Recent posts

#1
The most common scenario is either to use a policy-based IPsec VPN in tunnel mode without a tunnel interface or to use a route-based IPsec VPN with a virtual tunnel interface in tunnel mode. I am not aware of any installation that uses GRE in 2026. That's why I asked what you want to achieve with that.

What kind of device is the peer? If it's OPNsense, I'd run WireGuard.
#2
General Discussion / Re: Password Reset
Last post by cookiemonster - Today at 12:23:16 AM
Very good.
#3
General Discussion / Re: Why do I need to temporari...
Last post by tbk49 - July 05, 2026, 11:53:24 PM
Quote from: Patrick M. Hausen on July 05, 2026, 09:17:23 PM
Quote from: tbk49 on July 05, 2026, 08:45:46 PM
I am using tunnel mode, not transport. That a problem?

That entirely depends on what you want to achieve and how the other side is configured.

In tunnel mode as used in most scenarios you would not run an additional GRE tunnel inside the IPsec tunnel. Why are you doing that?

Maybe because I'm inexperienced and haven't spent months reading the RFCs?

I'm running a site-to-site connection. I'm not sure what you mean by "inside", but my understanding is "GRE/IPsec" = "GRE over IPsec", meaning your local tunnel address is the IPsec loopback IP and the remote tunnel address is the IPsec loopback of the peer. Then you give the GRE interface its own private IP. Then you do dynamic routing via GRE. So, for example:

Device A:

loopback (for IPsec) - 10.22.22.1/30
GRE interface local address - 10.22.22.1/30
GRE interface remote address - 10.22.22.2/30
GRE interface IP - 172.25.1.1/30

Device B:

loopback (for IPsec) - 10.22.22.2/30
GRE interface local address - 10.22.22.2/30
GRE interface remote address - 10.22.22.1/30
GRE interface IP - 172.25.1.2/30

After the IPsec connection passes Phase 2 the GRE interface comes up (it should...) and communication is via the 172.25.1.0/30 network. Is this what you mean by running GRE 'inside' IPsec? Because if so, that's what I'm doing. What is the most common scenario you refer to?
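The addressing plan above is the kind of thing that is easy to get subtly wrong on one side (a GRE remote address that is not the peer's loopback, inner addresses that do not share a /30). Below is an added consistency checker for it, written for this thread and not taken from OPNsense or FreeBSD; it also emits the gre(4) ifconfig lines and the pf rules the plan implies. Assumptions, not facts from the thread: the decrypted IPsec traffic is filtered on enc0 (taken here to be what OPNsense's "IPsec" firewall tab maps to), a policy-based Phase 2 needs /32 selectors for the two loopbacks, and the `Side` dataclass and function names are mine.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Side:
    name: str
    loopback: str    # address the IPsec SA protects, e.g. "10.22.22.1/30"
    gre_local: str   # GRE outer (tunnel) source
    gre_remote: str  # GRE outer (tunnel) destination, the peer's loopback
    gre_inner: str   # address on the GRE interface itself, e.g. "172.25.1.1/30"


def check_plan(a: Side, b: Side) -> list:
    """Cross-check both sides; an empty list means the plan is internally consistent."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        lo = ipaddress.ip_interface(me.loopback).ip
        peer_lo = ipaddress.ip_interface(peer.loopback).ip
        if ipaddress.ip_address(me.gre_local) != lo:
            problems.append(f"{me.name}: GRE local {me.gre_local} != loopback {lo}")
        if ipaddress.ip_address(me.gre_remote) != peer_lo:
            problems.append(f"{me.name}: GRE remote {me.gre_remote} != {peer.name} loopback {peer_lo}")
    ia = ipaddress.ip_interface(a.gre_inner)
    ib = ipaddress.ip_interface(b.gre_inner)
    if ia.network != ib.network:
        problems.append(f"GRE inner addresses {ia} and {ib} are not in one subnet")
    elif ia.ip == ib.ip:
        problems.append(f"both GRE interfaces use {ia.ip}")
    return problems


def phase2_selectors(me: Side, peer: Side) -> tuple:
    """(local, remote) traffic selectors a policy-based Phase 2 must cover so that
    the GRE outer packets, loopback to loopback, actually match an SPD entry (assumption)."""
    return (f"{ipaddress.ip_interface(me.loopback).ip}/32",
            f"{ipaddress.ip_interface(peer.loopback).ip}/32")


def freebsd_commands(me: Side, peer: Side, ipsec_if: str = "enc0") -> list:
    """ifconfig(8) lines for gre(4) plus pf rules for the GRE outer packets.
    ipsec_if='enc0' is an assumption about where OPNsense filters decrypted IPsec traffic."""
    local, remote = phase2_selectors(me, peer)
    inner_me = ipaddress.ip_interface(me.gre_inner).ip
    inner_peer = ipaddress.ip_interface(peer.gre_inner).ip
    return [
        "ifconfig gre0 create",
        f"ifconfig gre0 tunnel {me.gre_local} {me.gre_remote}",
        f"ifconfig gre0 inet {inner_me} {inner_peer} up",
        # GRE is IP protocol 47 and has no ports; match it on the decrypted side,
        # without state, as suggested earlier in the thread
        f"pass quick on {ipsec_if} inet proto gre from {local} to {remote} no state",
        f"pass quick on {ipsec_if} inet proto gre from {remote} to {local} no state",
    ]


# The two sides exactly as posted above
A = Side("Device A", "10.22.22.1/30", "10.22.22.1", "10.22.22.2", "172.25.1.1/30")
B = Side("Device B", "10.22.22.2/30", "10.22.22.2", "10.22.22.1", "172.25.1.2/30")

if __name__ == "__main__":
    print("problems:", check_plan(A, B))
    print("phase 2 selectors on A:", phase2_selectors(A, B))
    print("\n".join(freebsd_commands(A, B)))
```

Run it against the posted plan and `check_plan` returns an empty list; change Device B's GRE remote to anything other than 10.22.22.1 and it names the side that is wrong, which is the first thing to verify when the GRE interface does not come up after Phase 2.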
#4
26.1, 26.4 Series / Re: Change WAN based on RTT/Pi...
Last post by nero355 - July 05, 2026, 10:42:25 PM
I think you would need a routing protocol that works with delay as its metric and is of course used for Internet routing and not just private LAN routing like Cisco's EIGRP, for example, but which protocol that would be I have no idea, so maybe someone with more up-to-date information can share his/her input about this :)
#5
General Discussion / IRC release notifications are ...
Last post by gac - July 05, 2026, 10:12:05 PM
There are currently no IRC notifications of new releases, because Chunt timed out a few days back and never reconnected. Could someone give it a kick?
#6
General Discussion / Re: Why do I need to temporari...
Last post by Patrick M. Hausen - July 05, 2026, 09:17:23 PM
Quote from: tbk49 on July 05, 2026, 08:45:46 PM
I am using tunnel mode, not transport. That a problem?

That entirely depends on what you want to achieve and how the other side is configured.

In tunnel mode as used in most scenarios you would not run an additional GRE tunnel inside the IPsec tunnel. Why are you doing that?
#7
26.1, 26.4 Series / Re: OPNsense 26.4.1p1_3-amd64 ...
Last post by franco - July 05, 2026, 09:16:56 PM
This is from the major upgrade 25.10 -> 26.4 and it finished correctly eventually:

[196/196] Extracting opnsense-business-26.4: .......... done

You can dismiss this upgrade log so it no longer shows in the audit selection, but keep in mind each major upgrade will generate a new log and present it.


Cheers,
Franco
#8
General Discussion / Re: Why do I need to temporari...
Last post by tbk49 - July 05, 2026, 08:53:02 PM
Quote from: lmoore on July 04, 2026, 10:18:41 AM
Quote from: tbk49 on July 03, 2026, 05:57:05 PM
I have fw rules on ipsec and WAN to allow GRE protocol.

I don't understand why you would be running GRE over an IPsec tunnel. Is this what you are doing?

Reading through one of the articles, during troubleshooting they mention not setting keep state for the GRE rule.

Have you tried a rule like this for GRE where you have Direction set to Both and set state to no state - advanced option under Stateful firewall?

@625 pass quick on re0 inet proto gre all no state label "c18f1b78-d4dc-46fb-9bb5-61c3ae3d8693"

Since I'm running GRE over IPsec, do I need a GRE rule on WAN, or only on the IPsec interface, and if only on the IPsec interface, does your suggestion still apply? My understanding is you have a GRE rule on the WAN if you're pointing GRE directly at your WAN IP. I'm not, as I'm using GRE through IPsec. IPsec certainly contacts the WAN IP on UDP 500/4500 though.
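The question of which interface a GRE rule belongs on comes down to which headers each interface can actually see. The added example below (mine, not OPNsense or FreeBSD code) builds the three views of one GRE-over-IPsec packet with constructed bytes: what the WAN sees with native ESP, what it sees with NAT-T on UDP 4500, and what the decrypted side sees. Assumptions: the WAN addresses are made up, the ESP "ciphertext" is filler bytes since nothing here encrypts, and the post's 10.22.22.x/172.25.1.x plan is reused for the inner headers. The function `visible_proto` returns the protocol number a `proto gre` or `proto esp` match in a pf rule on that interface would be compared against.

```python
import socket
import struct

IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_OSPF = 17, 47, 50, 89
ETHERTYPE_IPV4 = 0x0800
NAT_T_PORT = 4500


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, no options; checksum left zero since nothing transmits it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def gre(ethertype, payload):
    """RFC 2784 base header: no checksum/key/sequence bits, version 0."""
    return struct.pack("!HH", 0, ethertype) + payload


def esp(spi, seq, ciphertext):
    """RFC 4303 header; everything after it is opaque to a firewall on the path."""
    return struct.pack("!II", spi, seq) + ciphertext


def layers(pkt):
    """Peel the headers a pf rule could match on, outermost first, stopping at an
    opaque (encrypted) layer or a payload this demo does not parse."""
    out = []
    while True:
        vihl, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        payload = pkt[(vihl & 0x0F) * 4:total]
        out.append(("ipv4", socket.inet_ntoa(s), socket.inet_ntoa(d), proto))
        if proto == IPPROTO_ESP:
            out.append(("esp", struct.unpack("!I", payload[:4])[0]))
            return out
        if proto == IPPROTO_UDP:
            sport, dport, _, _ = struct.unpack("!HHHH", payload[:8])
            out.append(("udp", sport, dport))
            # RFC 3948: UDP-encapsulated ESP starts with a non-zero SPI; IKE on 4500
            # would start with a four-zero-byte non-ESP marker instead
            if dport == NAT_T_PORT and payload[8:12] != b"\x00\x00\x00\x00":
                out.append(("esp-in-udp", struct.unpack("!I", payload[8:12])[0]))
            return out
        if proto == IPPROTO_GRE:
            flags, ethertype = struct.unpack("!HH", payload[:4])
            # optional checksum (C), key (K) and sequence (S) fields are 4 bytes each
            hdrlen = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
            out.append(("gre", ethertype))
            if ethertype != ETHERTYPE_IPV4:
                return out
            pkt = payload[hdrlen:]
            continue
        return out  # OSPF, ICMP, etc.: nothing further this demo needs to parse


def visible_proto(pkt):
    """IP protocol number exposed by the first header: what 'proto gre' or 'proto esp'
    in a pf rule on that interface is matched against."""
    return layers(pkt)[0][3]


# Constructed sample packets; WAN addresses are documentation ranges, ESP body is filler
INNER = ipv4("172.25.1.1", "172.25.1.2", IPPROTO_OSPF, b"\x02\x01" + bytes(42))
DECRYPTED_VIEW = ipv4("10.22.22.1", "10.22.22.2", IPPROTO_GRE, gre(ETHERTYPE_IPV4, INNER))
CIPHERTEXT = b"\x9f" * 64
WAN_ESP = ipv4("203.0.113.10", "198.51.100.20", IPPROTO_ESP, esp(0xC0FFEE, 7, CIPHERTEXT))
WAN_NATT = ipv4("203.0.113.10", "198.51.100.20", IPPROTO_UDP,
                udp(NAT_T_PORT, NAT_T_PORT, esp(0xC0FFEE, 7, CIPHERTEXT)))

if __name__ == "__main__":
    for name, pkt in (("WAN native ESP", WAN_ESP), ("WAN NAT-T", WAN_NATT),
                      ("decrypted (IPsec interface)", DECRYPTED_VIEW)):
        print(f"{name}: visible proto {visible_proto(pkt)}")
        for layer in layers(pkt):
            print("   ", layer)
```

On the WAN the outermost protocol is 50 (ESP) or 17 (UDP 4500 with NAT-T), so a `proto gre` rule there never sees the GRE packets carried inside the SA; protocol 47 between the two loopbacks is only visible on the interface that carries the decrypted traffic, which is where the GRE pass rule has to live. The WAN still needs to admit UDP 500/4500 and, without NAT-T, ESP itself.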
#9
General Discussion / Re: Why do I need to temporari...
Last post by tbk49 - July 05, 2026, 08:48:16 PM
Quote from: nero355 on July 04, 2026, 04:58:47 PM
Quote from: tbk49 on July 03, 2026, 09:28:01 PM
I can't tell whether you are having a joke here or not, but if not, you're telling me neither OPNsense nor FreeBSD has solved a 20-year-old problem?...
I am telling you what I happen to know : That's all :)

Quote from: Patrick M. Hausen on July 03, 2026, 09:52:16 PM
GRE does not have ports. It's its own protocol on top of IP independent of TCP and UDP. Port 0 might be a historical frontend abstraction of some product for not having port numbers at all.
Could be... I can't remember anymore... Too long ago...

Also no further experience with GRE or IPSec :)

Appreciate the feedback nevertheless.
#10
General Discussion / Re: Why do I need to temporari...
Last post by tbk49 - July 05, 2026, 08:45:46 PM
Quote from: Patrick M. Hausen on July 04, 2026, 10:58:59 AM
Quote from: lmoore on July 04, 2026, 10:18:41 AM
I don't understand why you would be running GRE over an IPsec tunnel

At times when VTIs did not yet exist but you wanted a dedicated interface for your IPsec VPN, e.g. to run OSPF on it or similar, a common setup was to establish an IPIP or GRE tunnel and encrypt these packets in transport mode.

I am using tunnel mode, not transport. That a problem?