
Author Topic: GRE/GIF tunnel was broken on IPSec Tunnel  (Read 1690 times)


kennylam
GRE/GIF tunnel was broken on IPSec Tunnel
« on: October 18, 2015, 10:20:01 pm »
The setup was drawn and is attached.
pfSense: WAN 1.2.3.4 / IPSec tunnel 172.16.1.1 / GRE tunnel 192.168.100.1
VyOS: WAN 2.3.4.5 / IPSec tunnel 172.16.2.1 / GRE tunnel 192.168.100.2

pfSense version : 2.2.5-snapshot(12-Oct-2015)

The problem can be reproduced by using the same setup (the VyOS side can be replaced by any Linux router with GRE/IPIP tunnel support) and using iperf3 to perform bandwidth tests.

Case 1 (Working, when traffic goes through the IPSec tunnel):
pfSense: iperf3 -c 172.16.2.1
VyOS: iperf3 -s

Case 2 (Working, when traffic goes through the GRE tunnel on the WAN interface, unencrypted):
pfSense: iperf3 -c 192.168.100.2
VyOS: iperf3 -s

Case 3 (Not working, when traffic from pfSense goes through the GRE tunnel on the IPSec tunnel, encrypted):
pfSense: iperf3 -c 192.168.100.2 ("Operation not permitted" was shown in the shell)
VyOS: iperf3 -s


Case 4 (Working, when traffic from VyOS goes through the GRE tunnel on the IPSec tunnel, encrypted):
pfSense: iperf3 -c 192.168.100.2 -R
VyOS: iperf3 -s

The reason for using GRE over the IPSec tunnel is that I want to keep the IPSec settings clean, as the subnets on both sides will change and I don't want to insert each combination of subnets into the IPSec tunnel. OSPF was deployed.

GRE tunnel over IPSec transport is not desirable, as both sides are using WAN connections with dynamic IPs; only IPSec tunnel mode can provide a connection with a static IP.

I had tried to use the LAN interface as the parent interface of the GRE/GIF tunnel, and then used the IPSec tunnel to bridge the two subnets; the same problem still exists.
« Last Edit: October 18, 2015, 11:01:15 pm by kennylam »