Netgate Discussion Forum

    VPN IPsec GRE: Cisco <-> pfSense

jlfeu:

I run a VPN hub used to connect different partners. All partners using Fortinet, OpenBSD, Cisco and Huawei successfully establish their VPN IPsec GRE tunnels with my Cisco 2851 routers.
Unfortunately I have 4 pfSense partners worldwide which are unable to establish phase 2 on two different Cisco routers.

This is the error message I have on my terminal monitor:
Nov 16 2016 15:35:04.494 CET: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /1.1.1.1, src_addr= 2.2.2.2, prot= 47

Phase 2 detail:
#show crypto ipsec sa peer 2.2.2.2

interface: GigabitEthernet0/0
    Crypto map tag: VPN_Map, local addr 1.1.1.1

protected vrf: (none)
  local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
  remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
  current_peer 2.2.2.2 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
    path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
    current outbound spi: 0x0(0)
    PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Is there any known limitation between Cisco and pfSense that could prevent such an implementation?

Thank you for your help.

jimp (Rebel Alliance Developer, Netgate):

There is not nearly enough information to speculate about a possible cause or solution. The error on the Cisco side implies the firewall is sending GRE traffic outside of IPsec. The only way that could happen is if the IPsec tunnel is not matching the traffic.

Show the complete IPsec configuration on pfSense (you can hide/mask any keys) as well as the GRE configuration, IPsec firewall rules, IPsec logs, and the output of "ifconfig -a" and "netstat -rWn".

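jimp's reading of the symptom (GRE arriving in the clear while the crypto map for that peer shows no SAs) can be turned into a repeatable triage check. The script below is an added example, not code from this thread, from Netgate or from Cisco. It parses the `%CRYPTO-4-RECVD_PKT_NOT_IPSEC` line and the `show crypto ipsec sa` output quoted in the first post (constructed copies embedded inline, using the thread's own 1.1.1.1 / 2.2.2.2 placeholders), checks whether the local crypto-map selectors actually cover the clear-text packet, and then distinguishes "phase 2 never came up" (the thread's case: `current outbound spi: 0x0` and empty `esp sas` sections) from "SAs exist but the peer still sends GRE unprotected". The verdict names and the second, "SAs installed" sample are my own constructions.

```python
"""Triage the Cisco symptom from this thread: a %CRYPTO-4-RECVD_PKT_NOT_IPSEC
event for a peer whose 'show crypto ipsec sa' entry shows no phase 2 SAs.
Added example; not code from the thread, Netgate or Cisco."""
import re
from dataclasses import dataclass

# Constructed sample input: the log line and SA summary quoted in the thread
# (1.1.1.1 / 2.2.2.2 are the thread's own placeholder addresses).
SAMPLE_LOG = (
    "Nov 16 2016 15:35:04.494 CET: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: "
    "Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /1.1.1.1, "
    "src_addr= 2.2.2.2, prot= 47"
)
SAMPLE_SA_DOWN = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPN_Map, local addr 1.1.1.1
  local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
  remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
  current_peer 2.2.2.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

outbound esp sas:
"""
# Constructed counter-example (not from the thread): same selectors, but
# ESP SAs are installed, so 'spi:' entries appear under the esp sas headers.
SAMPLE_SA_UP = (
    SAMPLE_SA_DOWN.replace("0x0(0)", "0x1A2B3C4D(439041101)")
    .replace("inbound esp sas:\n", "inbound esp sas:\n  spi: 0x4D3C2B1A(1295788826)\n")
    .replace("outbound esp sas:\n", "outbound esp sas:\n  spi: 0x1A2B3C4D(439041101)\n")
)

LOG_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr=\s*[^/]*/(?P<dst>[\d.]+),"
    r"\s*src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<proto>\d+)"
)
IDENT_RE = re.compile(
    r"(?P<side>local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<proto>\d+)/\d+\)"
)
SPI_RE = re.compile(r"current outbound spi:\s*0x(?P<spi>[0-9a-fA-F]+)")


@dataclass
class ClearPacket:        # what the Cisco log says arrived unprotected
    src: str
    dst: str
    proto: int


@dataclass
class Selector:           # one side of the crypto-map identity
    addr: str
    mask: str
    proto: int            # 0 means "any" in Cisco's output


@dataclass
class IpsecSa:
    local: Selector
    remote: Selector
    outbound_spi: int
    esp_sa_count: int     # 'spi:' entries under the esp sas headers


def parse_log(line: str):
    """Return the ClearPacket from a RECVD_PKT_NOT_IPSEC line, else None."""
    m = LOG_RE.search(line)
    return ClearPacket(m["src"], m["dst"], int(m["proto"])) if m else None


def parse_sa(text: str) -> IpsecSa:
    """Parse the parts of 'show crypto ipsec sa' that the triage needs."""
    idents = {m["side"]: Selector(m["addr"], m["mask"], int(m["proto"]))
              for m in IDENT_RE.finditer(text)}
    if "local" not in idents or "remote" not in idents:
        raise ValueError("no local/remote ident lines found")
    spi_m = SPI_RE.search(text)
    spi = int(spi_m["spi"], 16) if spi_m else 0
    esp_count, in_esp = 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("sas:"):             # section header (esp/ah/pcp)
            in_esp = line.endswith("esp sas:")
        elif in_esp and line.startswith("spi:"):
            esp_count += 1
    return IpsecSa(idents["local"], idents["remote"], spi, esp_count)


def _ip(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def covers(sel: Selector, addr: str, proto: int) -> bool:
    """Does this crypto-map selector cover the given address/protocol?"""
    if sel.proto not in (0, proto):
        return False
    return _ip(sel.addr) & _ip(sel.mask) == _ip(addr) & _ip(sel.mask)


def triage(log_line: str, sa_text: str) -> str:
    """Classify one event against the peer's SA output (verdict names are mine)."""
    pkt = parse_log(log_line)
    if pkt is None:
        return "no-event"
    sa = parse_sa(sa_text)
    # On the receiving router the packet's source is the remote ident and
    # its destination the local ident.
    if not (covers(sa.remote, pkt.src, pkt.proto) and covers(sa.local, pkt.dst, pkt.proto)):
        return "selector-mismatch"      # another crypto map entry may apply
    if sa.esp_sa_count == 0 or sa.outbound_spi == 0:
        return "no-phase2-sa"           # the thread's case: phase 2 never came up
    return "sa-up-cleartext"            # SAs exist, peer's policy is not matching


if __name__ == "__main__":
    for name, sa in (("down", SAMPLE_SA_DOWN), ("up", SAMPLE_SA_UP)):
        print(f"{name}: {triage(SAMPLE_LOG, sa)}")
```

On the thread's own data the verdict is `no-phase2-sa`: the Cisco selectors (1.1.1.1/32 to 2.2.2.2/32, protocol 47) do cover the packet, so the problem is not the hub's crypto map but that no SA exists, which is why the peer's GRE shows up unencrypted. That matches jimp's request for the pfSense-side IPsec configuration and logs rather than more Cisco output.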
jlfeu:

Thank you all for your inputs.
For sure, from the Cisco side I have a public IP, and I guess my remote partners do as well.
Here we are using IKEv1, which does not support NAT-T.

I don't have control over the pfSense equipment, so I have asked my partners to join this forum to provide you with their inputs.

jlfeu:

Indeed.
But this post is not in direct line with my initial issue, as the remote IP is not my router ;-)
