Netgate Discussion Forum
    v2.5.0 GRE over IPsec with stateless rule - keeps creating states

    mamawe

      I have set up an IPsec connection between two pfSense with GRE on top.
      Because of issue 4479 I have set up a stateless floating firewall rule and connected it to the GRE interface on both sides.

      Addresses:

      10.105.252.6     <=>  10.105.252.5      IPsec ESP
      10.105.249.9/30  <=>  10.105.249.10/30  GRE
      

      The IPsec VPN works fine.
      The GRE interface works in principle.

      But I don't get the traffic up into the program.

      When I test with PING, I get 100 % loss, but the capture shows the return traffic:

      sudo ping -s 500 10.105.249.10
      Password:
      PING 10.105.249.10 (10.105.249.10): 500 data bytes
      ^C
      --- 10.105.249.10 ping statistics ---
      61 packets transmitted, 0 packets received, 100.0% packet loss
      ---------------------------- capture -----------------------------
      17:11:06.969073 IP 10.105.249.9 > 10.105.249.10: ICMP echo request, id 20257, seq 17, length 508
      17:11:07.136630 IP 10.105.249.10 > 10.105.249.9: ICMP echo reply, id 20257, seq 17, length 508
      17:11:07.970381 IP 10.105.249.9 > 10.105.249.10: ICMP echo request, id 20257, seq 18, length 508
      17:11:08.137955 IP 10.105.249.10 > 10.105.249.9: ICMP echo reply, id 20257, seq 18, length 508
      

      When I try SSH, the connection times out, but in the capture I can see the return traffic:

      ssh 10.105.249.10
      ssh: connect to host 10.105.249.10 port 22: Operation timed out
      ---------------------------- capture -----------------------------
      17:14:30.066379 IP 10.105.249.9.56856 > 10.105.249.10.22: tcp 0
      17:14:30.238472 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
      17:14:31.067379 IP 10.105.249.9.56856 > 10.105.249.10.22: tcp 0
      17:14:31.242268 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
      17:14:32.261091 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
      17:14:33.275668 IP 10.105.249.9.56856 > 10.105.249.10.22: tcp 0
      17:14:33.449780 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
      17:14:34.456078 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
      17:14:36.667376 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
      

      This happens in both directions and I'm at my wits' end here.
      I have spent quite a few hours but to no avail.

      Can anyone shed some light on this issue?

      Kind regards,
      Mathias

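As an added example (not part of the post and not pfSense code), a small Python script that correlates the tcpdump lines quoted above: it pairs each outbound ICMP echo with its reply as seen on the wire and counts TCP segments per flow, so the capture can be contrasted with what ping and ssh reported. The capture text is embedded as constructed sample input copied from the post.

```python
import re
from collections import defaultdict

# Constructed sample input: tcpdump lines quoted in the post above.
CAPTURE = """\
17:11:06.969073 IP 10.105.249.9 > 10.105.249.10: ICMP echo request, id 20257, seq 17, length 508
17:11:07.136630 IP 10.105.249.10 > 10.105.249.9: ICMP echo reply, id 20257, seq 17, length 508
17:11:07.970381 IP 10.105.249.9 > 10.105.249.10: ICMP echo request, id 20257, seq 18, length 508
17:11:08.137955 IP 10.105.249.10 > 10.105.249.9: ICMP echo reply, id 20257, seq 18, length 508
17:14:30.066379 IP 10.105.249.9.56856 > 10.105.249.10.22: tcp 0
17:14:30.238472 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
17:14:31.067379 IP 10.105.249.9.56856 > 10.105.249.10.22: tcp 0
17:14:31.242268 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
17:14:32.261091 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
"""

ICMP_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
                     r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")
TCP_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): tcp")

def correlate(capture, local_ip):
    """Pair outbound probes from local_ip with replies seen on the wire.
    ICMP echoes pair on (id, seq); TCP segments are counted per
    (local port, remote port) flow in each direction."""
    icmp_sent, icmp_replied = set(), set()
    tcp = defaultdict(lambda: {"out": 0, "in": 0})
    for line in capture.splitlines():
        if m := ICMP_RE.match(line):
            key = (int(m["id"]), int(m["seq"]))
            if m["src"] == local_ip and m["kind"] == "request":
                icmp_sent.add(key)
            elif m["dst"] == local_ip and m["kind"] == "reply":
                icmp_replied.add(key)
        elif m := TCP_RE.match(line):
            if m["src"] == local_ip:
                tcp[(m["sport"], m["dport"])]["out"] += 1
            elif m["dst"] == local_ip:
                tcp[(m["dport"], m["sport"])]["in"] += 1
    return {"icmp_sent": len(icmp_sent),
            "icmp_replied_on_wire": len(icmp_sent & icmp_replied),
            "tcp_flows": dict(tcp)}

def diagnose(stats, app_received):
    """Contrast wire-level replies with what the application reported."""
    if stats["icmp_replied_on_wire"] == 0:
        return "no replies on the wire: look at the path or the peer"
    if app_received == 0:
        return "replies reach the interface but not the socket: check pf state handling"
    return "replies delivered: no local filtering problem"
```

With the post's capture and ping's reported 0 received, the diagnosis points at the gap between the interface and the socket, which is where the state table sits.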
        mamawe @mamawe

        I worked around the problem in this particular setup by using Routed (VTI) in the child SA. This was possible because there is pfSense on both sides.

        When using other VPN gateways, sometimes I can't use a routed IPsec SA, and then it would be nice if GRE over IPsec would just work.

        Kind regards,
        Mathias

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.