<div dir="ltr"><div dir="ltr">Hi<div>Check the sample-config/info in the attached doc. Maybe it will help</div><div><br></div><div>One thing i check from my experience (especially for tunnel-mode ipsec) is that on the R1 and R2, eventhough they may be connected back-to-back/in-same-subnet (as per your config posted), you should still ensure that the "default-route/default-gw" is configured/added on each of the routers....</div><div><br></div><div>hope this is of some help</div><div><br></div><div>thanks & regards</div><div>Rajiv</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Dec 11, 2021 at 1:13 AM Makarand Pradhan <<a href="mailto:MakarandPradhan@is5com.com">MakarandPradhan@is5com.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello Everyone,<br>
<br>
This email is regarding GRE over IPSec. I'm observing some interesting behaviour which I am not able to understand. Would highly appreciate your views.<br>
<br>
Issue:<br>
GRE over IPSec works in tunnel mode when I use raspberry Pis as end devices.<br>
Pi on LAN<--> R1 Router running strongswan <-Internet--> R2 Router running strongswan <--> Pi on LAN<br>
<br>
When I try to use Spirent ports instead of Pis, only transport mode works. Tunnel mode does not push GRE packets into IPSec tunnel.<br>
<br>
Question:<br>
Can anyone give a hint as to why tunnel mode would work when the end points are Pis?<br>
Or Why Spirent traffic only supports transport?<br>
<br>
The relevant configuration is given below<br>
<br>
Linux strongSwan U5.8.2/K4.1.35-rt41<br>
<br>
R1:<br>
Ipsec.conf<br>
right=172.16.100.101<br>
rightid=172.16.100.101<br>
rightsubnet=<a href="http://172.16.100.101/32%5Bgre%5D" rel="noreferrer" target="_blank">172.16.100.101/32[gre]</a><br>
left=172.16.100.1<br>
leftid=172.16.100.1<br>
leftsubnet=<a href="http://172.16.100.1/32%5Bgre%5D" rel="noreferrer" target="_blank">172.16.100.1/32[gre]</a><br>
<br>
ip a s tunnel1<br>
19: tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default<br>
link/gre 172.16.100.1 peer 172.16.100.101<br>
inet <a href="http://10.10.1.1/24" rel="noreferrer" target="_blank">10.10.1.1/24</a> scope global tunnel1<br>
valid_lft forever preferred_lft forever<br>
<br>
R2:<br>
Ipsec.conf<br>
right=172.16.100.1<br>
rightid=172.16.100.1<br>
rightsubnet=<a href="http://172.16.100.1/32%5Bgre%5D" rel="noreferrer" target="_blank">172.16.100.1/32[gre]</a><br>
left=172.16.100.101<br>
leftid=172.16.100.101<br>
leftsubnet=<a href="http://172.16.100.101/32%5Bgre%5D" rel="noreferrer" target="_blank">172.16.100.101/32[gre]</a><br>
<br>
ip a s tunnel1<br>
19: tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default<br>
link/gre 172.16.100.101 peer 172.16.100.1<br>
inet <a href="http://10.10.1.2/24" rel="noreferrer" target="_blank">10.10.1.2/24</a> scope global tunnel1<br>
valid_lft forever preferred_lft forever<br>
<br>
<br>
Thanks.<br>
<br>
Kind rgds,<br>
Makarand Pradhan<br>
Senior Software Engineer.<br>
iS5 Communications Inc.<br>
5895 Ambler Dr,<br>
Mississauga, Ontario<br>
L4W 5B7<br>
Main Line: +1-844-520-0588 Ext. 129<br>
Direct Line: +1-289-724-2296<br>
Cell: +1-226-501-5666<br>
Fax:+1-289-401-5206<br>
Email: <a href="mailto:makarandpradhan@is5com.com" target="_blank">makarandpradhan@is5com.com</a><br>
Website: <a href="http://www.iS5Com.com" rel="noreferrer" target="_blank">www.iS5Com.com</a><br>
<br>
<br>
Confidentiality Notice: <br>
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.<br>
<br>
</blockquote></div></div>