I ran into some kernel panics (watchdog reset) with GRE + ESP/transport (or ESP + GRE) back in the day. It was related to MTU assumptions etc. There was a sendbug(8) report related to it. Google "seklecki gre ipsec openbsd":

http://archives.neohapsis.com/archives/openbsd/2006-01/0623.html

etc...

On Sun, 2007-03-25 at 09:55 -0700, Chris Jones wrote:
> Hey all,
>
> I know that it's possible to run GRE over an IPsec tunnel but I am
> wondering if anyone here has seen some good documentation (besides the man
> pages) or a howto on setting this up. I'm trying to config my OpenBSD
> 4.0 firewall to interop with a route-based VPN network with a mix of
> Fortigate and Netscreen firewalls. Fortigates and Netscreens both use GRE
> interfaces as "tunnel interfaces" when creating route-based VPN tunnels.
> Right now all endpoints are using un-numbered (0.0.0.0/0) GRE interfaces
> and so I would like to use a similar configuration on the OpenBSD side but
> I am just wondering how to accomplish this as I am uncertain how to bind
> the GRE interface to a tunnel.
>
> Right now I have a hub-and-spoke VPN network using static routes to route
> traffic across the VPN. Each spoke endpoint has a static destination route
> of 10.1.0.0/16 which is sent over the GRE interface. The only exception to
> the hub-and-spoke VPN is my OpenBSD firewall, which has to create VPN
> tunnels to every spoke network I need access to (quite painful). On my
> OpenBSD box I would like to be able to use a single static destination
> route of 10.1.0.0/16 to send this traffic over a GRE interface to get to
> the rest of the VPN network. Here's a snippet of the hub-and-spoke VPN
> network:
>
> 1.1.1.1
> ----------------
> OpenBSD
> 10.1.1.0/24
> ----------------
>        |
>        |
>        |
>        |
> 2.2.2.2
> ----------------
> Fortigate (Hub)
> 10.1.2.0/24
> ----------------
>        |
>        |
>        |
>        |
> 3.3.3.3
> ----------------
> Juniper
> 10.1.3.0/24
> ----------------
>
> Thanks in advance for your help.
>
> Cheers,
> -Chris
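The MTU point raised in the reply is worth making concrete for the GRE-over-ESP/transport layout the question asks about. The following is an added example (editor's code, not from either poster and not OpenBSD's own code) that computes the wire size of an inner packet once it is wrapped in GRE and then in ESP transport mode, and the largest inner packet that still fits a given outer MTU. Header sizes for ESP (SPI, sequence number, pad-length and next-header bytes) and the basic 4-byte GRE header are per the RFCs; the cipher block, IV and ICV lengths are assumed parameter sets chosen for illustration, since the thread does not say which transforms were in use. Because ESP pads up to the cipher block size, the usable inner MTU is not simply the outer MTU minus a constant, which is exactly the kind of assumption that goes wrong.

```python
# Added example (not from the original thread): MTU budget for GRE carried
# inside ESP in transport mode.
#
# Wire layout for one inner IP packet of length L:
#   outer IP (20) | ESP SPI (4) | ESP seq (4) | IV | GRE (4) | inner (L)
#   | padding | pad-len (1) | next-header (1) | ICV
# GRE header + inner packet + the 2 trailer bytes are padded up to a multiple
# of the cipher block size before encryption (RFC 4303).
from dataclasses import dataclass

OUTER_IP_HDR = 20     # IPv4 header without options
ESP_HDR = 8           # SPI + sequence number
ESP_TRAILER = 2       # pad length + next header
GRE_HDR_BASIC = 4     # flags/version + protocol type; no key/seq/checksum (RFC 2784)


@dataclass(frozen=True)
class EspParams:
    block: int   # cipher block size; padding aligns to this
    iv: int      # IV length prepended to the ciphertext
    icv: int     # integrity check value length


# Parameter sets assumed for illustration; the thread does not state the transforms.
AES_CBC_SHA1 = EspParams(block=16, iv=16, icv=12)   # aes-cbc + hmac-sha1-96
DES3_CBC_MD5 = EspParams(block=8, iv=8, icv=12)     # 3des-cbc + hmac-md5-96


def esp_padding(plaintext_len: int, p: EspParams) -> int:
    """Padding bytes ESP adds so that plaintext + 2-byte trailer is block aligned."""
    return (-(plaintext_len + ESP_TRAILER)) % p.block


def outer_len(inner_len: int, p: EspParams, gre_hdr: int = GRE_HDR_BASIC) -> int:
    """Outer IPv4 length of an inner packet sent as GRE over ESP transport mode."""
    plaintext = gre_hdr + inner_len
    encrypted = plaintext + esp_padding(plaintext, p) + ESP_TRAILER
    return OUTER_IP_HDR + ESP_HDR + p.iv + encrypted + p.icv


def max_inner_mtu(outer_mtu: int, p: EspParams, gre_hdr: int = GRE_HDR_BASIC) -> int:
    """Largest inner packet whose encapsulated form still fits in outer_mtu.

    The encrypted region must be a multiple of the block size, so take the
    largest aligned region that fits after the fixed headers, then subtract
    the GRE header and the ESP trailer.
    """
    room = outer_mtu - OUTER_IP_HDR - ESP_HDR - p.iv - p.icv
    aligned = room - (room % p.block)
    return aligned - ESP_TRAILER - gre_hdr


def will_fragment(inner_len: int, outer_mtu: int, p: EspParams) -> bool:
    """True if the encapsulated packet exceeds the path MTU (fragmented, or dropped if DF is set)."""
    return outer_len(inner_len, p) > outer_mtu


if __name__ == "__main__":
    for name, p in (("aes-cbc/hmac-sha1-96", AES_CBC_SHA1),
                    ("3des-cbc/hmac-md5-96", DES3_CBC_MD5)):
        m = max_inner_mtu(1500, p)
        print(f"{name}: gre0 mtu {m}; inner {m} -> {outer_len(m, p)} bytes on the wire, "
              f"inner {m + 1} -> {outer_len(m + 1, p)} bytes (fragments)")
```

With a 1500-byte path and the AES-CBC/HMAC-SHA1-96 assumption the largest inner packet is 1434 bytes; one byte more pushes the encrypted region into the next 16-byte block and the outer packet to 1512 bytes. Setting the gre interface MTU to the computed value (rather than leaving the default) keeps the stack from producing oversized ESP packets that then have to be fragmented or dropped. The gre_hdr parameter lets you account for the optional 4-byte key and sequence fields if the peer sends them.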