Ensure GRE is going through IPsec with Firewall

Posted: Thu Apr 04, 2019 12:38 pm
by n4p
Hi there,
I am currently struggling a little bit.
To get GRE working through IPsec I need to add a rule to allow GRE from the same source where the IPsec establishes.
So if I understand that right, GRE would be open as a port from this source?

If I disable that rule, GRE won't work any more.

So what is the right way to do this?

Re: Ensure GRE is going through IPsec with Firewall

Posted: Thu Apr 04, 2019 3:20 pm
by Sob
You're looking for the ipsec-policy matcher. Depending on the style of your firewall, either allow GRE packets matching ipsec-policy=in,ipsec or block GRE packets matching ipsec-policy=in,none. And similar for outgoing.

Re: Ensure GRE is going through IPsec with Firewall

Posted: Thu Apr 04, 2019 4:31 pm
by eworm
My Firewall has:
/ ip firewall filter add action=reject chain=output ipsec-policy=out,none protocol=gre
That serves me well.
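
Added example, not part of any post above: the source-only rule from the first post next to the two ipsec-policy styles described in the replies, written as RouterOS filter rules. The peer address 192.0.2.10, the comments, and the presence of existing IKE/ESP accept rules and a later default drop are assumptions.

```routeros
# Constructed example; 192.0.2.10 stands in for the IPsec peer address.
# IKE/ESP accept rules are assumed to exist already and are not shown.

# Before: the kind of rule described in the first post. It matches on the
# source address only, so GRE arriving unencrypted from that address is
# accepted as well.
# /ip firewall filter add chain=input protocol=gre src-address=192.0.2.10 action=accept

/ip firewall filter

# Style 1 (firewall that accepts known traffic and drops the rest):
# accept GRE only when the packet was decapsulated by IPsec.
# Assumes a default drop rule further down the input chain.
add chain=input protocol=gre src-address=192.0.2.10 ipsec-policy=in,ipsec \
    action=accept comment="GRE only via IPsec"

# Style 2 (firewall that blocks known-bad traffic): use this instead of
# style 1 to drop any GRE that did not arrive through IPsec.
add chain=input protocol=gre ipsec-policy=in,none \
    action=drop comment="no cleartext GRE in"

# Outgoing direction, same match as the rule in the last post:
# refuse to send GRE that no IPsec policy is going to encrypt.
add chain=output protocol=gre ipsec-policy=out,none \
    action=reject comment="no cleartext GRE out"
```

Rule order matters: `add` appends to the end of the chain, so these rules need to sit above any broader rule that already accepts or drops GRE.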