How-to on GRE over IPSEC?

  • I'm looking to add GRE tunnels over IPSEC for fail-over. I've been unable to find a how-to. Any pointers?

    This is for two IPSEC tunnels between 2 offices. pfSense 2.4.2 on Netgate hardware in both offices. Both offices have multiple ISPs, both have static IPs. I'm looking to use GRE and routing to enable fail-over of the IPSEC tunnels between the two offices - unless there's a better way?
    I had this working between a pair of snapgear boxes; required a bit of scripting to change routing when one route became unavailable.

  • It can be done, but with a couple of caveats. The main problem is that you have to pretty much turn off the firewall over the tunnels (!!!) due to #4479.

    Also, strongSwan cannot currently establish 2 tunnels to the same destination IP from different interfaces (because the gateway selection is based on hidden static routes). To overcome this you can do it the other way around: first GRE, then encrypt the tunnels (IPsec-over-GRE), or even set up one tunnel inside the other.

    Finally, you can use OSPF to handle the failover, but beware that there is a long-standing unresolved issue with Quagga in which some routes are incorrectly marked as kernel routes and never cleared on restart, rendering the configuration useless. You may have better luck with frr.

    Two more points: remember to tweak MSS clamping appropriately to avoid performance issues, and you can use GIF instead of GRE to save some bytes.

    You can also achieve the same thing with OpenVPN + OSPF, by the way.
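An added worked example (not from this thread, nor from pfSense or strongSwan) of what "tweak MSS clamping appropriately" comes down to: estimating the largest TCP MSS that still fits a 1500-byte path MTU once a segment has been wrapped in GRE or GIF and then in ESP, which also makes the GIF-versus-GRE saving visible. Assumptions: IPv4 throughout, ESP in tunnel mode, no IP or TCP options; the suite table is constructed from the standard header sizes of the named algorithms.

```python
# Added example: MSS budget for TCP riding GRE-over-IPsec or GIF-over-IPsec.
# Assumptions: IPv4 only, ESP tunnel mode, no IP/TCP options.

IPV4_HDR = 20
TCP_HDR = 20
ESP_SPI_SEQ = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)

# Constructed table: (iv_len, pad_block, icv_len) per ESP suite.
# AES-CBC: 16-byte IV and block; HMAC-SHA1-96 ICV 12; HMAC-SHA256-128 ICV 16;
# AES-GCM: 8-byte IV, 4-byte ESP alignment, 16-byte ICV.
ESP_SUITES = {
    "aes128-cbc/hmac-sha1-96": (16, 16, 12),
    "aes256-cbc/hmac-sha256-128": (16, 16, 16),
    "aes128-gcm16": (8, 4, 16),
}


def esp_tunnel_overhead(plain_len, suite):
    """Bytes ESP tunnel mode adds around a plaintext IP packet of plain_len bytes."""
    iv, block, icv = ESP_SUITES[suite]
    # Padding makes (payload + pad + trailer) a multiple of the cipher block/alignment.
    pad = (-(plain_len + ESP_TRAILER)) % block
    return IPV4_HDR + ESP_SPI_SEQ + iv + pad + ESP_TRAILER + icv


def encap_overhead(tunnel, keyed=False):
    """Outer IP header plus tunnel header: GRE (4, or 8 with a key) or GIF (IP-in-IP, 0)."""
    if tunnel == "gre":
        return IPV4_HDR + (8 if keyed else 4)
    if tunnel == "gif":
        return IPV4_HDR
    raise ValueError(f"unknown tunnel type {tunnel!r}")


def wire_size(mss, tunnel, suite, keyed=False):
    """On-the-wire size of a full MSS-sized segment after GRE/GIF and then ESP."""
    inner = IPV4_HDR + TCP_HDR + mss                 # segment as the host sends it
    encap = inner + encap_overhead(tunnel, keyed)     # after GRE or GIF
    return encap + esp_tunnel_overhead(encap, suite)  # after ESP tunnel mode


def max_mss(path_mtu, tunnel, suite, keyed=False):
    """Largest MSS whose full-size segment still fits path_mtu; this is the clamp value."""
    mss = path_mtu - IPV4_HDR - TCP_HDR
    while wire_size(mss, tunnel, suite, keyed) > path_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for tunnel in ("gre", "gif"):
        for suite in ESP_SUITES:
            print(f"{tunnel:3} {suite:28} clamp MSS to {max_mss(1500, tunnel, suite)}")
```

Because CBC padding rounds to 16 bytes, shaving 4 bytes of GRE header can buy the same or a full block more of payload depending on where the segment lands, which is why the GIF figure is worth computing rather than guessing.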
