Netgate Discussion Forum

Adding IPSec to GRE Tunnel breaks TCP connections

    MLIT, Mar 18, 2014, 10:07 PM

    I've attached a diagram below of my test network. Anyway, I'm attempting to use IPSec to encrypt a GRE tunnel. Anyway, my network is configured as such:

    R1:

    WAN: 12.12.12.1/24
    LAN: 10.10.1.0/24
    GRE: 10.10.10.1/30 (Assigned to interface OPT2)

    R2:

    WAN: 12.12.12.2/24
    LAN: 10.11.1.0/24
    GRE: 10.10.10.2/30 (Assigned to interface OPT2)

    Anyway, before I turn on IPSec, everything works as expected. I can ping and connect with TCP between 10.10.1.0/24 and 10.11.1.0/24 .

    Okay now that I turn on IPSec to encrypt the tunnels, I can ping between 10.10.1.200 and 10.11.1.200 (CentOS Box 1 & 2) fine. I've verified the ICMP packets are making it end to end with tcpdump. Anyway, when I try to SSH from 10.10.1.200 (Centos Box 1) to 10.11.1.200 (Centos Box 2), I see the SYN packet from Box 1 trying to set up a TCP session then I see an ICMP destination unreachable packet from R2 indicating that CentOS Box 1 cannot be reached. I will then see several more SYN packets from Box 1 (It is retrying) followed by ICMP destination unreachables from R2 until Box 1 finally gives up.

    So why can't R2 route TCP traffic back to the other subnet but it can route ICMP traffic back? This is not a firewall issue as I've been extremely generous with my allows on all interfaces. Any ideas or help here is much appreciated. Thank you!
    [Attachment: Diagram1.jpg]

      doktornotor, Mar 18, 2014, 10:49 PM

      @MLIT:

      So why can't R2 route TCP traffic back to the other subnet but it can route ICMP traffic back

      MTU?

        MLIT, Mar 19, 2014, 1:45 PM

        @doktornotor:

        MTU?

        I might believe that if it was dying further into the session. This is not relaying the SYN, ACK packet back to the other end however.

        Just to double check I set the MTU of both CentOS boxes to 1000 (I have ethernet between everything) and the same thing occurs.

          pfsuser246, Jun 27, 2016, 1:51 PM

          Did this ever get resolved?

          I am seeing the same thing with GRE over IPSec, with pfSense 2.3.1-RELEASE-p5.

          If I disable pf (pfctl -d), traffic flows as expected.
          If I remove IPsec transport mode for the GRE tunnel, traffic flows as expected (with pf enabled or disabled).

          There seem to be a few posts relating to issues with GRE over IPsec, so maybe there is a deeper issue:
          Bug 207598 - pf adds icmp unreach on gre/ipsec somehow
          (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598)
          Although this one seems to be related to MTU size.

          Packets from gre interface bypassing PF?
          https://forums.freebsd.org/threads/55181/
          This might be related if the state tables are incorrect if packets flow via GRE into a pfsense firewall.

          Is anyone successfully using GRE over an IPSec tunnel with firewalling enabled?

          Kind regards,
          Mike

            jimp (Netgate developer), Jul 6, 2016, 2:35 PM

            I've seen a couple customers running it with success and I don't recall them needing any specific workarounds.

            If there is an issue with your configuration and states not being added correctly, which may mimic the symptoms of asymmetric routing, you can solve that with the same rules used to allow asymmetric routing: https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules#Manual_Fix

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

              jammcla, Jul 7, 2016, 12:18 AM (last edited Jul 7, 2016, 1:45 AM)

              2.3.1-RELEASE-p5(amd64)

              On the link jimp posted:

              I tried the manual fix for my GRE tunnel over IPSEC and it allowed the traffic through. I tried the automatic fix and it didn't work, so I will have to do the manual fix for all the traffic.

              I see ticket 4479 talks about the issue:

              https://redmine.pfsense.org/issues/4479

              So trying to dig into this a bit further:

              While creating rules to allow the traffic I ended up creating both rules on the Floating tab.

              Rule 1:
              GRE Interface, direction out, Source was the local network, destination was the remote network, any TCP flags, and Sloppy State

              Rule 2:
              Local Network interface, direction in, source was the Remote network, destination was the local network, any TCP Flags, and Sloppy State

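The two floating rules jammcla describes above (which are the same shape as the manual asymmetric-routing fix jimp links to) written out in pf.conf syntax, as an added example that is not from this thread and not pfSense's own generated ruleset. The interface names gre0 and em1, and the choice of TCP as the protocol, are assumptions; the networks are the ones MLIT gave for R1 (local) and R2 (remote).

```pf
# Added example, not from the thread. Assumed interface names:
#   gre0 = the GRE tunnel interface, em1 = the LAN interface of R1.
# Networks as given by MLIT: R1 LAN is local, R2 LAN is remote.
local_net  = "10.10.1.0/24"
remote_net = "10.11.1.0/24"

# Rule 1: outbound on the GRE interface, local -> remote.
# "flags any" lets pf create state on any TCP packet instead of only
# on a SYN; "sloppy" relaxes the sequence-number window checks that
# drop packets when pf does not see both directions of a flow
# consistently (the symptom this thread is about).
pass out on gre0 inet proto tcp from $local_net to $remote_net \
    flags any keep state (sloppy)

# Rule 2: inbound on the LAN interface, remote -> local, same options.
pass in on em1 inet proto tcp from $remote_net to $local_net \
    flags any keep state (sloppy)
```

On a stock FreeBSD box these go in /etc/pf.conf and can be syntax-checked with `pfctl -nf /etc/pf.conf` before loading; on pfSense the equivalent is the two Floating rules in the GUI, since pfSense regenerates its ruleset and would overwrite hand edits. Sloppy state weakens pf's TCP sanity checks on these flows, so scope the rules to exactly the source and destination networks involved rather than using `any`.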