Netgate Discussion Forum

    IPSEC Transport Mode brings down GRE Tunnel

    Category: IPsec
    3 Posts 2 Posters 3.5k Views
    xtropx:

      Hello.
      I have a GRE tunnel between two sites set up and working fine, using OSPFd to transmit routes between them. I set up IPsec in transport mode using the public IP addresses between sites, and instantly I can see the GRE tunnel go down. I check Status > Gateways and they are offline. Nothing in the IPsec log would indicate a problem with the IPsec tunnel itself. Status > IPsec does have the yellow X "error", but it appears to set up properly.

      I am just wondering if there is a better way from a design perspective to do this, whether it be with pfSense or in some other fashion. I was looking into OpenVPN, but I am unsure whether I can get OSPFd working over that tunnel either. If all else fails I will just do some redesign of IP addressing and use a summary route over IPsec in tunnel mode, or with OpenVPN, but I would like to continue to use OSPFd if possible. Thoughts?

      Regards,

      xtropx

      cmb:

        That means your IPsec isn't set up correctly. That scenario works where transport mode IPsec is properly configured. It also works with OpenVPN.

        xtropx:

          Hi, I am back again. I've been using IPsec in tunnel mode for a while, but I am giving transport another go.
          I have tried again and I cannot get IPsec transport mode to come up.
          I have disabled IPsec ESP and am just using AH for the time being.
          I have allowed both protocols on the WAN interface (ESP & AH) from the public IP address of each side to "any" (as well as ICMP from either side).
          Prefer old IPsec SAs is OFF.

          I have:
          IP: IPv4
          INTERFACE: WAN
          REMOTE GATEWAY: PUBLIC IP OF OTHER SIDE
          AUTHENTICATION PROTOCOL: Mutual PSK
          NEGOTIATION: Aggressive
          MY IDENTIFIER: My IP Address
          PEER IDENTIFIER: Peer IP Address
          PRESHARED KEY: <psk> (COPIED & PASTED, THEY ARE THE SAME)
          POLICY GENERATION: Default
          PROPOSAL CHECKING: Default
          ENCRYPTION ALGORITHM: 3DES
          HASH ALGORITHM: SHA384
          DH KEY GROUP: 2(1024 bit)
          LIFETIME: 28800
          NAT TRAVERSAL: DISABLE
          DEAD PEER: UNCHECKED

          And for Phase 2:

          MODE: TRANSPORT
          PROTOCOL: AH
          HASH ALGORITHMS: MD5
          PFS KEY GROUP: OFF
          LIFETIME: 86400
          AUTOMATICALLY PING HOST: BLANK

          I know in IPsec it is CRITICAL to make sure sides match, so I have ensured that. I've deleted the SPD on both sides and restarted racoon, and it still comes up with "error" under Status > IPsec. No obvious errors in the logs (I've googled just about everything in there).
          GRE is up and running, with OSPF over it. I can ping/access my remote subnets, but it breaks when I turn on IPsec. I'd be really grateful for any ideas!

          Regards,

          xtropx

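The symptom described in this thread (GRE dies the moment the transport-mode IPsec policy is enabled, while the IKE log shows nothing useful) is exactly what a "require"-level SPD entry does when the SA behind it never gets established: the kernel matches the outbound GRE packets against the policy, asks the IKE daemon for an SA, and drops the packets until one arrives, while traffic that matches no policy (the ICMP the poster allows on WAN) keeps flowing in the clear. The Python below is an added example, not code from the forum thread or from pfSense; it models that SPD/SAD decision on a KAME-style stack (what `setkey -DP` and `setkey -D` show on FreeBSD/pfSense) and adds a small symmetry check over the Phase 1/Phase 2 settings the poster lists. The addresses (RFC 5737 documentation ranges), SPIs and the two peer-config dictionaries are constructed for illustration, and the `TransportModeStack`, `Policy`, `SA`, `peer_mismatches` and `demo` names are assumptions of this example.

```python
from dataclasses import dataclass

# IP protocol numbers used by the model.
GRE, ESP, AH = 47, 50, 51


@dataclass(frozen=True)
class Policy:
    """One SPD entry: a traffic selector plus the IPsec treatment it demands."""
    src: str
    dst: str
    proto: int            # upper-layer protocol the selector matches (GRE here)
    direction: str        # "out" or "in"
    ipsec_proto: int      # AH or ESP; transport mode throughout this model
    level: str = "require"  # "require": no SA means no traffic; "use": fall back to clear


@dataclass(frozen=True)
class SA:
    """One SAD entry: a security association IKE has actually installed."""
    src: str
    dst: str
    ipsec_proto: int
    spi: int


class TransportModeStack:
    """Toy model of the per-packet SPD/SAD decision of a KAME-style IPsec stack."""

    def __init__(self):
        self.spd: list[Policy] = []
        self.sad: list[SA] = []

    def add_policy(self, policy: Policy) -> None:
        self.spd.append(policy)

    def add_sa(self, sa: SA) -> None:
        self.sad.append(sa)

    def _policy(self, src, dst, proto, direction):
        for p in self.spd:
            if (p.src, p.dst, p.proto, p.direction) == (src, dst, proto, direction):
                return p
        return None

    def _sa(self, src, dst, ipsec_proto):
        for sa in self.sad:
            if (sa.src, sa.dst, sa.ipsec_proto) == (src, dst, ipsec_proto):
                return sa
        return None

    def outbound(self, src, dst, proto) -> str:
        """Fate of a locally generated packet: clear, encapsulated, or dropped."""
        policy = self._policy(src, dst, proto, "out")
        if policy is None:
            return "clear"                        # no policy: leaves unprotected
        sa = self._sa(src, dst, policy.ipsec_proto)
        if sa is not None:
            return f"encap:{'AH' if policy.ipsec_proto == AH else 'ESP'}:spi={sa.spi}"
        if policy.level == "use":
            return "clear"                        # "use" tolerates a missing SA
        return "drop:no-sa"                       # "require": ACQUIRE sent to IKE, packet dropped

    def inbound(self, src, dst, proto, protected_by=None, spi=None) -> str:
        """Fate of a received packet; protected_by/spi describe an outer AH/ESP header."""
        if protected_by is not None:
            sa = self._sa(src, dst, protected_by)
            if sa is None or sa.spi != spi:
                return "drop:unknown-spi"         # nothing in the SAD for this SPI
            return f"decap:{'AH' if protected_by == AH else 'ESP'}"
        policy = self._policy(src, dst, proto, "in")
        if policy is not None and policy.level == "require":
            return "drop:policy-violation"        # cleartext where IPsec is required
        return "clear"


def peer_mismatches(side_a: dict, side_b: dict) -> list:
    """Return the Phase 1/Phase 2 settings that differ between the two peers."""
    keys = set(side_a) | set(side_b)
    return sorted(k for k in keys if side_a.get(k) != side_b.get(k))


# Constructed peer configurations mirroring the settings listed in the post.
SIDE_A = {"p1_mode": "aggressive", "p1_enc": "3des", "p1_hash": "sha384", "p1_dh": 2,
          "p1_lifetime": 28800, "p2_mode": "transport", "p2_proto": "ah",
          "p2_hash": "md5", "p2_pfs_group": "off", "p2_lifetime": 86400}
SIDE_B = dict(SIDE_A, p2_pfs_group=2)   # constructed: one side has PFS enabled


def demo():
    """GRE between two WAN addresses before and after IKE installs the AH SA."""
    a_wan, b_wan = "203.0.113.10", "198.51.100.20"   # constructed (RFC 5737) public IPs
    stack = TransportModeStack()
    stack.add_policy(Policy(a_wan, b_wan, GRE, "out", AH))
    stack.add_policy(Policy(b_wan, a_wan, GRE, "in", AH))
    before = stack.outbound(a_wan, b_wan, GRE)   # IKE never finished: GRE is black-holed
    icmp = stack.outbound(a_wan, b_wan, 1)       # ICMP matches no policy and still flows
    stack.add_sa(SA(a_wan, b_wan, AH, 0x1000))   # constructed SPI
    after = stack.outbound(a_wan, b_wan, GRE)
    return before, icmp, after


if __name__ == "__main__":
    print(demo())
    print("mismatched settings:", peer_mismatches(SIDE_A, SIDE_B))
```

On a real pfSense box the same picture comes from `setkey -DP` (the SPD entries the transport-mode Phase 2 installed) and `setkey -D` (the SAs IKE actually negotiated): a GRE policy with no matching SA behind it is the black hole. Separately, 3DES, DH group 2 (1024-bit), MD5 for AH and aggressive mode with a PSK are all weak choices; once the tunnel negotiates, move to AES with SHA-2, a DH group of 14 or larger, and main mode.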
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.