GRE is not being encapsulated
-
Hello friends, I've set up an IPsec tunnel in transport mode between pfSense and Ubuntu strongSwan, then I've put a GRE tunnel on top of it, but traffic from pfSense is not being encapsulated.
Here is tcpdump on Ubuntu:
18:40:00.217683 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: isakmp-nat-keep-alive
18:40:00.245526 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: UDP-encap: ESP(spi=0xca9265ad,seq=0xa), length 116
18:40:00.249006 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 60: IP 100.64.1.10 > 100.64.1.9: ICMP 224.0.0.5 protocol 89 unreachable, length 36
18:40:00.598030 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 32: IP 100.64.1.10 > 100.64.1.9: ICMP echo request, id 18872, seq 4950, length 8
18:40:01.129026 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 32: IP 100.64.1.10 > 100.64.1.9: ICMP echo request, id 18872, seq 4951, length 8
Here is tcpdump on Ubuntu if I'm trying to ping from Ubuntu:
18:44:38.303196 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: UDP-encap: ESP(spi=0xcc861264,seq=0x18), length 132
18:44:38.305989 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 88: IP 100.64.1.10 > 100.64.1.9: ICMP echo reply, id 17695, seq 8, length 64
So from the Ubuntu side it is being encapsulated, so the request goes encapsulated, but the reply goes unencrypted.
172.xx.xx.130 - Ubuntu side local IP behind NAT
210.xx.xx.44 - pfSense side WAN IP
100.64.1.10 - GRE IP on pfSense side
100.64.1.9 - GRE IP on Ubuntu side
Thanks for help!
-
So I found when it occurs: after you create a GRE over IPsec for the first time, everything works great, but after a reboot it creates GRE, and then IPsec, so GRE is not being encrypted. Is it a bug?
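
An added example, not part of the original posts: a small Python check that reads tcpdump text output in the format shown above and reports, per direction, whether traffic between the two tunnel endpoints is ESP or cleartext GRE. The sample capture lines and their documentation-range outer addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# tcpdump text format as in the post: TIME IP SRC[.port] > DST[.port]: REST
LINE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

def host(addr):
    """Drop the trailing .port that tcpdump appends to an IPv4 address."""
    return ".".join(addr.split(".")[:4])

def classify(rest):
    """Label the outer packet: cleartext GRE, ESP (native or UDP-encap), or other."""
    if rest.startswith("GREv"):
        return "gre-cleartext"
    if "ESP(" in rest:
        return "esp"
    return "other"  # e.g. isakmp-nat-keep-alive

def audit(lines, peer_a, peer_b):
    """Count packet kinds per direction between the two tunnel endpoints."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst = host(m["src"]), host(m["dst"])
        if {src, dst} != {peer_a, peer_b}:
            continue
        counts[(src, dst, classify(m["rest"]))] += 1
    return counts

def leaking_directions(counts):
    """Directions in which GRE was seen on the wire without ESP around it."""
    return sorted({(s, d) for (s, d, kind) in counts if kind == "gre-cleartext"})

# Constructed sample capture (outer addresses are documentation ranges).
LINUX, FIREWALL = "198.51.100.130", "203.0.113.44"
SAMPLE = """\
18:44:38.303196 IP 198.51.100.130.4500 > 203.0.113.44.4500: UDP-encap: ESP(spi=0x00000001,seq=0x18), length 132
18:44:38.305989 IP 203.0.113.44 > 198.51.100.130: GREv0, length 88: IP 100.64.1.10 > 100.64.1.9: ICMP echo reply, id 1, seq 8, length 64
18:44:39.000000 IP 198.51.100.130.4500 > 203.0.113.44.4500: isakmp-nat-keep-alive
18:44:39.310000 IP 203.0.113.44 > 198.51.100.130: GREv0, length 88: IP 100.64.1.10 > 100.64.1.9: ICMP echo reply, id 1, seq 9, length 64
""".splitlines()

if __name__ == "__main__":
    result = audit(SAMPLE, LINUX, FIREWALL)
    for (src, dst, kind), n in sorted(result.items()):
        print(f"{src} -> {dst}: {kind} x{n}")
    for src, dst in leaking_directions(result):
        print(f"cleartext GRE seen from {src} to {dst}")
```

Run against a capture taken on the outer interface after a reboot, a non-empty result from `leaking_directions` means GRE is leaving one side outside the IPsec transport-mode SA.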