Cisco GRE IPSEC Transport NAT
-
Can this be done with pfsense?
(HOST) >> (pfsense) | NAT | >> internet << | NAT | (CISCO) << (HOST)
|–----IPSEC TRANSPORT-------|
|------------GRE------------I have the GRE tunnel up and has been working for months. Putting IPSEC in transport always breaks it, and I have been staring at logs & debugs for days now. Time to ask if what I am trying to accomplish is even possible. Note that I have AH configured just for testing. I've tried just about every variation in configuration in an attempt to get a stable tunnel.
Cisco
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <secretkey>address <remote wan="" ip="">!
!
crypto ipsec transform-set TS ah-md5-hmac
mode transport
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TSinterface Tunnel1
ip address 172.16.254.9 255.255.255.252
tunnel source <local wan="" ip="">tunnel destination <remote wan="" ip="">tunnel protection ipsec profile protect-grePfsense
Relevant debug info can be provided. I wanted to keep this post short. I am on the latest 2.1-BETA1 AMD64 8.3-RELEASE-P5</remote></local></remote></secretkey>
-
BUMP.
Someone has to know… -
Did you ever get this working, I have tried without success with tunnel protection on the Cisco side, I have a sneaky suspicion that I need a crypto map on the wan interface matching the source and destination wan addresses. Which I cannot do as I need to use a loopback interface, as well as not wanting a crypto map on a major transit interface.
I was getting phase 2 policy mismatch, tempted to have a crack straight from the raccoon backend.
Will do some more labbing.
Neil
-
I have this working with Crypto-map on the WAN side protecting source / destination public addresses used for GRE. when you read other vendors GRE+IPSEC -> Cisco it seems to be the standard cfg:
IOU1#show run Building configuration... Current configuration : 2959 bytes ! ! Last configuration change at 10:29:03 UTC Wed Dec 31 2014 ! version 15.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname IOU1 ! boot-start-marker boot-end-marker ! aqm-register-fnf ! vrf definition DIA ! vrf definition Transit-Cogent rd 1:1 route-target export 1:1 route-target import 1:1 ! address-family ipv4 exit-address-family ! ! no aaa new-model mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 no ip icmp rate-limit unreachable ! ! ! ! ! ! ! ! ! ! no ip domain lookup ip cef no ipv6 cef ! multilink bundle-name authenticated ! ! ! ! ! ! ! ! ! redundancy ! ! ip tcp synwait-time 5 ! crypto keyring Remote-Workers vrf Transit-Cogent pre-shared-key address 1.1.1.2 key cisco ! ! ! ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 5 crypto isakmp profile Remote-Workers keyring Remote-Workers match identity address 1.1.1.2 255.255.255.255 Transit-Cogent isakmp authorization list default ! ! crypto ipsec transform-set Test esp-aes 256 esp-sha-hmac mode transport ! ! ! crypto map Remote-Workers 10 ipsec-isakmp set peer 1.1.1.2 set transform-set Test set isakmp-profile Remote-Workers match address Remote-Workers ! ! ! ! ! interface Tunnel0 ip address 10.173.0.1 255.255.255.252 tunnel source 1.1.1.1 tunnel destination 1.1.1.2 tunnel vrf Transit-Cogent ! interface Ethernet0/0 vrf forwarding Transit-Cogent ip address 1.1.1.1 255.255.255.252 ip access-group Public in crypto map Remote-Workers ! interface Ethernet0/1 no ip address shutdown ! interface Ethernet0/2 no ip address shutdown ! interface Ethernet0/3 no ip address shutdown ! interface Ethernet1/0 no ip address shutdown ! interface Ethernet1/1 no ip address shutdown ! interface Ethernet1/2 no ip address shutdown ! interface Ethernet1/3 no ip address shutdown ! interface Serial2/0 no ip address shutdown serial restart-delay 0 ! interface Serial2/1 no ip address shutdown serial restart-delay 0 ! interface Serial2/2 no ip address shutdown serial restart-delay 0 ! interface Serial2/3 no ip address shutdown serial restart-delay 0 ! interface Serial3/0 no ip address shutdown serial restart-delay 0 ! interface Serial3/1 no ip address shutdown serial restart-delay 0 ! interface Serial3/2 no ip address shutdown serial restart-delay 0 ! interface Serial3/3 no ip address shutdown serial restart-delay 0 ! ip forward-protocol nd ! ! no ip http server no ip http secure-server ! ip access-list extended Public permit udp any any eq isakmp permit esp any any deny ip any any log ip access-list extended Remote-Workers permit ip host 1.1.1.1 host 1.1.1.2 ! !IOU1#show run Building configuration... Current configuration : 2959 bytes ! ! Last configuration change at 10:29:03 UTC Wed Dec 31 2014 ! version 15.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname IOU1 ! boot-start-marker boot-end-marker ! aqm-register-fnf ! vrf definition DIA ! vrf definition Transit-Cogent rd 1:1 route-target export 1:1 route-target import 1:1 ! address-family ipv4 exit-address-family ! ! no aaa new-model mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 no ip icmp rate-limit unreachable ! ! ! ! ! ! ! ! ! ! no ip domain lookup ip cef no ipv6 cef ! multilink bundle-name authenticated ! ! ! ! ! ! ! ! ! redundancy ! ! ip tcp synwait-time 5 ! crypto keyring Remote-Workers vrf Transit-Cogent pre-shared-key address 1.1.1.2 key cisco ! ! ! ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 5 crypto isakmp profile Remote-Workers keyring Remote-Workers match identity address 1.1.1.2 255.255.255.255 Transit-Cogent isakmp authorization list default ! ! crypto ipsec transform-set Test esp-aes 256 esp-sha-hmac mode transport ! ! ! crypto map Remote-Workers 10 ipsec-isakmp set peer 1.1.1.2 set transform-set Test set isakmp-profile Remote-Workers match address Remote-Workers ! ! ! ! ! interface Tunnel0 ip address 10.173.0.1 255.255.255.252 tunnel source 1.1.1.1 tunnel destination 1.1.1.2 tunnel vrf Transit-Cogent ! interface Ethernet0/0 vrf forwarding Transit-Cogent ip address 1.1.1.1 255.255.255.252 ip access-group Public in crypto map Remote-Workers ! interface Ethernet0/1 no ip address shutdown ! interface Ethernet0/2 no ip address shutdown ! interface Ethernet0/3 no ip address shutdown ! interface Ethernet1/0 no ip address shutdown ! interface Ethernet1/1 no ip address shutdown ! interface Ethernet1/2 no ip address shutdown ! interface Ethernet1/3 no ip address shutdown ! interface Serial2/0 no ip address shutdown serial restart-delay 0 ! interface Serial2/1 no ip address shutdown serial restart-delay 0 ! interface Serial2/2 no ip address shutdown serial restart-delay 0 ! interface Serial2/3 no ip address shutdown serial restart-delay 0 ! interface Serial3/0 no ip address shutdown serial restart-delay 0 ! interface Serial3/1 no ip address shutdown serial restart-delay 0 ! interface Serial3/2 no ip address shutdown serial restart-delay 0 ! interface Serial3/3 no ip address shutdown serial restart-delay 0 ! ip forward-protocol nd ! ! no ip http server no ip http secure-server ! ip access-list extended Public permit udp any any eq isakmp permit esp any any deny ip any any log ip access-list extended Remote-Workers permit ip host 1.1.1.1 host 1.1.1.2 ! ! ! !
Most people can ignore the VRF syntax,
Will now have another crack at Tunnel protection,
Regards neil
![PFSENSE GRE CFG.png](/public/imported_attachments/1/PFSENSE GRE CFG.png)
![PFSENSE GRE CFG.png_thumb](/public/imported_attachments/1/PFSENSE GRE CFG.png_thumb)
![PFSENSE IPSEC Ph 1.png](/public/imported_attachments/1/PFSENSE IPSEC Ph 1.png)
![PFSENSE IPSEC Ph 1.png_thumb](/public/imported_attachments/1/PFSENSE IPSEC Ph 1.png_thumb)
![PFSENSE IPSEC Ph 2.png](/public/imported_attachments/1/PFSENSE IPSEC Ph 2.png)
![PFSENSE IPSEC Ph 2.png_thumb](/public/imported_attachments/1/PFSENSE IPSEC Ph 2.png_thumb) -
The above method seems the only way to configure IPSEC GRE,
Might try again with 2.2 & Strongswan
Neil
-
The above method seems the only way to configure IPSEC GRE,
Sadly, 2/3 screenshots are totally useless due to extremely poor resulution :(
-
The above method seems the only way to configure IPSEC GRE,
Sadly, 2/3 screenshots are totally useless due to extremely poor resulution :(
Lol didnt check that, it actually took more time getting and cropping those due to using a VM than the lab…... doh
will boot up and use the snip tool tomorrow,
Neil
-
This should work properly on 2.2 mostly due to TRANSPORT mode fixes in kernel.
-
Hmm,
Seems this is similar to my problem… https://forum.pfsense.org/index.php?topic=134812.msg738845#msg738845
Well, here is my, late, contribution to this thread:
1. A crypto map does the trick with transport mode.
2. Crypto map with Tunnel mode works only if a Crypto Access-list matching the one on PfSense is applied to the Cisco map (restricted to IPv4 or IPv6 range selection)
3. If an "IPsec Profile" on the Tunnel interface (Tunnel Protection..) is used instead of a Crypto Map on the Physical interface then the auto generated Crypto Access List on the Cisco selects only GRE protocol traffic instead of IP. This has no chance to match the IP protocol traffic selection on the PFSense side and this is why I believe the Tunnel Protection Cisco config fails. This can be verified on the cisco side using the commands:
"debug crypto ipsec"
"show crypto ipsec sa"
(the command "debug crypto isakmp" will show that although phase 2 attributes are accepted the proposal is rejected "No_Proposal_Chosen". The reason can be found in the output of the "debug crypto ipsec" command)
4. Not sure if Tunnel protection can work with Transport mode between Cisco and PFSense. Will be happy to try once "3" is solvedThis is why I am asking for a way to configure PFSense in a way that I can select only GRE protocol traffic instead of IP as IPsec Phase2 interesting traffic. This will also make possible to narrow down the selection of packets to be encrypted by IPsec on the PFSense WAN interface to GRE and allow for WAN sourced non GRE packets to leave the interface unencrypted.
Would be nice to see this in a future update. More options in selecting IPsec interesting traffic
Until then.. Is there a way to tweak PFSense configuration file to achieve this?
Regards,
Alexandros