We are running GRE over IPSec. We define a local loopback address on the dev lo interface (this must be done in the /etc/config/network file as there is UI way to do it) and a loopback on the Sangfor FW. We bring up the IPSec tunnels in both directions with the loopback interfaces at each end... works.
Our problem is the GRE tunnel. After a reboot the IPSec comes up but the GRE tunnel requires a “/etc/init.d/network restart” to come up. I am guessing this is due to the GRE attempting to come up before the IPSec is up.
Is there a way in the UI to set a delay start of the GRE tunnel?
You could use a script to restart GRE after the system boots, with a short delay. To do this, navigate to System → Maintenance → Custom Scripts and add a script similar to the example below.
(This is a basic example that waits 40 seconds after boot before restarting GRE. Since writing custom scripts is outside the scope of our technical support, I’m unable to provide a more advanced version, but this approach should work.)
# Wait 40 seconds for IPsec to establish
sleep 40
# Restart GRE (replace "gre_name" with your actual interface name)
ifup gre_name
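A variation on the fixed delay, added here as an example and not part of the original thread or vendor guidance: poll until the peer loopback answers across the IPsec tunnel, then bring up GRE. The addresses, the `gre_name` interface, and the assumption that the peer loopback is reachable only through the IPsec SA are placeholders to adapt.

```shell
#!/bin/sh
# Added example: start GRE only once the IPsec path actually carries traffic.
# All three values below are placeholders (assumptions), not from the thread.
PEER_LOOPBACK="${PEER_LOOPBACK:-192.0.2.1}"    # loopback on the remote firewall
LOCAL_LOOPBACK="${LOCAL_LOOPBACK:-192.0.2.2}"  # loopback on this router
GRE_IF="${GRE_IF:-gre_name}"                   # GRE interface name

# Default probe: one ping sourced from the local loopback, so it matches the
# IPsec traffic selectors and succeeds only when the SA is established.
probe_peer() {
    ping -c 1 -W 2 -I "$LOCAL_LOOPBACK" "$PEER_LOOPBACK" >/dev/null 2>&1
}

# wait_for_peer MAX_WAIT INTERVAL [PROBE]
# Returns 0 as soon as PROBE succeeds, 1 once MAX_WAIT seconds have passed.
wait_for_peer() {
    max_wait="$1"
    interval="$2"
    probe="${3:-probe_peer}"
    waited=0
    while [ "$waited" -lt "$max_wait" ]; do
        if "$probe"; then
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 1
}

# bring_up_gre [MAX_WAIT] [INTERVAL] [PROBE]
# Brings GRE up after the probe succeeds; logs and fails if it never does.
bring_up_gre() {
    if wait_for_peer "${1:-120}" "${2:-5}" "${3:-probe_peer}"; then
        ifup "$GRE_IF"
    else
        logger -t gre-wait "peer $PEER_LOOPBACK unreachable, $GRE_IF not started"
        return 1
    fi
}

# Last line of the custom script (commented so the file can be sourced safely):
# bring_up_gre 120 5 &
```

If the timeout is reached, the syslog entry tagged `gre-wait` shows that IPsec never passed traffic, which separates an IPsec failure from a GRE ordering problem.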
I did what you suggested but restarted /etc/init.d/network and it worked about 90% of the time.
I thought it might be issues with the Sangfor FW at the other end so we dropped the GRE tunnels and just went back to ACL (traffic) controlled IPSec on its own.
Now I get the following issue:
1. After reboot, the tunnel comes up fine from the ssh console,
2. From the ssh console I can ping hosts on the other side through the tunnel,
3. My laptop behind the TTNK cannot ping hosts through the tunnel...
To fix issue 3, I need to issue an “/etc/init.d/network restart” and after it all comes back my laptop can ping.