I am attempting to setup an IPSec protected GRE tunnel with a Cisco router. I believe the IPSec association is up, however I cannot move traffic over the tunnel.

It is not clear how to integrate the tunnel interface (gre1) with firewall-cmd; adding the interface to trusted does not appear to 'stick'.

[root@aqueduct ~]# firewall-cmd --add-interface=gre1 --zone=trusted The interface is under control of NetworkManager and already bound to 'trusted' The interface is under control of NetworkManager, setting zone to 'trusted'. [root@aqueduct ~]# firewall-cmd --list-all --zone=trusted trusted   target: ACCEPT   icmp-block-inversion: no   interfaces:  <<<< nothing ...

No traffic ever appears to be received by the GRE interface.

6: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1460 qdisc noqueue state UNKNOWN qlen 1     link/gre A.B.C.D peer X.Y.W.Z     inet 10.65.1.1 peer 10.65.1.2/32 scope global gre1        valid_lft forever preferred_lft forever     inet6 fe80::200:5efe:4acc:1a64/64 scope link         valid_lft forever preferred_lft forever [root@aqueduct ~]# ifconfig gre1 gre1: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1460    inet 10.65.1.1  netmask 255.255.255.255  destination 10.65.1.2    inet6 fe80::200:5efe:4acc:1a64  prefixlen 64  scopeid 0x20<link>     unspec 4A-CC-1A-64-00-00-F0-00-00-00-00-00-00-00-00-00  txqueuelen 1  (UNSPEC)    RX packets 0  bytes 0 (0.0 B)    RX errors 0  dropped 0  overruns 0  frame 0    TX packets 146  bytes 12180 (11.8 KiB)    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0