Netgate Discussion Forum
    GRE over IPSEC problem

    wrighng

      Hello
      I'm working on a project where I was hoping to use OSPF routing over a GRE tunnel over IPsec, and I've encountered some problems. To simplify things I've created a test environment, outlined below.

      172.16.0.0/24 (LAN) <-[pfSense 2.0RC3]-> (WAN) --> [ROUTER] <-- (WAN) <-[pfSense 2.0RC3]-> 172.17.0.0/24

      Initially I created the GRE link on both boxes, added the interface, created allow-all rules on the GRE interfaces, and all was good. I could ping across the link between servers on each site, open shares, etc. As GRE isn't encrypted, the next step was to set up IPsec transport (not tunnel) mode between the two firewall WAN interfaces, which worked fine initially. Pinging between servers worked fine, and router logs showed all traffic was in ESP sessions; however, any TCP traffic between sites was blocked, with the return TCP SYN/ACK being blocked by the far-end firewall. This behaviour is exactly the same as described in http://forum.pfsense.org/index.php?topic=33853.0; however, in this case there is only one link, and the only way for the SYN packet to get across the link is to traverse the GRE tunnel, which is then dropping the return due to state issues.

      Simply unticking "Enable IPsec" on both firewalls allows everything to work properly using purely GRE.

      Any help would be greatly appreciated.

      Nigel

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.