BGP doesn't work between two Zywall connected via GRE over IPSec.

Alexander_Morozov2
edited April 2021 in Security

We faced a big problem, when our commercial partner has to be connected to our GW via GRE over IPSec with BGP support. And we have no choice.

We tried to implement such a type of connection between our own routers first and failed (brief description of the issue below).

Who can kindly help us with that ? I am ready to share our config with a support team.

----------------------------

Issue description.

We have two Zywall routers: 310 and 110, both connected to Internet.

At first we established an un-encrypted tunnel (GRE) between them. Everything was fine. We can ping the opposite side of the tunnel, we can ssh to the opposite gw (by its tunnel's interface), bgp works and announces what it must announce.

Once we put our GRE tunnel into IPSec tunnel, we can just ping the opposite side, ssh doesn't work, BGP does not announce. Packet capture (on tunnel interface) shows that gateways try to establish TCP connection with each other, but only outgoing SYN-SENT packets are seen, no SYN-RECEIVED packets are received.

Just to be clear:

Routing through the tunnel works fine, we can route our LANs through such a tunnel using routing policy, or even by the static route, but it's not an issue.

The issue is that _BGP_ doesn't work, because during BGP session, gateways have to interact directly through the tunnel and have to establish TCP session between them, using their tunnel interfaces. And they DO NOT.

Thanks in advance!

----------------------------

We used these manuals to get familiar with GRE/IPSec configurations on Zywall:

https://www.manualslib.com/manual/1231995/Zyxel-Communications-Zywall-110.html?page=20#manual

https://businessforum.zyxel.com/discussion/2845/gre-over-ipsec-vpn-tunnel-vpn-failover

and some other...
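The symptom in the post (ICMP answered across the tunnel, but BGP and SSH SYNs never drawing a SYN-ACK) is the kind of pattern a small capture parser confirms faster than reading a trace by eye. This is an added example, not code from the post or from Zyxel; it assumes tcpdump-style text lines, and the endpoint addresses 10.0.0.1 / 10.0.0.2 and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines as they might be seen on the GRE tunnel interface.
# Addresses 10.0.0.1 / 10.0.0.2 are assumed tunnel endpoints, not values from the post.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 10.0.0.1.45211 > 10.0.0.2.179: Flags [S], seq 1, win 64240, length 0
12:00:02.000 IP 10.0.0.1.45211 > 10.0.0.2.179: Flags [S], seq 1, win 64240, length 0
12:00:03.000 IP 10.0.0.2.51034 > 10.0.0.1.179: Flags [S], seq 9, win 64240, length 0
12:00:04.000 IP 10.0.0.1.40000 > 10.0.0.2.22: Flags [S], seq 3, win 64240, length 0
12:00:05.000 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 7, seq 1, length 64
12:00:05.001 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 7, seq 1, length 64
12:00:06.000 IP 10.0.0.1.40001 > 10.0.0.2.443: Flags [S], seq 4, win 64240, length 0
12:00:06.001 IP 10.0.0.2.443 > 10.0.0.1.40001: Flags [S.], seq 8, ack 5, win 65535, length 0
"""

TCP_LINE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                      r"Flags \[(?P<flags>[^\]]*)\]")
ICMP_LINE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)")

def analyse_capture(text):
    """Per-flow handshake state ((client, server, port) -> syn count / completed)
    plus ICMP echo request and reply counts."""
    syn_sent = defaultdict(int)
    synack_seen = set()
    icmp = {"request": 0, "reply": 0}
    for line in text.splitlines():
        m = TCP_LINE.search(line)
        if m:
            if m["flags"] == "S":          # client SYN
                syn_sent[(m["src"], m["dst"], int(m["dport"]))] += 1
            elif m["flags"] == "S.":       # server SYN-ACK, so src is the server side
                synack_seen.add((m["dst"], m["src"], int(m["sport"])))
            continue
        m = ICMP_LINE.search(line)
        if m:
            icmp[m["kind"]] += 1
    flows = {k: {"syn": n, "completed": k in synack_seen} for k, n in syn_sent.items()}
    return {"flows": flows, "icmp": icmp}

def half_open_flows(report, port=None):
    """(client, server, port) tuples whose SYNs never drew a SYN-ACK; port=179 isolates BGP."""
    return sorted(k for k, f in report["flows"].items()
                  if not f["completed"] and (port is None or k[2] == port))
```

A report showing echo replies but only half-open TCP flows in both directions narrows the problem to the TCP path across the tunnel (policy applied to the tunnel zone, or the return path) rather than to the BGP configuration itself.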
