GRE is not being encapsulated

melaz

Hello friends, I've set up and IPsec tunnel in transport mode between PFsense and ubuntu strongswan, then I've put GRE tunnel on top of it, but traffic from PFsense is not being encapsulated.
Here is tcpdump on ubuntu:

18:40:00.217683 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: isakmp-nat-keep-alive
18:40:00.245526 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: UDP-encap: ESP(spi=0xca9265ad,seq=0xa), length 116
18:40:00.249006 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 60: IP 100.64.1.10 > 100.64.1.9: ICMP 224.0.0.5 protocol 89 unreachable, length 36
18:40:00.598030 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 32: IP 100.64.1.10 > 100.64.1.9: ICMP echo request, id 18872, seq 4950, length 8
18:40:01.129026 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 32: IP 100.64.1.10 > 100.64.1.9: ICMP echo request, id 18872, seq 4951, length 8

Here is tcpdump on ubuntu if I'm trying to ping from ubuntu:

18:44:38.303196 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: UDP-encap: ESP(spi=0xcc861264,seq=0x18), length 132
18:44:38.305989 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 88: IP 100.64.1.10 > 100.64.1.9: ICMP echo reply, id 17695, seq 8, length 64

So from ubuntu side it being encapsulated, so request goes encapsulated, but reply goes unencrypted.

172.xx.xx.130 - ubuntu side local ip behind nat
210.xx.xx.44 - pfsense side WAN ip
100.64.1.10 - GRE IP on PFSense side
100.64.1.9 - GRE IP on ubuntu side

Thanks for help!

melaz

So I found when it occur, after you first time create a gre over ipsec everything works great, but after reboot it created GRE, and then IPsec, so GRE is not being encrypted. Is it a bug?