Netgate Discussion Forum

    Encrypted GRE tunnel from Pfsense to Cisco Router

    • agroshong

      Hello,

      I work for an MSP. We use GRE encrypted VPN tunnels to our customers to provide support and access to their hosted servers. We have been Cisco focused, but are now getting customers asking if they can use pfSense. We use iBGP to peer with our customers to provide ISP failover. I am having an issue encrypting a GRE tunnel between our Cisco routers and a test pfSense box. I am able to configure the GRE and iBGP peer on pfSense but am unable to find a compatible IPsec configuration to match the Cisco routers.

      Cisco Router Config
      GigabitEthernet0/0/0 = 172.16.1.25 (substitute IP Address)

      ! IKE phase 1 (ISAKMP) policy
      crypto isakmp policy 14
       encr aes 256
       hash sha256
       authentication pre-share
       group 14

      ! Pre-shared key for the pfSense peer (172.16.1.10 is a substitute IP address)
      crypto isakmp key *************** address 172.16.1.10

      ! Phase 2 transform set, applied to the GRE tunnel through the profile below
      crypto ipsec transform-set aes256sha-trans esp-aes 256 esp-sha-hmac
       mode tunnel

      crypto ipsec profile PROTECT_GRE
       set transform-set aes256sha-trans

      interface Tunnel180
       description *** Test Tunnel to Pfsense ***
       ip address 10.180.90.1 255.255.255.252
       ip mtu 1400
       ip tcp adjust-mss 1360
       tunnel source GigabitEthernet0/0/0
       ! tunnel destination is the pfSense peer (substitute IP address)
       tunnel destination 172.16.1.10
       tunnel protection ipsec profile PROTECT_GRE

      • Konstanti @agroshong

        @agroshong

        Hello,
        when setting up phase 2, try using
        mode transport
        on both sides of the tunnel.

        con2000{1975}:  INSTALLED, TRANSPORT, reqid 56, ESP SPIs: caa90ec3_i c23ff48d_o
        con2000{1975}:  AES_CBC_256/HMAC_SHA2_256_128, 17826138 bytes_i (18420 pkts, 2s ago), 3228172 bytes_o (17177 pkts, 2s ago), rekeying in 14 minutes
        con2000{1975}:   79.XXX.XXX.XXX/32|/0[gre] === 37.XXX.XX.XX/32|/0[gre]
        


        conn con2000
        	fragmentation = yes
        	keyexchange = ikev2
        	reauth = yes
        	forceencaps = no
        	mobike = no
        	
        	rekey = yes
        	installpolicy = yes
        	type = transport
        	dpdaction = restart
        	dpddelay = 10s
        	dpdtimeout = 60s
        	auto = route
        
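An added example, not code from any poster in this thread: a Python check that resolves the Cisco ipsec profile to the mode of its transform-set and compares it with the strongSwan conn `type`, the setting the reply above says to use on both sides. The inputs are trimmed from the configs posted above, and the function names are made up for this example.

```python
import re

# Constructed inputs: IPsec lines of the Cisco config from the first post, and
# the relevant lines of the strongSwan conn block from the reply.
CISCO_CFG = """\
crypto ipsec transform-set aes256sha-trans esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile PROTECT_GRE
 set transform-set aes256sha-trans
interface Tunnel180
 tunnel protection ipsec profile PROTECT_GRE
"""
STRONGSWAN_CONF = "conn con2000\n\tkeyexchange = ikev2\n\ttype = transport\n\tauto = route\n"

def ios_sections(cfg):
    """Yield (top-level command, [indented sub-commands]) from IOS config text."""
    header, body = None, []
    for line in cfg.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and comment lines
        if line[0].isspace():
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line.strip(), []
    if header is not None:
        yield header, body

def cisco_profile_mode(cfg, profile):
    """Mode of the transform-set an ipsec profile uses (IOS default: tunnel)."""
    modes, uses = {}, {}
    for header, body in ios_sections(cfg):
        if m := re.match(r"crypto ipsec transform-set (\S+)", header):
            modes[m[1]] = next((b.split()[1] for b in body if b.startswith("mode ")), "tunnel")
        elif m := re.match(r"crypto ipsec profile (\S+)", header):
            uses[m[1]] = next(b.split()[2] for b in body if b.startswith("set transform-set "))
    return modes[uses[profile]]

def strongswan_conn_type(conf, conn):
    """`type` of a conn section in ipsec.conf syntax (default: tunnel)."""
    section = re.search(rf"^conn {re.escape(conn)}\n((?:[ \t]+.*\n?)*)", conf, re.M)
    m = re.search(r"^\s*type\s*=\s*(\S+)", section[1], re.M)
    return m[1] if m else "tunnel"

def modes_match(cfg, profile, conf, conn):
    """True when both peers use the same ESP encapsulation mode."""
    return cisco_profile_mode(cfg, profile) == strongswan_conn_type(conf, conn)
```

With the first post's `mode tunnel` the check returns False against `type = transport`; with the transform-set changed to `mode transport` it returns True.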
        • agroshong

          @Konstanti

          Thank you! That was the combo I needed; the VPN is up and stable. Now I just need to figure out why my BGP neighbor relationship is flapping :)

          • jadedmia

            Can you post your pfSense config by chance? I am trying to do the same thing, but have trouble with the pfSense GRE tunnel coming up. Thanks!

            • agroshong

              I am sorry, I no longer have this up and running.

              • jadedmia

                No worries. Thanks anyways!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.