Multicast via GRE, Unicast via plain IPSec?

Hi,

I currently running a plain IPSec site-to-site connection between two RB750Gr3 (hEX) with the following setup:

On both sites I have provider routers in place (DHCP server & internet gateway) and behind that running the hEX (in bridge mode) acting as VPN gateways with plain IPSec (based on policies only). Both provider routers have static routes to the remote net with the hEX as the gateway. This setup is running fine and very fast.

On top of that I would like to route multicast traffic (mainly for SSDP) in both direction. On both ends I have services that should be discoverable from both sites.

I already read the following forum posts & docs:

• Working DLNA routing example (basic)
• DLNA over GRE ?
• Multicast over VPN for site-to-site
• Manual:Multicast detailed example

So my plan is to put a GRE tunnel on top of my IPSec in order to run PIM for multicast. However I would prefer to still route unicast via the plain IPSec due to performance reasons (plain IPSec seemed to be the best option based on my earlier tests).

Is this possible or am I forced to route also unicast over the GRE tunnel? None of the previous posts mention such a multicast/unicast split routing…

I tried to configure PIM, however I did not succeed. I can’t get multicast traffic routed between both sites, I’m using iperf and the Developer Tools for UPnP.

The GRE tunnel is the vpn-tunnel interface with a /30 network. Site 1 has IP 192.168.255.1 and site 2 192.168.255.2. GRE tunnel is up and I can ping the other end from both sites.

Site 1 PIM configuration:

/routing pim> interface print
Flags: X - disabled, I - inactive, D - dynamic, R - designated-router, v1 - IGMPv1, v2 - IGMPv2, v3 - IGMPv3 
 #      INTERFACE                                                 PROTOCOLS                                               
 0  Rv3 bridge                                                    pim                                                     
                                                                  igmp                                                    
 1   v3 vpn-tunnel                                                pim                                                     
                                                                  igmp                                                    
 2 DR   register                                                  pim                                                     

/routing pim> rp print       
Flags: D - dynamic, X - disabled 
 #    ADDRESS         TYPE        PRIORITY
 0    192.168.255.1   static           192

/routing pim> mrib print      
Flags: X - disabled, I - inactive, D - dynamic 
 #   DESTINATION        GATEWAY         METRIC INTERFACE                                                                                                  
 0   192.168.178.0/24   192.168.255.2        1 vpn-tunnel                                                                                                 
 1 D 0.0.0.0/0          192.168.1.1          1 bridge                                                                                                     
 2 D 192.168.1.0/24     0.0.0.0              0 bridge                                                                                                     
 3 D 192.168.255.0/30   0.0.0.0              0 vpn-tunnel

Joins:

The join state is always unkown.

MFC:

I’m missing the vpn-tunnel here…

Site 2 PIM configuration:

        /routing pim> interface print
Flags: X - disabled, I - inactive, D - dynamic, R - designated-router, v1 - IGMPv1, v2 - IGMPv2, v3 - IGMPv3 
 #      INTERFACE                                                                     PROTOCOLS                                                                    
 0  Rv3 vpn-tunnel                                                                    pim                                                                          
                                                                                      igmp                                                                         
 1  Rv3 bridge                                                                        pim                                                                          
                                                                                      igmp                                                                         
 2 DR   register                                                                      pim                                                                          

/routing pim> rp print
Flags: D - dynamic, X - disabled 
 #    ADDRESS         TYPE        PRIORITY
 0    192.168.255.1   static           192

/routing pim> mrib print
Flags: X - disabled, I - inactive, D - dynamic 
 #   DESTINATION        GATEWAY         METRIC INTERFACE                                                                                                           
 0   192.168.1.0/24     192.168.255.1        1 vpn-tunnel                                                                                                          
 1 D 0.0.0.0/0          192.168.178.1        1 bridge                                                                                                              
 2 D 192.168.178.0/24   0.0.0.0              0 bridge                                                                                                              
 3 D 192.168.255.0/30   0.0.0.0              0 vpn-tunnel

Joins:

MFC:

For my iperf tests I used 224.0.55.55.

Any idea what might be missing?