[Swan] Multicast over GRE over IPSec

Richard Scheffenegger rscheff at gmx.at
Wed Aug 12 12:36:56 UTC 2020

Hi gentlepeople,

I hope I can pick your collective brains around an issue which is
frustrating me...

First, I have two VMs hosted at a hyperscaler, which does not allow IP
multicast over its L2 "overlay" network connecting these VMs. Furthermore,
plain GRE is also disallowed by policy in this environment.

But IPsec tunnels work fine - each VM has interfaces "facing" each other
over the same IP subnet - however, the respective remote MAC is just the same
MAC as the default gateway (the L2 overlay is not fully transparent, more
like proxy ARP).

Anyway, setting up an IPsec tunnel is easy enough.

As is setting up a GRE tunnel (L3 or L2 encapsulation doesn't matter). And I
can see that unicast traffic between these tunnel endpoints is (only) IPsec
encrypted and responded to (ping works).

However, all the GRE-encapsulated traffic does get sent out, and is
received. But once the IPsec layer has decoded the inner GRE packet, it
appears not to get handed off to the ip_gre driver, and is instead just
visible (with GRE header) on the destination interface when taking a

Conversely, tracing the GRE interface only shows the outbound traffic,
but never any inbound traffic...

I've seen similar reports around IPsec across two-way NATs (but here the
src/dst IP of the endpoint is on the same logical subnet); setting all
rp_filters to zero doesn't change anything.

At the moment it appears as if the IPsec library, instead of properly
handing off the decoded packet to any other higher layer protocol handler,
simply dumps the decoded frame to the destination interface.

Since I'm not that well versed in troubleshooting the Linux packet handlers
/ traffic control architecture, any help would be highly appreciated!

Thanks a lot,

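The following lab script is an added example and is not part of the original post or of the Libreswan project. It reproduces the setup the post describes (GRE over a transport-mode IPsec SA between two peers on the same subnet) with two Linux network namespaces and manually keyed xfrm SAs instead of an IKE daemon, then runs the checks that narrow down where an inbound GRE packet stops: the xfrm inbound error counters (policy or template mismatch), the receive counters of the explicit gre device and of the gre0 fallback device (which, where present, picks up GRE packets whose outer addresses match no explicit tunnel), and a capture on the wire. Namespace names, addresses, SPIs and keys are constructed for the lab; root, iproute2, tcpdump and the ip_gre/esp4 modules are assumed.

```shell
#!/bin/sh
# Added lab example, not from the original post: GRE over IPsec transport
# mode between two network namespaces, plus the checks used to see whether
# decrypted GRE reaches the gre device. Assumes root, iproute2, tcpdump,
# nstat and the ip_gre/esp4 kernel modules. All names/addresses/keys below
# are constructed values for the lab.
set -eu

NS_A=swanlab_a; NS_B=swanlab_b
A_IP=10.0.0.1;    B_IP=10.0.0.2      # "facing" addresses on the shared subnet
A_GRE=172.16.0.1; B_GRE=172.16.0.2   # addresses inside the GRE tunnel
SPI_AB=0x1000;    SPI_BA=0x2000      # one SPI per direction
# Constructed throwaway keys: 16-byte AES-CBC key, 20-byte HMAC-SHA1 key.
KEY_ENC=0x00112233445566778899aabbccddeeff
KEY_AUTH=0x0102030405060708090a0b0c0d0e0f1011121314

# xfrm_cmds NS LOCAL REMOTE SPI_OUT SPI_IN
# Prints the commands that install the manual ESP SAs and transport-mode
# policies in NS. The policy selector is limited to IP protocol 47 (GRE), so
# only the GRE packets between the peers are ESP-protected. Printing rather
# than executing keeps the function reviewable and testable without root;
# lab_up pipes the output to sh.
xfrm_cmds() {
  ns=$1; me=$2; peer=$3; spi_out=$4; spi_in=$5
  for dir in out in; do
    if [ "$dir" = out ]; then
      src=$me; dst=$peer; spi=$spi_out
    else
      src=$peer; dst=$me; spi=$spi_in
    fi
    echo "ip netns exec $ns ip xfrm state add src $src dst $dst proto esp spi $spi mode transport auth 'hmac(sha1)' $KEY_AUTH enc 'cbc(aes)' $KEY_ENC"
    echo "ip netns exec $ns ip xfrm policy add src $src dst $dst proto 47 dir $dir tmpl src $src dst $dst proto esp mode transport"
  done
}

# gre_cmds NS LOCAL REMOTE TUNNEL_IP
# The gre device's local/remote must equal the outer src/dst of the decrypted
# packet; otherwise the GRE demux finds no matching tunnel for it.
gre_cmds() {
  ns=$1; me=$2; peer=$3; tip=$4
  echo "ip netns exec $ns ip link add gre1 type gre local $me remote $peer"
  echo "ip netns exec $ns ip addr add $tip/30 dev gre1"
  echo "ip netns exec $ns ip link set gre1 up"
}

lab_up() {
  modprobe ip_gre
  modprobe esp4 2>/dev/null || true          # may be built into the kernel
  ip netns add $NS_A; ip netns add $NS_B
  ip link add vethA type veth peer name vethB
  ip link set vethA netns $NS_A; ip link set vethB netns $NS_B
  ip netns exec $NS_A sh -c "ip addr add $A_IP/24 dev vethA; ip link set vethA up; ip link set lo up"
  ip netns exec $NS_B sh -c "ip addr add $B_IP/24 dev vethB; ip link set vethB up; ip link set lo up"
  xfrm_cmds $NS_A $A_IP $B_IP $SPI_AB $SPI_BA | sh -e
  xfrm_cmds $NS_B $B_IP $A_IP $SPI_BA $SPI_AB | sh -e
  gre_cmds  $NS_A $A_IP $B_IP $A_GRE | sh -e
  gre_cmds  $NS_B $B_IP $A_IP $B_GRE | sh -e
}

# lab_check: ping through the tunnel, then inspect the places an inbound GRE
# packet can stall on the receiving side.
lab_check() {
  ip netns exec $NS_A ping -c 3 -W 1 $B_GRE || echo "ping over gre1 failed"
  echo "--- xfrm inbound errors on $NS_B (non-zero means the SA/policy lookup failed)"
  ip netns exec $NS_B nstat -az | grep -E 'XfrmIn(NoPols|NoStates|TmplMismatch|PolBlock|StateMismatch|StateProtoError)' || true
  echo "--- gre1 RX must rise if the GRE demux matched the tunnel"
  ip netns exec $NS_B ip -s link show gre1
  echo "--- gre0 (fallback) RX rising instead means local/remote/key did not match gre1"
  ip netns exec $NS_B ip -s link show gre0 2>/dev/null || echo "no gre0 in this netns"
  echo "--- on the wire: ESP (proto 50) only; a cleartext GRE (proto 47) copy is the decrypted re-injection"
  ip netns exec $NS_B timeout 3 tcpdump -ni vethB -c 6 'ip proto 50 or ip proto 47' || true
}

lab_down() {
  ip netns del $NS_A 2>/dev/null || true
  ip netns del $NS_B 2>/dev/null || true
}

case "${1:-}" in
  up)    lab_up ;;
  check) lab_check ;;
  down)  lab_down ;;
  "")    : ;;
  *)     echo "usage: $0 up|check|down" >&2 ;;
esac
```

Run `up`, then `check`, then `down`. The order of the counters in `lab_check` mirrors the receive path: an XfrmIn* counter rising means the packet never left the IPsec layer; gre1 RX staying flat while gre0 RX rises means ESP succeeded and the GRE protocol handler ran but its tunnel lookup did not match the device's local/remote (or key); a cleartext GRE copy in the capture on the receiving interface is the normal re-injection of the decrypted inner packet and is not itself a sign that the handoff failed.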