Passing GRE tunnels over IPSec

Question

I'm trying to connect Cisco routers behind XG firewalls via an IPSec tunnel and overlay that a GRE tunnel so as to use a routing protocol (example EIGRP, OSPF, etc). 
 
 Design would look something like this with ETH0 being connected to internal LAN and ETH1 connected to MPLS provider. Overlay that a GRE tunnel and force that out the XS appliances.

Have been working with support. Can ping icmp traffic across router Tunnel12 but cant' get the tunnels to come UP on the Cisco routers. This is because XG's won't forward GRE traffic--simply can't. 
 I've been told only GRE support is limited to XG to XG traffic and have been referenced https://community.sophos.com/kb/en-us/123290 . Have been given https://community.sophos.com/kb/en-us/12329 1if you want to access mulitcast over GRE/IPSec tunnel. 
 How would you recommend designing a connection from an internal Cisco router across IPSec XG to XG to internal Cisco router so as to use routing protocols on the Cisco routers?

sachingurung · Accepted Answer

Hi Matt, 
 I verified the information provided by you, in the present scenario, we found that the GRE traffic was not generated through XG appliance. GRE works on IP Protocol number 47, which isn't supported on IPSec unless the GRE encapsulation happens through the XG itself. You could either configure GRE over IPSec on the XG device if your setup permits it. Please refer to, Sophos XG Firewall: How to forward GRE traffic over IPSec . 
 Thanks,