2
PRIVNET=192.168.12
if [[ $GW == 1 ]]; then
SRC=$GW1_PUBIP DST=$GW2_PUBIP LOCAL=$PRIVNET.2 REMOTE=$PRIVNET.3
else
SRC=$GW2_PUBIP DST=$GW1_PUBIP LOCAL=$PRIVNET.3 REMOTE=$PRIVNET.2
fi
KEY1=0x0123456789ABCDEF0123456789ABCDEF
KEY2=0xFEDCBA9876543210FEDCBA9876543210
ID=0xfeed
ip xfrm state flush
ip xfrm policy flush
ip xfrm state add src $SRC dst $DST proto esp spi $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2 sel dev $NAME
ip xfrm state add src $DST dst $SRC proto esp spi $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2 sel dev $NAME
ip xfrm policy add dev $NAME dir out tmpl src $SRC dst $DST proto esp spi $ID mode tunnel mark 0x1234
ip xfrm policy add dev $NAME dir in tmpl src $DST dst $SRC proto esp spi $ID mode tunnel mark 0x1234
tcpdump -nevi eth0 esp &
ping -c 3 $REMOTE
Any pointers on where I'm going wrong?
Thanks!
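For comparison, here is an added example (not from the original post) of the usual way to put ESP under a GRE/GRETAP tunnel: the XFRM policy selects the outer GRE flow (IP protocol 47, `proto gre`) between the two public addresses rather than the tunnel device, no `mark` is used unless something actually sets that mark on the packets, each direction gets its own SPI, and the SHA-256 HMAC gets the 256-bit key and 128-bit truncation (`auth-trunc 'hmac(sha256)' KEY 128`, per RFC 4868) that the kernel expects. The public addresses and the AES key are the post's sample values; the SPIs, `reqid` and the 256-bit auth key are constructed here. By default the script only prints the `ip xfrm` commands (a dry run); `APPLY=1 GW=1 ./esp-gre.sh` as root executes them.

```shell
#!/bin/sh
# Added example (not from the original post): protect the GRETAP tunnel by
# selecting the outer GRE flow (IP protocol 47) between the two public
# addresses, instead of matching on the tunnel device or an skb mark.
# Assumptions: public addresses and AES key are the post's sample values;
# the SPIs, reqid and the 256-bit SHA-256 key are constructed for this example.
# Dry run by default (prints the commands); APPLY=1 as root executes them.

GW1_PUBIP=192.168.16.5
GW2_PUBIP=192.168.32.2
SPI_1TO2=0x1001   # constructed: one SPI per direction (an SA is keyed by dst+spi)
SPI_2TO1=0x1002
# hmac(sha256) requires a 256-bit key (64 hex digits); 128-bit ICV per RFC 4868
AUTH_KEY=0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
ENC_KEY=0xFEDCBA9876543210FEDCBA9876543210   # cbc(aes) with a 128-bit key
REQID=1   # constructed: ties the policy templates to the states

# check_key_bits KEY BITS: succeed only if the 0x-prefixed hex KEY is BITS bits long
check_key_bits() {
    hexlen=$(( ${#1} - 2 ))
    [ $(( hexlen * 4 )) -eq "$2" ]
}

# xfrm_cmds GW: print the ip xfrm commands for gateway GW (1 or 2).
# The same two SAs exist on both gateways; only which one is "out" differs.
xfrm_cmds() {
    check_key_bits "$AUTH_KEY" 256 || { echo "auth key must be 256 bits" >&2; return 1; }
    check_key_bits "$ENC_KEY" 128 || { echo "enc key must be 128 bits" >&2; return 1; }
    if [ "$1" = 1 ]; then
        src=$GW1_PUBIP; dst=$GW2_PUBIP; spi_out=$SPI_1TO2; spi_in=$SPI_2TO1
    else
        src=$GW2_PUBIP; dst=$GW1_PUBIP; spi_out=$SPI_2TO1; spi_in=$SPI_1TO2
    fi
    cat <<EOF
ip xfrm state add src $src dst $dst proto esp spi $spi_out reqid $REQID mode tunnel auth-trunc 'hmac(sha256)' $AUTH_KEY 128 enc 'cbc(aes)' $ENC_KEY
ip xfrm state add src $dst dst $src proto esp spi $spi_in reqid $REQID mode tunnel auth-trunc 'hmac(sha256)' $AUTH_KEY 128 enc 'cbc(aes)' $ENC_KEY
ip xfrm policy add src $src dst $dst proto gre dir out tmpl src $src dst $dst proto esp reqid $REQID mode tunnel
ip xfrm policy add src $dst dst $src proto gre dir in tmpl src $dst dst $src proto esp reqid $REQID mode tunnel
EOF
}

# apply_xfrm GW: execute the printed commands (needs root and the ip tool)
apply_xfrm() {
    xfrm_cmds "$1" | sh -e
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_xfrm "${GW:-1}"
else
    xfrm_cmds "${GW:-1}"
fi
```

Run the dry run on both gateways and compare: the two `state add` lines must be identical on both sides (same SPI for the same direction), only the `dir out`/`dir in` policies swap. After applying, `ip xfrm state` and `ip xfrm policy` list the SAs and policies, `ip xfrm monitor all` reports the inserts, and `tcpdump -ni eth0 esp` shows ESP during a ping across tun1 where `tcpdump -ni eth0 proto gre` previously showed the GRE frames in clear. Because the selector is `proto gre` on the outer packets, ISIS Hellos inside the GRETAP tunnel are carried along with everything else.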