I have accepted:
Maybe firewall rule? For GRE/IPsec you need to accept on input:
- udp port 500
- protocol esp
- protocol gre with IPsec policy: in:ipsec
add action=accept chain=forward ipsec-policy=in,ipsec
I made a new rule with ipsec input accept, but it didn't help. However, IPSec is connecting (I can see keys, and link established) but GRE interface is not running. When I disable IPSec in GRE config, then the interface works fine.

The rule you mentioned has chain=forward.
Maybe you made the same oversight in the other 3 rules?
It should be chain=input for this, not chain=forward. That is for plain IPsec tunnels only.
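
The chain mix-up discussed above can be checked mechanically. The following is an added example, not code from the thread or from MikroTik: a small Python audit that reads firewall filter rules in `add key=value` export form and reports whether each of the three accepts listed above exists on chain=input. The sample export is constructed, and the function names are hypothetical; rule order, line continuations and matchers other than protocol, dst-port and ipsec-policy are not evaluated.

```python
import shlex

# Accepts the thread says GRE over IPsec needs on chain=input.
REQUIRED = {
    "IKE (udp/500)": {"protocol": "udp", "dst-port": "500"},
    "ESP": {"protocol": "ipsec-esp"},
    "GRE inside IPsec": {"protocol": "gre", "ipsec-policy": "in,ipsec"},
}
MATCH_KEYS = ("protocol", "dst-port", "ipsec-policy")

def parse_rule(line):
    """Turn one 'add key=value ...' export line into a dict, else None."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        return None
    return dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def covers(rule, want):
    """True if every matcher the rule sets agrees with the requirement,
    i.e. the rule is at least as broad as the traffic we need accepted."""
    return all(rule[k] == want.get(k) for k in MATCH_KEYS if k in rule)

def audit(export_text):
    """Return {requirement: 'ok' | 'wrong chain: <chains>' | 'missing'}."""
    rules = [r for r in map(parse_rule, export_text.splitlines()) if r]
    accepts = [r for r in rules if r.get("action") == "accept"]
    report = {}
    for name, want in REQUIRED.items():
        chains = {r.get("chain") for r in accepts if covers(r, want)}
        if "input" in chains:
            report[name] = "ok"
        elif chains:
            report[name] = "wrong chain: " + ",".join(sorted(chains))
        else:
            report[name] = "missing"
    return report

# Constructed sample: one rule correct, two placed on forward by mistake.
SAMPLE = """\
/ip firewall filter
add action=accept chain=input protocol=udp dst-port=500
add action=accept chain=forward protocol=ipsec-esp
add action=accept chain=forward ipsec-policy=in,ipsec
add action=drop chain=input
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```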