I am attempting to setup an IPSec protected GRE tunnel with a Cisco router. I believe the IPSec association is up, however I cannot move traffic over the tunnel. It is not clear how to integrate the tunnel interface (gre1) with firewall-cmd; adding the interface to trusted does not appear to 'stick'. [root at aqueduct ~]# firewall-cmd --add-interface=gre1 --zone=trusted The interface is under control of NetworkManager and already bound to 'trusted' The interface is under control of NetworkManager, setting zone to 'trusted'. [root at aqueduct ~]# firewall-cmd --list-all --zone=trusted trusted target: ACCEPT icmp-block-inversion: no interfaces: <<<< nothing ... No traffic ever appears to be received by the GRE interface. 6: gre1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1460 qdisc noqueue state UNKNOWN qlen 1 link/gre A.B.C.D peer X.Y.W.Z inet 10.65.1.1 peer 10.65.1.2/32 scope global gre1 valid_lft forever preferred_lft forever inet6 fe80::200:5efe:4acc:1a64/64 scope link valid_lft forever preferred_lft forever [root at aqueduct ~]# ifconfig gre1 gre1: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1460 inet 10.65.1.1 netmask 255.255.255.255 destination 10.65.1.2 inet6 fe80::200:5efe:4acc:1a64 prefixlen 64 scopeid 0x20<link> unspec 4A-CC-1A-64-00-00-F0-00-00-00-00-00-00-00-00-00 txqueuelen 1 (UNSPEC) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 146 bytes 12180 (11.8 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 -- Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383 OpenGroupware Developer <http://www.opengroupware.us/>