Configuring GRE Tunnel with IPsec and Dynamic Routing OSPF

Hello there,

I'm a new player in your community and I'm struggling with some problems with dynamic routing on IPFire over IPsec with GRE.

I'll describe my problem: I have done a dev setup with 3 IPFires with 2 IPsec VPNs. They are working fine with static routing, but in our company we have much higher scaling and I want to set up the GRE tunnel with OSPF as the routing protocol.
I have a little knowledge of how it works, but I don't know exactly what I have to configure in the bird.conf or in other configs to get it to work.

At the moment I have set up 3 subnets with | | on the green interfaces; on the red interfaces I have the public IPs from my provider. On each site for development I have 1 client with 10.10.X.3, the firewall is using 10.10.X.2, and the gateway is 10.10.X.1.

I have at the moment no rule setup for anything else.
On the client side I have done the routing with static routes.
My BIRD config is like this:

protocol kernel {
        ipv4 {
                export all;     # Default is export none
        };
#       persist;                # Don't remove routes on BIRD shutdown
}

protocol device {
}

protocol direct {
#       ipv4;
}

# OSPF example, both OSPFv2 and OSPFv3 are supported
protocol ospf {
        ipv4 {
                import all;
                export where source = RTS_STATIC;
        };
        area 0 {
                interface "red*" {
                        type broadcast;         # Detected by default
                        cost 10;                # Interface metric
                        hello 5;                # Default hello period 10 is too long
                };
                interface "gre*" {
                        type ptp;               # PtP mode, avoids DR selection
                        cost 100;               # Interface metric
                        hello 5;                # Default hello period 10 is too long
                };
                interface "dummy0" {
                        stub;                   # Stub interface, just propagate it
                };
        };
}

Does someone have some advice for me?

Hello Philipp,

that sounds like a great project to work on, but I am not entirely sure what the network setup is going to look like in the end.

You certainly do not want to involve the RED interface in this because you only want to talk through your VPN tunnels I suppose.

I would recommend to get some commercial support for this to have it properly reviewed, set up and tested: Subscriptions - Lightning Wire Labs Store
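A BIRD 2 configuration for the setup described in the first post, written as an added example for this thread (it is neither the original poster's config nor anything shipped by IPFire). It follows the advice in the reply: OSPF runs only on the GRE point-to-point interfaces that are carried inside the IPsec tunnels and advertises each site's green network as a stub, so red0 is never part of the OSPF domain and no hello packets leave towards the Internet. The interface names gre1 and gre2, the router ID, the /30 tunnel addresses and the 10.10.X.0/24 green networks are assumptions based on the addressing given in the thread.

```conf
# /etc/bird.conf for the site whose green network is 10.10.1.0/24 (assumed addressing, example only)
log syslog all;
router id 10.10.1.2;            # the firewall's green address doubles as a stable, unique router ID

# Push OSPF-learned routes into the kernel routing table. No other protocol feeds
# the BIRD table here, so "export all" only ever covers OSPF routes.
protocol kernel {
        ipv4 {
                export all;
        };
}

# BIRD needs this to learn interfaces and their addresses from the kernel.
protocol device {
}

# OSPFv2 over the two GRE point-to-point links (gre1 -> site 2, gre2 -> site 3; names assumed).
# The GRE endpoints are the green addresses of the firewalls, so the GRE packets match the
# existing IPsec subnet-to-subnet selectors and are carried encrypted. red0 is deliberately
# not listed: OSPF must never run on the Internet-facing interface.
protocol ospf v2 {
        ipv4 {
                import all;                    # accept what the other sites advertise
                export none;                   # nothing is redistributed; the stub interface covers green
        };
        area 0 {
                interface "gre1", "gre2" {
                        type ptp;              # point-to-point: no DR/BDR election on a /30
                        cost 100;
                        hello 5;               # faster neighbour detection; must match on the far end
                        dead 20;               # 4x hello, must match on the far end as well
                };
                interface "green0" {
                        stub;                  # advertise 10.10.1.0/24 without sending hellos to the clients
                };
        };
}
```

The GRE interfaces themselves are created outside BIRD. With iproute2 a tunnel to site 2 looks like `ip tunnel add gre1 mode gre local 10.10.1.2 remote 10.10.2.2 ttl 255`, followed by `ip addr add 10.255.12.1/30 dev gre1` and `ip link set gre1 up`, with the mirror image (remote 10.10.1.2, address 10.255.12.2/30) on the other firewall; the tunnel addresses are assumed. Things to check before expecting an adjacency: the firewall rules must allow GRE (IP protocol 47) between the green addresses and OSPF (IP protocol 89) on the gre interfaces, hello and dead timers must be identical on both ends, and both ends of a tunnel must use the same MTU, because OSPF compares the interface MTU during database exchange and refuses to go beyond ExStart if it differs. `birdc show ospf neighbors` and `birdc show route` confirm the result.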