Netgate Discussion Forum

    GRE is not being encapsulated

    IPsec
    • M
      melaz
      last edited by

      Hello friends, I've set up an IPsec tunnel in transport mode between pfSense and Ubuntu strongSwan, then I've put a GRE tunnel on top of it, but traffic from pfSense is not being encapsulated.
      Here is tcpdump on ubuntu:

      
      18:40:00.217683 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: isakmp-nat-keep-alive
      18:40:00.245526 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: UDP-encap: ESP(spi=0xca9265ad,seq=0xa), length 116
      18:40:00.249006 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 60: IP 100.64.1.10 > 100.64.1.9: ICMP 224.0.0.5 protocol 89 unreachable, length 36
      18:40:00.598030 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 32: IP 100.64.1.10 > 100.64.1.9: ICMP echo request, id 18872, seq 4950, length 8
      18:40:01.129026 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 32: IP 100.64.1.10 > 100.64.1.9: ICMP echo request, id 18872, seq 4951, length 8
      
      

      Here is tcpdump on ubuntu if I'm trying to ping from ubuntu:

      
      18:44:38.303196 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: UDP-encap: ESP(spi=0xcc861264,seq=0x18), length 132
      18:44:38.305989 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 88: IP 100.64.1.10 > 100.64.1.9: ICMP echo reply, id 17695, seq 8, length 64
      
      

      So from the Ubuntu side it is being encapsulated: the request goes encapsulated, but the reply goes unencrypted.

      172.xx.xx.130 - Ubuntu side local IP behind NAT
      210.xx.xx.44 - pfSense side WAN IP
      100.64.1.10 - GRE IP on pfSense side
      100.64.1.9 - GRE IP on Ubuntu side

      Thanks for help!

      • M
        melaz
        last edited by

        So I found when it occurs: the first time you create GRE over IPsec everything works great, but after a reboot it created GRE, and then IPsec, so GRE is not being encrypted. Is it a bug?

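The check the first post does by eye, as an added example that is not part of the thread and not pfSense or strongSwan code: a Python pass over the quoted tcpdump lines that counts, per direction between the two tunnel endpoints, how many packets left inside ESP and how many left as bare GRE. It assumes IPv4 and the tcpdump text format shown in the post; the function names are illustrative.

```python
import re
from collections import Counter

# Lines copied from the two tcpdump excerpts in the first post
# (addresses masked exactly as the poster masked them).
CAPTURE = """\
18:40:00.217683 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: isakmp-nat-keep-alive
18:40:00.245526 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: UDP-encap: ESP(spi=0xca9265ad,seq=0xa), length 116
18:40:00.249006 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 60: IP 100.64.1.10 > 100.64.1.9: ICMP 224.0.0.5 protocol 89 unreachable, length 36
18:40:00.598030 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 32: IP 100.64.1.10 > 100.64.1.9: ICMP echo request, id 18872, seq 4950, length 8
18:44:38.303196 IP 172.xx.xx.130.4500 > 210.xx.xx.44.4500: UDP-encap: ESP(spi=0xcc861264,seq=0x18), length 132
18:44:38.305989 IP 210.xx.xx.44 > 172.xx.xx.130: GREv0, length 88: IP 100.64.1.10 > 100.64.1.9: ICMP echo reply, id 17695, seq 8, length 64
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

# Outer-protocol prefixes as tcpdump prints them, mapped to a verdict.
KINDS = (("ESP(", "esp"), ("UDP-encap: ESP(", "esp"),   # native ESP / NAT-T
         ("GREv", "cleartext-gre"), ("isakmp", "ike"))  # GRE not wrapped in ESP

def host(addr):
    # Drop a trailing port from an IPv4 'a.b.c.d.port' token.
    return ".".join(addr.split(".")[:4])

def classify(line):
    """Return (src, dst, kind) for one tcpdump line, or None if unparsed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, dst, rest = m.groups()
    kind = next((k for prefix, k in KINDS if rest.startswith(prefix)), "other")
    return host(src), host(dst), kind

def direction_report(capture):
    """Count packets per (src, dst, kind) across the capture."""
    return Counter(rec for ln in capture.splitlines() if (rec := classify(ln)))

def leaking_directions(capture):
    """Directions in which GRE was seen as the outer protocol (no ESP)."""
    report = direction_report(capture)
    return sorted({(s, d) for (s, d, k) in report if k == "cleartext-gre"})

if __name__ == "__main__":
    for (s, d, k), n in sorted(direction_report(CAPTURE).items()):
        print(f"{s} -> {d}: {k} x{n}")
    print("GRE outside ESP from:", leaking_directions(CAPTURE))
```

Run against a fresh capture after each reboot, an empty result from `leaking_directions` means both directions are leaving inside ESP.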
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.