[ScreenOS] How to determine the packet length after GRE over IPsec encapsulation

[KB25934]


Summary:

This article explains how to determine the length of a packet after GRE over IPsec encapsulation, and how the individual lengths can be read from the output of debug flow basic.

Symptoms:

How to determine the packet length after GRE over IPsec encapsulation.

Solution:

The ESP packet format is defined in RFC 2406 (IP Encapsulating Security Payload); the field names used below follow that layout.

The packet length after GRE over IPsec encapsulation is calculated as follows (all sizes in bytes):

Outer-IP-length = Outer-IP-header + SPI + Sequence + ESP + Authentication 
                  20                4     4        ?     + 20

ESP = IP-GRE-header + Inner-IP + ESP-Pad-Length + Next-Header + Padding
      24            + ?        + 1              + 1           + ?

Where:

Outer-IP-header: the 20-byte IPv4 header of the ESP packet (no IP options).
SPI, Sequence: the 4-byte ESP SPI and 4-byte sequence number fields.
ESP: the part of the packet that is actually encrypted. RFC 2406 requires its length to be a multiple of the cipher block size (8 bytes for DES/3DES, 16 bytes for AES), which is what the Padding field provides.
IP-GRE-header: the 20-byte GRE delivery IP header plus the 4-byte GRE header (no checksum, key or sequence options), 24 bytes in total.
Inner-IP: the length of the original cleartext IP packet.
Authentication: the bytes ESP adds outside the encrypted block. The 20 bytes in the example are the 8-byte CBC IV of DES/3DES plus the 12-byte truncated HMAC ICV (HMAC-MD5-96 or HMAC-SHA1-96). With AES-CBC the IV is 16 bytes, so this term becomes 28 and the ESP length is padded to a 16-byte boundary instead.

The following values are taken from the debug flow basic output reproduced further below (an 84-byte ICMP packet from 192.168.1.1 to 192.168.2.1, sent through tunnel.101 to the IPsec peer 10.1.1.2):

Outer-IP-length = Outer-IP-header + SPI + Sequence + ESP + Authentication
160             = 20                4     4          112 + 20            

ESP = IP-GRE-header + Inner-IP + ESP-Pad-Length + Next-Header + Padding
112 = 24            + 84       + 1              + 1           + 2

The formula to calculate the ESP length is as follows. All divisions are integer divisions, so the expression rounds the sum up to the next multiple of the 8-byte DES/3DES block size; for AES replace 8 with 16 and 7 with 15:

ESP = [(IP-GRE-header + Inner-IP + ESP-Pad-Length + Next-Header)/8] * 8 + [((IP-GRE-header + Inner-IP + ESP-Pad-Length + Next-Header)%8 + 7)/8] * 8
112 = [(24            + 84       + 1              + 1          )/8] * 8 + [((24            + 84       + 1              + 1          )%8 + 7)/8] * 8
    = [110/8] * 8 + [(110%8 + 7)/8] * 8 = 13 * 8 + 1 * 8 = 104 + 8

In the debug flow basic output below, the lengths marked with >>> are the Inner-IP length (84), the GRE-encapsulated length (108 = IP-GRE-header + Inner-IP), the ESP length (112) and the Outer-IP-length (160):

****** 153878.0: packet received [84]****** >>> Inner-IP
ipid = 1937(0791), @2d5db112
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0.131:192.168.1.1/147->192.168.2.1/5483,1(8/0)
no session found
flow_first_sanity_check: in , out
chose interface ethernet0/0.131 as incoming nat if.
flow_first_routing: in , out
search route to (ethernet0/0.131, 192.168.1.1->192.168.2.1) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 20.route 192.168.2.1->192.168.2.1, to tunnel.101
routed (x_dst_ip 192.168.2.1) from ethernet0/0.131 (ethernet0/0.131 in 0) to tunnel.101
policy search from zone 105-> zone 1
policy_flow_search policy search nat_crt from zone 105-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.2.1, port 30566, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/2/0x1
Permitted by policy 3
No src xlate choose interface tunnel.101 as outgoing phy if
no loop on ifp tunnel.101.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in , out
existing vector list 5-1328c7fc.
Session (id:252951) created for first pak 5
flow_first_install_session======>
handle cleartext reverse route
search route to (tunnel.101, 192.168.2.1->192.168.1.1) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0.131
[ Dest] 18.route 192.168.1.1->192.168.1.1, to ethernet0/0.131
route to 192.168.1.1
arp entry found for 192.168.1.1
ifp2 ethernet0/0.131, out_ifp ethernet0/0.131, flag 00800805, tunnel ffffffff, rc 1
flow got session.
flow session id 252951
flow_main_body_vector in ifp ethernet0/0.131 out ifp tunnel.101
flow vector index 0x5, vector addr 0x1967930, orig vector 0x1967930
post addr xlation: 192.168.1.1->192.168.2.1.
going into tunnel a0288.
flow_encrypt: enc vector=4a7f20.
generic tunnel encap tunnel 0x000a0288
GRE packet is encaped
packet encapsulated, type=generic, len=108 >>> IP-GRE-header + Inner-IP
ipid = 14829(39ed), @2d5db0fa
going into tunnel 40000001.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00000001
(vn2) doing ESP encryption and size =112 >>> ESP
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec auth done
ipsec encrypt engine released
SA lifesize_cur left 4675072
ipsec encrypt done
put packet(9123fd0) into flush queue.
remove packet(9123fd0) out from flush queue.

**** jump to packet:10.1.1.1->10.1.1.2
packet encapsulated, type=ipsec, len=160 >>> Outer-IP-length
ipid = 14830(39ee), @2d5db0d6
out encryption tunnel 40000001 gw:10.1.1.2
no more encapping needed
send out through normal path.
flow_ip_send: 39ee:10.1.1.1->10.1.1.2,50 => ethernet0/1.117(160) flag 0x20, vlan 117
mac 0017cb46ff85 in session
packet send out to 0017cb46ff85 through ethernet0/1.117
**** pak processing end.
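The calculation above, as an added worked example that is not part of the original KB article. It implements the article's length formula and generalizes it: cipher block size, IV length and ICV length are parameters, and a second function inverts the calculation to find the largest inner packet that still fits a given outer MTU, which the article does not show. Assumptions not stated in the article: 20-byte IPv4 headers without options, a 4-byte GRE header without checksum, key or sequence fields, and for the defaults an 8-byte CBC IV with a 12-byte truncated HMAC ICV (together the article's 20-byte "Authentication" term).

```python
# Added example, not code from the KB article. Computes the on-the-wire length
# of a packet after GRE over IPsec (ESP tunnel) encapsulation.
# Assumptions: 20-byte IPv4 headers (no options), 4-byte GRE header (no options),
# default cipher = 8-byte block with 8-byte IV (DES/3DES-CBC), 12-byte HMAC ICV.

IPV4_HDR = 20      # outer ESP header and GRE delivery header are both 20 bytes
GRE_HDR = 4        # GRE header without checksum/key/sequence (RFC 2784)
ESP_SPI_SEQ = 8    # SPI (4) + Sequence (4)
ESP_TRAILER = 2    # Pad Length (1) + Next Header (1)


def kb_esp_len(x, block=8):
    """The article's formula with integer division: rounds x up to a multiple of
    the cipher block size. x = IP-GRE-header + Inner-IP + ESP-Pad-Length + Next-Header."""
    return (x // block) * block + ((x % block + block - 1) // block) * block


def esp_len(inner_ip_len, block=8):
    """Length of the block ESP encrypts (reported by debug flow basic as
    'doing ESP encryption and size = N') and the padding it contains."""
    x = IPV4_HDR + GRE_HDR + inner_ip_len + ESP_TRAILER
    padding = (-x) % block            # bytes needed to reach the next block boundary
    return x + padding, padding


def outer_len(inner_ip_len, block=8, iv_len=8, icv_len=12):
    """On-the-wire length of the ESP packet (Outer-IP-length in the article).
    The IV and ICV together are the article's 'Authentication' term."""
    enc, _ = esp_len(inner_ip_len, block)
    return IPV4_HDR + ESP_SPI_SEQ + iv_len + enc + icv_len


def max_inner_len(outer_mtu=1500, block=8, iv_len=8, icv_len=12):
    """Largest inner IP packet whose encapsulated form still fits in outer_mtu,
    i.e. the tunnel MTU that avoids fragmenting the outer packet.
    Inverse of outer_len; an extension beyond what the article shows."""
    fixed = IPV4_HDR + ESP_SPI_SEQ + iv_len + icv_len
    enc_budget = (outer_mtu - fixed) // block * block   # largest encryptable block
    return enc_budget - IPV4_HDR - GRE_HDR - ESP_TRAILER


if __name__ == "__main__":
    # Reproduces the article's debug flow basic example: an 84-byte inner packet.
    enc, pad = esp_len(84)
    print(f"inner 84 -> GRE {IPV4_HDR + GRE_HDR + 84}, ESP {enc} (pad {pad}), "
          f"outer {outer_len(84)}")
    # The same packet with AES-CBC (16-byte block and IV) for comparison.
    print(f"inner 84 with AES-CBC -> outer {outer_len(84, block=16, iv_len=16)}")
    print(f"max inner packet for a 1500-byte outer MTU (3DES/HMAC-96): "
          f"{max_inner_len()}")
```

With the defaults the script reproduces the debug output above (GRE length 108, ESP length 112 with 2 bytes of padding, outer length 160). Changing the block size to 16 and the IV to 16 bytes shows the AES case for the same packet, and max_inner_len gives the inner packet size at which the encapsulated packet just fits a 1500-byte outer MTU; one byte more and the outer packet needs to be fragmented.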
Modification History:

2019-09-10: Article reviewed for accuracy. No changes made. Article is correct and complete.
