GRE Key as Policy Selector

[andrew-hoff]

Hi all. I have a setup where I would like to have multiple peers behind the same NAT communicate with a cloud node. This means that from the cloud node's perspective, the nodes behind the NAT will have the same local/remote pair. I would like to use a route-based VPN to connect as well. VTI does not seem to be a viable option because netlink rejects two VTI interfaces with the same local/remote pair, even if they have different marks. XFRM is also not an option for other reasons not worth going into here.

My next thought is to use GRE. After some initial testing, I found that you can create two GRE interfaces with the same local/remote pair so long as the keys are distinct. However, given that both interfaces have the same local/remote pair, my policy will need to use the key to identify the appropriate security association for packets routed through each interface.

Ideally, I can use strongswan to configure the UPSPEC field with the appropriate GRE key, as specified here. However, so far I don't see a good way to do that in the documentation. My backup plan is to just create an iptables rule to mark packets that go through each interface with the corresponding GRE key and use mark_in/mark_out on the SA. Is that my best option, or is there a better way to do this in strongswan?

[Thermi]

remote_ts and local_ts = %dynamic[gre/x]

[andrew-hoff]

Ah, you can use the '/x' as the GRE rather than the port?

[andrew-hoff]

Sure, but doesn't that refer to the port, not the key? My biggest hunch for this was that the field specified is limited to two bytes as can be seen here. GRE keys can be up to 4 bytes.

[Thermi]

Yes, you're right in that regard.

[Thermi]

WELL, I just tested it and it works. Kind of.

ip x p:

src 192.168.178.20/32 dst 192.0.0.5/32 proto gre key 22151168 
        dir out priority 366912 ptype main 
        tmpl src 192.168.178.20 dst 192.0.0.5
                proto esp reqid 1 mode tunnel
src 192.0.0.5/32 dst 192.168.178.20/32 proto gre key 338 
        dir fwd priority 366912 ptype main 
        tmpl src 192.0.0.5 dst 192.168.178.20
                proto esp reqid 1 mode tunnel
src 192.0.0.5/32 dst 192.168.178.20/32 proto gre key 338 
        dir in priority 366912 ptype main 
        tmpl src 192.0.0.5 dst 192.168.178.20
                proto esp reqid 1 mode tunnel
src 192.168.178.20/32 dst 192.0.0.5/32 proto gre key 8060928 
        dir out priority 366912 ptype main 
        tmpl src 192.168.178.20 dst 192.0.0.5
                proto esp reqid 1 mode tunnel
src 192.0.0.5/32 dst 192.168.178.20/32 proto gre key 123 
        dir fwd priority 366912 ptype main 
        tmpl src 192.0.0.5 dst 192.168.178.20
                proto esp reqid 1 mode tunnel
src 192.0.0.5/32 dst 192.168.178.20/32 proto gre key 123 
        dir in priority 366912 ptype main 
        tmpl src 192.0.0.5 dst 192.168.178.20
                proto esp reqid 1 mode tunnel

That happens if you install a policy with the config I pasted earlier.

[andrew-hoff]

Got it working! Thank you @Thermi !

[Thermi]

yw. :)