Masquerading not working in case of GRE pass-through

Hello, everybody,

I've been trying to establish a GRE connection from a system in the internal network through the UTM to a public cloud IP address for hours now.

Since the UTM is a bit underdeveloped in terms of troubleshooting, I record the outgoing traffic (WAN) with Wireshark.
The problem is that the WAN capture shows me that masquerading works perfectly for normal TCP/IP packets. But as soon as I build the GRE tunnel, the packets leave the WAN interface with their internal address, so they can't be routed back. A normal ping or TCP connection without GRE is masqueraded with the public IP as expected.

Even an active SNAT has no influence on this.  



This thread was automatically locked due to age.
  • Hi,

    what protocols are you using to build your tunnel? The UTM logs will show you plenty of details, have a look in the firewall log.

    You should have a firewall rule allowing the traffic out, GRE and possibly port 4500.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian,

    there is a firewall rule:

    internal system IP / ANY protocol / public IP of the cloud

    There is also a masquerading rule for the subnet and an SNAT rule: From: system IP / Service: any / To: public IP of the cloud / Change source to: public IP.

    What I don't understand is why it works for the header layering MAC / PTP / IP / TCP,UDP and not for MAC / PTP / IP / GRE / IP / TCP,UDP.

    The logs are not helpful in this case, unfortunately.

    Hope the support knows more.

    Thanks for your answer.
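The two posts above rely on reading the WAN capture by eye: a plain TCP or ping packet leaves with the public address, while a GRE packet (IP protocol 47) leaves with the internal one, and the interesting addresses sit at two layers, the outer MAC / IP / GRE header and the inner IP / TCP,UDP header. The script below is an added example, not code from this thread or from Sophos: it parses those layers from a classic libpcap file (Wireshark "Save as" pcap) and lists every frame whose outer source address is still RFC 1918, which on a WAN-side capture means masquerading or SNAT did not rewrite it. The WAN, cloud and LAN addresses, the sample frames and the in-memory pcap are constructed for the demonstration; they are not the poster's real addresses.

```python
"""Audit a WAN-side capture for packets that left with an un-masqueraded RFC 1918
outer source address, decoding Ethernet / IPv4 [/ GRE / IPv4].

Added example, not from the Sophos UTM thread. All addresses and sample frames
below are constructed (assumed) test data."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipv4(buf):
    """Return (src, dst, protocol, header_length) for the IPv4 header at buf[0:]."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IHL")
    return ipaddress.IPv4Address(buf[12:16]), ipaddress.IPv4Address(buf[16:20]), buf[9], ihl


def parse_gre(buf):
    """Return (header_length, encapsulated ethertype) for a GRE header (RFC 2784/2890).
    First-byte flags: C=0x80 checksum, R=0x40 routing (obsolete), K=0x20 key, S=0x10 sequence."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags = buf[0]
    if flags & 0x40:
        raise ValueError("RFC 1701 routing field not supported")
    length = 4 + 4 * bool(flags & 0x80) + 4 * bool(flags & 0x20) + 4 * bool(flags & 0x10)
    return length, struct.unpack("!H", buf[2:4])[0]


def describe_frame(frame):
    """Decode Ethernet / IPv4 [/ GRE / IPv4] and return the addresses seen at each layer."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"ipv4": False, "ethertype": ethertype}
    src, dst, proto, ihl = parse_ipv4(frame[14:])
    info = {"ipv4": True, "outer_src": src, "outer_dst": dst, "outer_proto": proto, "gre": False}
    if proto == IPPROTO_GRE:
        gre_len, inner_type = parse_gre(frame[14 + ihl:])
        info.update(gre=True, gre_proto=inner_type)
        if inner_type == ETHERTYPE_IPV4:  # the MAC / IP / GRE / IP / TCP,UDP layering from the thread
            isrc, idst, iproto, _ = parse_ipv4(frame[14 + ihl + gre_len:])
            info.update(inner_src=isrc, inner_dst=idst, inner_proto=iproto)
    return info


def outer_source_is_rfc1918(info):
    """On a WAN capture a private outer source means masquerading/SNAT did not rewrite the packet."""
    return info["ipv4"] and any(info["outer_src"] in net for net in RFC1918)


def audit_wan_capture(frames):
    """Return [(frame_index, summary)] for every frame that leaked a private outer source."""
    return [(i, info) for i, info in enumerate(map(describe_frame, frames)) if outer_source_is_rfc1918(info)]


def iter_pcap_frames(data):
    """Yield raw Ethernet frames from classic libpcap bytes (Wireshark 'Save as' pcap, LINKTYPE_ETHERNET)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET (1)")
    pos = 24
    while pos + 16 <= len(data):
        _sec, _usec, caplen, _origlen = struct.unpack(endian + "IIII", data[pos:pos + 16])
        yield data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen


# --- constructed test data (assumed addresses, not the poster's real ones) ---
def ipv4_checksum(hdr):
    total = sum((hdr[i] << 8) + hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_gre(inner, key=None):
    hdr = struct.pack("!BBH", 0x20 if key is not None else 0, 0, ETHERTYPE_IPV4)
    return hdr + (struct.pack("!I", key) if key is not None else b"") + inner


def build_ethernet(payload):
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + payload


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian pcap global header
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + n, 0, len(f), len(f)) + f
    return out


WAN_IP, CLOUD_IP, LAN_HOST = "203.0.113.10", "198.51.100.20", "192.168.1.50"  # assumed addresses
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)  # bare 20-byte TCP header
INNER = build_ipv4("10.0.0.1", "10.0.0.2", 6, TCP_SYN)                          # traffic inside the tunnel
SAMPLE_FRAMES = [
    build_ethernet(build_ipv4(WAN_IP, CLOUD_IP, 6, TCP_SYN)),                           # plain TCP, masqueraded
    build_ethernet(build_ipv4(LAN_HOST, CLOUD_IP, IPPROTO_GRE, build_gre(INNER))),      # GRE left with LAN address
    build_ethernet(build_ipv4(WAN_IP, CLOUD_IP, IPPROTO_GRE, build_gre(INNER, key=42))),  # GRE masqueraded, keyed
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for idx, info in audit_wan_capture(iter_pcap_frames(SAMPLE_PCAP)):
        inner = f" (inner {info.get('inner_src')} -> {info.get('inner_dst')})" if info["gre"] else ""
        print(f"frame {idx}: outer {info['outer_src']} -> {info['outer_dst']} proto {info['outer_proto']} not masqueraded{inner}")
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes of a pcap saved from the WAN interface; only the GRE frame built from LAN_HOST is reported, which is exactly the pattern the original poster saw in Wireshark. The check deliberately uses an explicit RFC 1918 list rather than Python's IPv4Address.is_private, because the latter also treats the documentation ranges (203.0.113.0/24 and friends) as private and would misreport legitimately masqueraded packets in a lab that uses them.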

  • Hallo Andreas and welcome to the UTM Community!

    Six years ago, member mircevski started the ASTARO to CISCO GRE tunnel thread.  He proposed the following:

     ASTARO side:
     iptunnel add tun0 mode gre remote xx.xx.xx.xx local yy.yy.yy.yy ttl 255
     ifconfig tun0 inet 172.16.8.2 netmask 255.255.255.0
     ifconfig tun0 up

     CISCO side:
     interface Tunnel0
     ip address 172.16.8.1 255.255.255.0
     tunnel source xx.xx.xx.xx
     tunnel destination yy.yy.yy.yy


    In the same thread, da_merlin (the IPsec guru that adapted StrongSWAN to the UTM) commented:

    Your CLI command works for the connection to ASGs with GRE.

    Did you set up packet filter rules on the ASG allowing protocol 47?
    You must create two rules, one with the Interface Address object as Source
    and one with the Interface Address object as Destination. This will create
    the necessary USR_INPUT and USR_OUTPUT rules. Otherwise the rules are put
    in USR_FORWARD if you choose ANY or a custom created network definition.

    If you can get this to work, please show your work here or on that other thread.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA