GRE is not being encapsulated



  • Hello friends, I've set up an IPsec tunnel in transport mode between pfSense and Ubuntu strongSwan, then I've put a GRE tunnel on top of it, but traffic from pfSense is not being encapsulated.
    Here is tcpdump on ubuntu:

    
    18:40:00.217683 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: isakmp-nat-keep-alive
    18:40:00.245526 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: UDP-encap: ESP(spi=0xca9265ad,seq=0xa), length 116
    18:40:00.249006 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 60: IP 100.64.1.10 > 100.64.1.9: ICMP 224.0.0.5 protocol 89 unreachable, length 36
    18:40:00.598030 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 32: IP 100.64.1.10 > 100.64.1.9: ICMP echo request, id 18872, seq 4950, length 8
    18:40:01.129026 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 32: IP 100.64.1.10 > 100.64.1.9: ICMP echo request, id 18872, seq 4951, length 8
    
    

    Here is tcpdump on ubuntu if I'm trying to ping from ubuntu:

    
    18:44:38.303196 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: UDP-encap: ESP(spi=0xcc861264,seq=0x18), length 132
    18:44:38.305989 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 88: IP 100.64.1.10 > 100.64.1.9: ICMP echo reply, id 17695, seq 8, length 64
    
    

    So from the Ubuntu side it is being encapsulated, so the request goes encapsulated, but the reply goes unencrypted.

    172.xx.xx.130 - ubuntu side local ip behind nat
    210.xx.xx.44 - pfsense side WAN ip
    100.64.1.10 - GRE IP on PFSense side
    100.64.1.9 - GRE IP on ubuntu side

    Thanks for help!



  • So I found when it occurs: after you first create GRE over IPsec everything works great, but after a reboot it created GRE, and then IPsec, so GRE is not being encrypted. Is it a bug?
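
A check for the symptom described in this thread, as an added example that is not part of the original posts: it reads tcpdump text output and reports each outer direction that carried GRE but no ESP at all. The sample capture is constructed from the lines quoted above with RFC 5737 documentation addresses substituted for the redacted ones, and the function names are hypothetical. It assumes that a Linux receiver shows an inbound packet twice (as ESP, then decrypted), so GRE alongside ESP in the same direction is not flagged.

```python
import re
from collections import defaultdict

# Constructed capture modelled on the thread's tcpdump output; the outer
# addresses are RFC 5737 documentation addresses, not the poster's.
SAMPLE = """\
18:40:00.217683 IP 192.0.2.130.4500 > 198.51.100.44.4500: isakmp-nat-keep-alive
18:40:00.245526 IP 192.0.2.130.4500 > 198.51.100.44.4500: UDP-encap: ESP(spi=0xca9265ad,seq=0xa), length 116
18:40:00.598030 IP 198.51.100.44 > 192.0.2.130: GREv0, length 32: IP 100.64.1.10 > 100.64.1.9: ICMP echo request, id 18872, seq 4950, length 8
18:40:01.129026 IP 198.51.100.44 > 192.0.2.130: GREv0, length 32: IP 100.64.1.10 > 100.64.1.9: ICMP echo request, id 18872, seq 4951, length 8
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def strip_port(addr):
    # tcpdump prints UDP endpoints as a.b.c.d.port; drop the port
    return addr.rsplit(".", 1)[0]

def count_by_direction(text):
    """Return {(src, dst): {"esp": n, "gre": n}} for outer headers."""
    stats = defaultdict(lambda: {"esp": 0, "gre": 0})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst, rest = m.groups()
        if rest.startswith("UDP-encap: ESP("):      # NAT-T (UDP 4500)
            stats[(strip_port(src), strip_port(dst))]["esp"] += 1
        elif rest.startswith("ESP("):               # native ESP
            stats[(src, dst)]["esp"] += 1
        elif rest.startswith("GREv"):               # GRE as outer payload
            stats[(src, dst)]["gre"] += 1
    return dict(stats)

def unprotected_gre(text):
    """Directions that carried GRE but never any ESP."""
    # Heuristic: GRE seen next to ESP in the same direction is treated
    # as the decrypted copy of a protected packet, not as a leak.
    return sorted(d for d, c in count_by_direction(text).items()
                  if c["gre"] and not c["esp"])

if __name__ == "__main__":
    for src, dst in unprotected_gre(SAMPLE):
        print(f"cleartext GRE: {src} -> {dst}")
```
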


 
