v2.5.0 GRE over IPsec with stateless rule - keeps creating states
I have set up an IPsec connection between two pfSense with GRE on top.
Because of issue 4479 I have set up a stateless floating firewall rule and connected it to the GRE interface on both sides.

Addresses:
10.105.252.6 <=> 10.105.252.5 (IPsec ESP)
10.105.249.9/30 <=> 10.105.249.10/30 (GRE)
The IPsec VPN works fine.
The GRE interface works in principle. But I don't get the traffic up into the program.
When I test with PING, I get 100 % loss, but the capture shows the return traffic:
sudo ping -s 500 10.105.249.10
Password:
PING 10.105.249.10 (10.105.249.10): 500 data bytes
^C
--- 10.105.249.10 ping statistics ---
61 packets transmitted, 0 packets received, 100.0% packet loss

---------------------------- capture -----------------------------
17:11:06.969073 IP 10.105.249.9 > 10.105.249.10: ICMP echo request, id 20257, seq 17, length 508
17:11:07.136630 IP 10.105.249.10 > 10.105.249.9: ICMP echo reply, id 20257, seq 17, length 508
17:11:07.970381 IP 10.105.249.9 > 10.105.249.10: ICMP echo request, id 20257, seq 18, length 508
17:11:08.137955 IP 10.105.249.10 > 10.105.249.9: ICMP echo reply, id 20257, seq 18, length 508
When I try SSH, the connection times out, but in the capture I can see the return traffic:
ssh 10.105.249.10
ssh: connect to host 10.105.249.10 port 22: Operation timed out

---------------------------- capture -----------------------------
17:14:30.066379 IP 10.105.249.9.56856 > 10.105.249.10.22: tcp 0
17:14:30.238472 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
17:14:31.067379 IP 10.105.249.9.56856 > 10.105.249.10.22: tcp 0
17:14:31.242268 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
17:14:32.261091 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
17:14:33.275668 IP 10.105.249.9.56856 > 10.105.249.10.22: tcp 0
17:14:33.449780 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
17:14:34.456078 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
17:14:36.667376 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
This happens in both directions and I'm at my wits' end here.
I have spent quite a few hours but to no avail. Can anyone shed light on this issue?
Kind regards,
Mathias
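The two captures above show the diagnostic pattern worth recognising: the reply packets are on the wire (the capture runs at the BPF tap, before pf), yet ping reports 100 % loss and the SSH client never completes its handshake, so the drop is happening between the capture point and the socket on the local host, i.e. in the packet filter or its state table. The following script, an added example that is not part of the original post, pairs up ICMP echo requests/replies and counts TCP packets per direction from `tcpdump -q` style output to separate "no reply on the wire" from "reply arrived but was dropped locally". The sample captures are the lines quoted in the post; the function names and the three classification tags are my own.

```python
"""Triage tcpdump output: did the reply never arrive, or did it arrive and get
dropped between the capture tap and the application socket?"""
import re
from collections import defaultdict

# tcpdump -q style lines as quoted in the post above (ICMP and TCP flows)
ICMP_CAPTURE = """\
17:11:06.969073 IP 10.105.249.9 > 10.105.249.10: ICMP echo request, id 20257, seq 17, length 508
17:11:07.136630 IP 10.105.249.10 > 10.105.249.9: ICMP echo reply, id 20257, seq 17, length 508
17:11:07.970381 IP 10.105.249.9 > 10.105.249.10: ICMP echo request, id 20257, seq 18, length 508
17:11:08.137955 IP 10.105.249.10 > 10.105.249.9: ICMP echo reply, id 20257, seq 18, length 508
"""
TCP_CAPTURE = """\
17:14:30.066379 IP 10.105.249.9.56856 > 10.105.249.10.22: tcp 0
17:14:30.238472 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
17:14:31.067379 IP 10.105.249.9.56856 > 10.105.249.10.22: tcp 0
17:14:31.242268 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
17:14:32.261091 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
17:14:33.275668 IP 10.105.249.9.56856 > 10.105.249.10.22: tcp 0
17:14:33.449780 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
17:14:34.456078 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
17:14:36.667376 IP 10.105.249.10.22 > 10.105.249.9.56856: tcp 0
"""

ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): tcp (?P<len>\d+)"
)


def icmp_pairs(capture):
    """Group echo packets by (id, seq) -> {'request': ts|None, 'reply': ts|None}."""
    pairs = defaultdict(lambda: {"request": None, "reply": None})
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            pairs[(int(m["id"]), int(m["seq"]))][m["kind"]] = m["ts"]
    return dict(pairs)


def classify_icmp(capture, replies_counted_by_ping):
    """Compare replies seen on the wire with replies the ping process counted.

    Returns one of (my own labels):
      'no-reply-on-wire'  - far side or return path never answered
      'dropped-locally'   - replies captured but fewer reached the socket
      'ok'                - everything captured was delivered
    """
    answered = sum(1 for p in icmp_pairs(capture).values() if p["request"] and p["reply"])
    if answered == 0:
        return "no-reply-on-wire"
    if replies_counted_by_ping < answered:
        return "dropped-locally"
    return "ok"


def tcp_direction_counts(capture, client, server_port):
    """Count packets client->server and server->client for one service port."""
    counts = {"client->server": 0, "server->client": 0}
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        if m["src"] == client and m["dport"] == str(server_port):
            counts["client->server"] += 1
        elif m["dst"] == client and m["sport"] == str(server_port):
            counts["server->client"] += 1
    return counts


def classify_tcp(capture, client, server_port):
    """Heuristic on -q output (no flags shown): repeated zero-length packets in
    both directions mean both ends keep retrying the handshake, so the server's
    answer is reaching this host but not its TCP stack."""
    c = tcp_direction_counts(capture, client, server_port)
    if c["server->client"] == 0:
        return "no-reply-on-wire"
    if c["client->server"] > 1 and c["server->client"] > 1:
        return "dropped-locally"
    return "ok"


if __name__ == "__main__":
    # ping reported "0 packets received" although two replies were captured
    print("ICMP:", classify_icmp(ICMP_CAPTURE, replies_counted_by_ping=0))
    print("TCP :", tcp_direction_counts(TCP_CAPTURE, "10.105.249.9", 22),
          classify_tcp(TCP_CAPTURE, "10.105.249.9", 22))
```

A `dropped-locally` result is the cue to stop looking at the tunnel and look at the local filter instead: on pfSense that means the firewall log for the GRE interface and the state table (`pfctl -ss`), checking whether a state was created for the flow despite the stateless rule and on which interface, which is exactly the behaviour the post's title describes.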
I worked around the problem in this particular setup by using Routed (VTI) in the child SA. This was possible because there are pfSense on both sides.
When using other VPN gateways, sometimes I can't use a routed IPsec SA, and then it would be nice if GRE over IPsec would just work.
Kind regards,
Mathias