Bug #4479


Firewall rules won't match GRE interface after applying IPSEC transport encryption on GRE tunnel

Added by Jonathan Black about 9 years ago. Updated almost 3 years ago.

Operating System
Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:


I have an issue with IPSEC where my GRE tunnels work fine until I turn on transport encryption with IPSEC. After IPSEC is enabled, I can ping across the tunnel (I can also ping between the hosts on both ends), but any connections across the tunnel will be blocked by the PFSense router on the far end (It appears that none of my rules match anymore and only the default block rule will match). I have been able to reproduce this bug in a physical and virtual environment (I have it running in Hyper-V and can produce that if you wish). Everything will start working correctly again if I disable IPSEC on both ends of the tunnel.

I've attached the backup files for both R1 and R2 PFsense routers. They are configured just as show in the Network Map attached. The GRE tunnel is not shown on the map. R1's GRE interface is R2's GRE interface is The 192.168.25.X network is the WAN interfaces on the routers with the 172.X.X.X interfaces are the LAN interfaces. The default password is "pfsense" on these.

I've also attached pictures of my firewall rules (Allow Everything) and then pictures of the log where an RDP connection is being blocked.

Please let me know if there is anything else I can do to help provide you additional information.


config-R1.localdomain-20150227194833.xml (16.5 KB) config-R1.localdomain-20150227194833.xml R1 Config Jonathan Black, 02/27/2015 03:25 PM
config-R2.localdomain-20150227194831.xml (16.5 KB) config-R2.localdomain-20150227194831.xml R2 Config Jonathan Black, 02/27/2015 03:25 PM
Firewall_Log.JPG (64.4 KB) Firewall_Log.JPG Firewall Log Jonathan Black, 02/27/2015 03:25 PM
Firewall_Rules_GRE.JPG (26.5 KB) Firewall_Rules_GRE.JPG Firewall Rules on GRE interface Jonathan Black, 02/27/2015 03:25 PM
Firewall_Rules_IPSEC.JPG (26.7 KB) Firewall_Rules_IPSEC.JPG Firewall Rules on IPSEC interface Jonathan Black, 02/27/2015 03:25 PM
Network_Map.JPG (99.1 KB) Network_Map.JPG Network Map Jonathan Black, 02/27/2015 03:25 PM
floating_rule_to_block_gre_output.png (71.8 KB) floating_rule_to_block_gre_output.png Wagner Sartori Junior, 08/23/2017 07:02 AM

Related issues

Related to Bug #8686: IPsec VTI: Assigned interface firewall rules are never parsedNew07/24/2018

Related to Todo #12289: Update "IPsec Filter Mode" option values and help text to reflect that VTI mode also helps transport mode (e.g. GRE)ResolvedJim Pingle


Also available in: Atom PDF