GRE over IPSEC problem



Hello

I'm working on a project where I was hoping to use OSPF routing over a GRE tunnel over IPsec, and I've encountered some problems. To simplify things I've created a test environment outlined below.

172.16.0.0/24 (LAN) <-[pfSense 2.0RC3]-> (WAN) --> [ROUTER] <-- (WAN) <-[pfSense 2.0RC3]-> 172.17.0.0/24

Initially I created the GRE link on both boxes, added the interface, created allow-all rules on the GRE interfaces, and all was good. I could ping across the link between servers on each site, open shares, etc. As GRE isn't encrypted, the next step was to set up IPsec transport (not tunnel) mode between the two firewall WAN interfaces, which worked fine initially. Pinging between servers worked fine and the router logs showed all traffic was in ESP sessions; however, any TCP traffic between sites was blocked, with the return TCP SYN/ACK being blocked by the far-end firewall. This behaviour is exactly the same as described in http://forum.pfsense.org/index.php?topic=33853.0; however, in this case there is only one link, and the only way for the SYN packet to get across the link is to traverse the GRE tunnel, which is then dropping the return due to state issues.

Simply unticking "enable IPsec" on both firewalls allows everything to work properly using purely GRE.

Any help would be greatly appreciated.

Nigel

