[Swan] having trouble getting libreswan and gre to work together

Jerry Scharf jerry at soundhound.com
Tue Aug 22 23:30:29 UTC 2017


Hi,

I hope this isn't in the archives, they are not up right now.

I have what I think is a pretty simple setup and goal. I have a few 
ipsec links and am trying to set up gre tunnels over them so I can then 
run routing protocols and send traffic over them. These are backups for 
point to point links in our network.

I am running on centos 7 and the repo version of libreswan. The system 
is running a 4.9 kernel, other than that it's stock.

The symptoms are as follows: I can ping back and forth from the left and 
right machines to the 172.19.10.x/32 subnets. With tcpdump I see the esp 
packets go back and forth. When I try to ping the far gre tunnel 
endpoint, I can see the esp packets with tcpdump, but in a tcpdump of the 
gre tunnel on the far end, nothing comes out. (I tried to do this at 
first with systemd-networkd setting up the gre tunnel. When that didn't 
work, I went back to basics.) I have iptables running, but it passes all 
traffic to/from 172.16.0.0/12.

I assume there is something dumb I am doing wrong. Can someone point me 
in the right direction?

thanks in advance,

jerry

here is my current config that gets included:

# generated by ansible libreswan.j2
conn cst_sgs_int
     leftid=@cstborder1
     left=e.f.g.h
     leftsourceip=172.19.10.1
#    leftprotoport=gre
     rightid=@sgsborder2
     right=a.b.c.d
     rightsourceip=172.19.10.2
     leftrsasigkey=...
     rightrsasigkey=...
#    rightprotoport=gre
     authby=rsasig

conn cst_sgs_intsubnet
     also=cst_sgs_int
     leftsubnet=172.19.10.1/32
     rightsubnet=172.19.10.2/32
     auto=start

here are the commands I use to set up the gre tunnel (one side)

ip tunnel add sgs-cst-int mode gre remote 172.19.10.2 local 172.19.10.1 ttl 64
ip link set sgs-cst-int up
ip addr add 172.19.12.1 dev sgs-cst-int
ip route add 172.19.12.2/32 dev sgs-cst-int


-- 
Soundhound Devops
"What could possibly go wrong?"


