Netgate Discussion Forum

GRE tunnel with hostname instead of IP

  • G
    georgeman
    last edited by Sep 13, 2016, 9:39 PM

    Hi folks,

    I need to set up a GRE tunnel (unencrypted) against an endpoint with a dynamic IP address. Is it possible to specify a hostname instead of an IP address? I would like it to behave like the IPsec tunnels do, refreshing the IP address on filter reloads (I will use some dynamic DNS on the remote endpoint).

    Is this a limitation of the web interface or something more complicated?

    Thanks a lot.

    If it ain't broke, you haven't tampered enough with it

    • G
      georgeman
      last edited by Sep 15, 2016, 9:22 PM

      Tinkering a little with the web interface field validation, I managed to get it to accept a hostname; it resolves properly and the GRE interface gets configured with the correct IP address.

      The only part missing would be to run interfaces_gre_configure(); when the remote IP changes. Can anyone point me in the right direction??

      If I manage to get it to work, I'll submit the patches so it can be included on a future release.

      Thanks!

      If it ain't broke, you haven't tampered enough with it

      • R
        robi
        last edited by Sep 18, 2016, 1:37 PM

        +1 for this!

        • G
          georgeman
          last edited by Sep 19, 2016, 10:25 PM

          I created a feature request on Redmine: #6796

          If it ain't broke, you haven't tampered enough with it

          • J
            jimp Rebel Alliance Developer Netgate
            last edited by Sep 20, 2016, 5:00 PM

            It would take another completely separate monitoring daemon instance like filterdns for aliases or IPsec endpoints. Given that nobody else has ever requested it and how rarely it would be useful in practice, I'm not sure how likely it is that feature would be added or accepted.

            What's the use case? Why would you need or want GRE to a dynamic host and no other protocol?

            If the other side is pfSense or something else that supports OpenVPN, and you only need to send unencrypted, use OpenVPN with the encryption set to 'none' and you wouldn't need any fiddling with GRE. If it's a third party device of some sort that can only do GRE, that's tougher.


            • G
              georgeman
              last edited by Sep 22, 2016, 8:29 PM

              Thanks for the heads up Jim, I thought that the implementation would be easier.

              This is completely off-topic, but the use case I was looking forward to was automatic failover over IPsec with dynamic hosts as the remote end, using OSPF.

              My main office runs pfSense with two WANs. The idea was to set up GRE over IPsec transport mode against all the branch offices (which run a variety of hardware, but all support IPsec, GRE and some flavor of OSPF). Each branch office has 1 internet connection, so the idea is to simultaneously run 2 transport mode tunnels against each branch office, each one originating from one of the two WANs on the main office. Now, as far as I know you can't do this (at least not currently) because the StrongSwan gateway selection is done through added system routes, so you cannot have two transport mode tunnels originating from two different WANs with the same destination.

              So the complicated-but-elegant solution I came up with was to tunnel all that within another tunnel: GIF-over-IPsec-over-GRE.

              First set up GRE tunnels between the public IPs of the offices. Then configure IPsec transport mode between those GRE interface addresses. Then set up GIF (or GRE, I chose GIF to save on unnecessary IP headers) with the other GRE tunnels as endpoints. This GIF tunnel is encrypted and is what OSPF uses for routing.

              Sounds complicated but once it is set up it works like a charm (you have to overcome the bug related to mismatched states on tunnels, though, and properly adjust MTU and MSS).

              All this works perfectly with static IPs, but the outside GRE tunnel needs to be able to handle dynamic IP endpoints when dealing with some of the branch offices. I guess I can use a script tied to a cron job to monitor the IP changes and trigger the function to reconfigure the GRE interfaces accordingly.

              Of course, if the endpoints supported OpenVPN, I would have already resolved this a long time ago :-\

              If it ain't broke, you haven't tampered enough with it
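
A sketch of the cron-driven watcher described in the post above, as an added example that is not code from the thread or from pfSense. It assumes `getent hosts` as the resolver, a hypothetical state file path, and a placeholder `RECONFIGURE_CMD` hook standing in for whatever ends up calling `interfaces_gre_configure()`; the DNS answer is validated as IPv4 before it is passed anywhere.

```shell
#!/bin/sh
# Added example: watch a GRE peer's dynamic DNS name from cron.
# Assumptions: STATE_FILE path and RECONFIGURE_CMD are hypothetical;
# the hook is where interfaces_gre_configure() would be triggered.
STATE_FILE="${STATE_FILE:-/var/db/gre_peer.last}"
RECONFIGURE_CMD="${RECONFIGURE_CMD:-echo reconfigure}"

# Resolve a hostname to the first address returned (assumed resolver).
resolve_peer() {
    getent hosts "$1" 2>/dev/null | awk '{ print $1; exit }'
}

# Accept only a dotted quad with each octet 0-255. A DNS answer is
# untrusted input, so nothing else may reach the reconfigure hook.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# Returns 0 = unchanged, 10 = changed and hook ran,
#         2 = no usable answer, 3 = hook failed.
check_peer() {
    host="$1"
    new=$(resolve_peer "$host")
    if ! valid_ipv4 "$new"; then
        echo "gre-watch: no usable IPv4 answer for $host, keeping old endpoint" >&2
        return 2
    fi
    old=$(cat "$STATE_FILE" 2>/dev/null)
    [ "$new" = "$old" ] && return 0
    # Record the new address only after the hook succeeds, so a failed
    # reconfigure is retried on the next cron run.
    $RECONFIGURE_CMD "$host" "$new" || return 3
    printf '%s\n' "$new" > "$STATE_FILE"
    return 10
}

# Cron entry point: runs only when GRE_PEER_HOST is set in the environment.
if [ -n "${GRE_PEER_HOST:-}" ]; then
    check_peer "$GRE_PEER_HOST"
fi
```

A failed lookup leaves the existing endpoint in place rather than tearing the tunnel down, so a DNS outage alone does not change the GRE configuration.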

              • Y
                yon 0
                last edited by Jan 19, 2021, 9:39 AM

                +1 for this.
