Hmm,
This seems similar to my problem: https://forum.pfsense.org/index.php?topic=134812.msg738845#msg738845
Well, here is my late contribution to this thread:
1. A crypto map does the trick with transport mode.
2. A crypto map with tunnel mode works only if a crypto access list matching the one on pfSense is applied to the Cisco map (restricted to IPv4 or IPv6 range selection).
3. If an "IPsec Profile" on the Tunnel interface (Tunnel Protection) is used instead of a crypto map on the physical interface, then the auto-generated crypto access list on the Cisco selects only GRE protocol traffic instead of IP. This has no chance of matching the IP protocol traffic selection on the pfSense side, and this is why I believe the Tunnel Protection Cisco config fails. This can be verified on the Cisco side using the commands:
"debug crypto ipsec"
"show crypto ipsec sa"
(The command "debug crypto isakmp" will show that, although the phase 2 attributes are accepted, the proposal is rejected with "No_Proposal_Chosen". The reason can be found in the output of the "debug crypto ipsec" command.)
4. Not sure if Tunnel Protection can work with transport mode between Cisco and pfSense. Will be happy to try once "3" is solved.
This is why I am asking for a way to configure pfSense so that I can select only GRE protocol traffic instead of IP as IPsec Phase 2 interesting traffic. This would also make it possible to narrow down the selection of packets to be encrypted by IPsec on the pfSense WAN interface to GRE, and allow WAN-sourced non-GRE packets to leave the interface unencrypted.
It would be nice to see this in a future update: more options for selecting IPsec interesting traffic.
Until then, is there a way to tweak the pfSense configuration file to achieve this?
Regards,
Alexandros
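As an added example (not part of the original post, and not configuration taken from pfSense or Cisco documentation), this is what mirrored GRE-only Phase 2 selectors look like on the two sides of the setup described in points 2 and 3 above. The pfSense side is written in raw strongSwan swanctl.conf syntax, which assumes the daemon configuration can be hand-edited rather than driven from the GUI; whether the pfSense configuration file can be tweaked this way is exactly the open question in the post. The addresses 203.0.113.1 (pfSense WAN) and 198.51.100.1 (Cisco), the ACL number 101, the map name PFSENSE and the transform-set name TS are placeholders.

```text
! Cisco side (IOS): crypto map on the physical interface.
! The crypto ACL permits GRE only, so it mirrors the GRE-only selector configured on pfSense.
! Transform set TS is assumed to be defined elsewhere.
access-list 101 permit gre host 198.51.100.1 host 203.0.113.1
crypto map PFSENSE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 101

# pfSense side, in strongSwan swanctl.conf syntax (assumed hand-edited example).
# A selector of the form subnet[proto] restricts the child SA to one IP protocol;
# 47 is GRE. Host routes (/32) plus transport mode give a host-to-host GRE-only SA.
connections {
    cisco {
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.1
        children {
            gre {
                local_ts  = 203.0.113.1/32[47]
                remote_ts = 198.51.100.1/32[47]
                mode      = transport
            }
        }
    }
}
```

With IKEv1 (which is what the "debug crypto isakmp" output in the post refers to), Cisco expects the Phase 2 proxy identities from both peers to mirror each other, protocol included; a pfSense selector covering all IP can therefore never match a crypto ACL or an auto-generated tunnel-protection ACL that permits only GRE, and the quick mode exchange ends in NO_PROPOSAL_CHOSEN. The selectors above match protocol 47 on both sides, so "show crypto ipsec sa" on the Cisco should then show the established SA with a GRE-only local and remote identity.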