
[ScreenOS] How to determine the packet length after GRE over IPsec encapsulation


Article ID: KB25934 | Last Updated: 11 Sep 2019 | Version: 2.0
Summary:

This article explains how to determine the packet length after GRE over IPsec encapsulation.

Symptoms:

How to determine the packet length after GRE over IPsec encapsulation.

Solution:

The packet format, as per RFC 2406, is as follows:

The packet length after GRE over IPsec encapsulation should be calculated as:

Outer-IP-length = Outer-IP-header + SPI + Sequence + ESP + Authentication 
                  20                4     4        ?     + 20

ESP = IP-GRE-header + Inner-IP + ESP-Pad-Length + Next-Header + Padding
      24            + ?        + 1              + 1           + ?

The following example is taken from the output of debug flow basic (the trace itself follows the formulas):

Outer-IP-length = Outer-IP-header + SPI + Sequence + ESP + Authentication
160             = 20                4     4          112 + 20            

ESP = IP-GRE-header + Inner-IP + ESP-Pad-Length + Next-Header + Padding
112 = 24            + 84       + 1              + 1           + 2

The formula to calculate the ESP length is as follows (/ denotes integer division, so the sum is rounded up to the next multiple of 8 bytes):

ESP = [(IP-GRE-header + Inner-IP + ESP-Pad-Length + Next-Header)/8] * 8 + [((IP-GRE-header + Inner-IP + ESP-Pad-Length + Next-Header)%8 + 7)/8] * 8
112 = [(24            + 84       + 1              + 1          )/8] * 8 + [((24            + 84       + 1              + 1          )%8 + 7)/8] * 8

****** 153878.0: packet received [84]****** >>> Inner-IP
ipid = 1937(0791), @2d5db112
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0.131:192.168.1.1/147->192.168.2.1/5483,1(8/0)
no session found
flow_first_sanity_check: in , out
chose interface ethernet0/0.131 as incoming nat if.
flow_first_routing: in , out
search route to (ethernet0/0.131, 192.168.1.1->192.168.2.1) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 20.route 192.168.2.1->192.168.2.1, to tunnel.101
routed (x_dst_ip 192.168.2.1) from ethernet0/0.131 (ethernet0/0.131 in 0) to tunnel.101
policy search from zone 105-> zone 1
policy_flow_search policy search nat_crt from zone 105-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.2.1, port 30566, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/2/0x1
Permitted by policy 3
No src xlate choose interface tunnel.101 as outgoing phy if
no loop on ifp tunnel.101.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in , out
existing vector list 5-1328c7fc.
Session (id:252951) created for first pak 5
flow_first_install_session======>
handle cleartext reverse route
search route to (tunnel.101, 192.168.2.1->192.168.1.1) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0.131
[ Dest] 18.route 192.168.1.1->192.168.1.1, to ethernet0/0.131
route to 192.168.1.1
arp entry found for 192.168.1.1
ifp2 ethernet0/0.131, out_ifp ethernet0/0.131, flag 00800805, tunnel ffffffff, rc 1
flow got session.
flow session id 252951
flow_main_body_vector in ifp ethernet0/0.131 out ifp tunnel.101
flow vector index 0x5, vector addr 0x1967930, orig vector 0x1967930
post addr xlation: 192.168.1.1->192.168.2.1.
going into tunnel a0288.
flow_encrypt: enc vector=4a7f20.
generic tunnel encap tunnel 0x000a0288
GRE packet is encaped
packet encapsulated, type=generic, len=108 >>> IP-GRE-header + Inner-IP
ipid = 14829(39ed), @2d5db0fa
going into tunnel 40000001.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00000001
(vn2) doing ESP encryption and size =112 >>> ESP
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec auth done
ipsec encrypt engine released
SA lifesize_cur left 4675072
ipsec encrypt done
put packet(9123fd0) into flush queue.
remove packet(9123fd0) out from flush queue.

**** jump to packet:10.1.1.1->10.1.1.2
packet encapsulated, type=ipsec, len=160 >>> Outer-IP-length
ipid = 14830(39ee), @2d5db0d6
out encryption tunnel 40000001 gw:10.1.1.2
no more encapping needed
send out through normal path.
flow_ip_send: 39ee:10.1.1.1->10.1.1.2,50 => ethernet0/1.117(160) flag 0x20, vlan 117
mac 0017cb46ff85 in session
packet send out to 0017cb46ff85 through ethernet0/1.117
**** pak processing end.
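As an added worked example (not part of the article), the following Python reproduces the article's length calculation and checks it against the lengths the firewall reports in the debug flow basic trace. The fixed overheads and the 20-byte authentication figure are taken from the article; the block_size and authentication parameters are an assumption that lets the same calculation be applied to proposals the article does not cover.

```python
import re
# Fixed overheads as given in the article (GRE over IPsec ESP on ScreenOS).
OUTER_IP_HEADER = 20   # outer IPv4 header without options
SPI = 4                # ESP Security Parameters Index
SEQUENCE = 4           # ESP sequence number
IP_GRE_HEADER = 24     # 20-byte GRE delivery IP header + 4-byte GRE header
ESP_TRAILER = 2        # ESP Pad-Length byte + Next-Header byte

def esp_length(inner_ip_len, block_size=8):
    # GRE-encapsulated packet plus the ESP trailer, padded up to whole cipher
    # blocks. block_size=8 reproduces the article's formula; 16 (AES) is an
    # assumption not made by the article. Returns (esp_len, padding).
    unpadded = IP_GRE_HEADER + inner_ip_len + ESP_TRAILER
    padding = (-unpadded) % block_size
    return unpadded + padding, padding

def outer_ip_length(inner_ip_len, block_size=8, authentication=20):
    # Length of the packet sent to the IPsec peer. authentication=20 is the
    # article's figure; the real value depends on the negotiated proposal.
    esp, _ = esp_length(inner_ip_len, block_size)
    return OUTER_IP_HEADER + SPI + SEQUENCE + esp + authentication

# Lines excerpted from the article's debug flow basic output.
DEBUG_LINES = """\
****** 153878.0: packet received [84]******
packet encapsulated, type=generic, len=108
(vn2) doing ESP encryption and size =112
packet encapsulated, type=ipsec, len=160
"""

PATTERNS = {
    "inner": re.compile(r"packet received \[(\d+)\]"),
    "gre": re.compile(r"type=generic, len=(\d+)"),
    "esp": re.compile(r"ESP encryption and size =(\d+)"),
    "outer": re.compile(r"type=ipsec, len=(\d+)"),
}

def parse_debug_flow(text):
    # Pull the four reported lengths out of a debug flow basic trace.
    return {n: int(m.group(1)) for n, p in PATTERNS.items() if (m := p.search(text))}

def check_debug_flow(text, block_size=8, authentication=20):
    # Compare what the firewall reported with the article's formula.
    obs = parse_debug_flow(text)
    esp, _ = esp_length(obs["inner"], block_size)
    exp = {"inner": obs["inner"], "gre": IP_GRE_HEADER + obs["inner"], "esp": esp,
           "outer": outer_ip_length(obs["inner"], block_size, authentication)}
    return obs, exp, obs == exp
```

A mismatch between the observed and expected dictionaries points at a different cipher block size or authentication overhead than the article assumes, which is the first thing to check when sizing the tunnel MTU.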
Modification History:

2019-09-10: Article reviewed for accuracy. No changes made. Article is correct and complete.
