Transport mode comes up and GRE goes down.



  • I found an old thread with no resolution:

    Hello.
    I have a GRE tunnel between two sites set up and working fine. Using OSPFd to transmit routes between them. I set up IPSEC in transport mode using the public IP addresses between sites and instantly I can see the GRE tunnel go down. I check status > gateways and they are offline. Nothing in IPSEC log that would indicate a problem with the IPSEC tunnel itself. status > ipsec does have the yellow X "error" but appears to set up properly.

    I am just wondering if there is a better way from a design perspective to do this, whether it be with pfsense or in some other fashion. I was looking into OpenVPN but I am unsure whether I can get OSPFd working over that tunnel either. If all else fails I will just do some redesign of IP addressing and use a summary route over IPSEC in tunnel mode, or with OpenVPN, but I would like to continue to use OSPFd if possible. Thoughts?
    Report to moderator    Logged
    Regards,

    xtropx

    I seem to be in the same boat. I would like to be able to use OSPF with networks connected via IPsec and GRE according to the pfSense book

    IPsec in transport mode can use GRE for tunneling encrypted traffic in a way that allows for traditional routing or the use of routing protocols.

    (Hope its ok to quote that here) However I can not make this work. the IPsec connects with no issues at all but as soon as it does I loose my GRE tunnel.

    Both IPsec and GRE are using the same external IP address, both IPsec and GRE work but not at the same time!



  • I found out that by default pfSense tries to do NAT on GRE tunnels.. I set a rule to disable NAT on the GRE interface and I am still stuck on this issue. Any input would be greatly appreciated.



  • Actually i seem to be stuck in a similar way.
    Set up GRE Tunnel to use it whith Gateway Groups as a Failover solution to a directed radio connection.
    Everything works fine as long as i do not enable IPSEC in Transport Mode between the two pfSense node. If the Tunnel is up all traffic to the other side is blocked but the GRE Endpoints. The GRE Endpoints are able to ping each other as they did before the IPSEC Connection.
    Really frustrating.
    Love pfSense and its Open Source character, we are using it a lot in our datacenter but this is really a PITA.



  • If you have created the GRE tunnel before the IPSEC Transport mode, then i would suggest a reset of the state table to bring the GRE tunnel back up on both sides.  It has to be  a full reset of the state table.

    So Diagnostics -> States -> Reset States

    Make sure the box is checked to reset the firewall state table, and then click reset.  Everything will seem like it is lagging for a bit then it all should come back fine.

    Also then you will have to change the NAT settings to manual for easier use.

    So Firewall -> NAT -> Outbound

    Change it to Manual Outbound NAT.  Then you will have to Delete GRE interface Mappings so it doesn't NAT the traffic going out over that interface.



  • Hmm, done that but no changes.
    It seems to have to do with my Gateway Group or some kind of routing issue.
    if i set a static route to one of the interfaces traffic is able to pass to the other side. If i delete the static route and try to route via a firewall policy on LAN Port which directs the traffic of the mentioned LAN to Subnet X over my Gateway Group i am not able to route to the other side, I am also not able to set two static routes with different administrative distances on 2 different routers with the same subnet as target am i? Next try: maybe it'll run with a routing protocol on those interfaces, thought i could avoid using routing protocols on this P2P connection… Or am i completely on the wrong way? Has anybody done a similar configuration before? I could use OpenVPN maybe but the other sides router will be a Juniper SSg140, this machine is not able to handle OpenVPN so this makes no sense.



  • Okay, using RIP it kinda works… it fails over to the active Interface which it gets the rip advertisement from cause there is no weighting regarding administrative distance or bandwidth in RIP so i may need to use OSPF, i'll give it a try. Still would be nice to know if there is a solution without the need of a routing protocol. In Cisco routers i am able to set the AD for a specific route and i am able to set more gateways to one network, this possibility seems not to be implemented in pfSense or is it a hidden feature anywhere?



  • This has been something I have been wanting to get more familiar with.  If I find some time in the next few days I will see if I can mess around with it if i can find a test system open.

    What version of pfSense are you on(so I can match in testing)?

    Are you able to get the GRE Gateways to show up after enabling the transport VPN now?



  • Yes, tunnels are up and i am able to route around while using static routes with the GRE Tunnel after Killing all states, but this is not really a good solution cause everytime i reboot the firewall i need to reset the state table by hand, the IPSec tunnel seems to come up right after the GRE Tunnel on reboot what seems to cause known condition.
    Is there a way to modifie the starting order of services in pfsense right away from the web interface or is it bringing its stuff up in the order of occurence in its config file. Need to test it…

    I am Using 2.3.2-RELEASE-p1 on both machines running on this little nifty machines https://www.landitec.com/products/x86-network-appliance-hardware/apu2-detail in my lab environment at work. I'll get my hands dirty with OSPF now, did this last time during my computer engineering studies 3 years ago on CISCO ISR gear. Should refresh my mind more often ^^



  • I have a dead simple lab setup.

    10.50.30.0/24 - pfSense - 123.123.100.10 – Internet -- 213.213.50.50 - pfSense - 10.50.181.0/24

    GRE: 123.123.100.10 <-> 213.213.50.50
    tunnel: 192.168.100.1 <-> 192.168.100.2

    IPsec in transport:123.123.100.10 <-> 213.213.50.50

    NAT rules added to stop NAT on GRE interfaces.

    ALL interfaces have any any any rules.

    With IPsec disabled, everything works as expected. I can ping internal tunnel endpoints from both routers and OSPF works like a charm.

    With IPsec enabled even after resetting both state tables, everything goes down on the GRE side. and I can not ping to wan IPs for the routers. However, if I add a P2 tunnel wit the correct LAN IPs that works fine (without GRE enabled).



  • But you are not able to route OSPF over the IPSEC P2 Tunnel are you?