PfSense to Juniper SRX BGP over IPSEC
Hello all:
I am having grave difficulties getting BGP peers connected via GRE over IPSEC. This is a pretty standard configuration in Juniper and Cisco land, but I cannot figure out the pfSense side. The other peer is a Juniper SRX and I control both sides. Attached is a network diagram of what I am trying to do. There is one complication in this setup: the pfSense side is in VMware vCloud Air, and you have to go through their edge gateway/firewall, so the pfSense WAN interface is a private IP address statically NAT'd (1:1) to a public IP address. The good news is I am able to get phase I and phase II UP, so I believe the IPSEC tunnel settings are OK. I cannot get the GRE endpoints to see each other, so this is where I am stuck. I am sure once the GRE endpoints can talk then BGP will also happen. Here are my settings on the pfSense side:
IPSEC VPN
Phase 1

General Information
- Disabled = unchecked
- Key Exchange version = V1
- Internet Protocol = V4
- Interface = WAN
- Remote Gateway = 65.1.2.3
- Description = to-fwqtssc01

Phase 1 Proposal (Authentication)
- Authentication Method = Mutual PSK
- Negotiation mode = Main
- My identifier = IP Address 10.1.1.1
- Peer identifier = Peer IP Address
- Pre-Shared Key = PRESHAREDKEY

Phase 1 Proposal (Algorithms)
- Encryption Algorithm = 3DES
- Hash Algorithm = SHA1
- DH Group = 2
- Lifetime (Seconds) = 28800

Advanced Options
- Disable rekey = unchecked
- Responder Only = checked
- NAT Traversal = Force
- Dead Peer Detection = checked
- Delay = 10
- Max failures = 5

Phase 2

General Information
- Disabled = unchecked
- Mode = Tunnel IPv4
- Local Network = LAN subnet
- NAT/BINAT translation = None
- Remote Network = Network Address = 10.40.1.0/24
- Description = to-fwqtssc01

Phase 2 Proposal (SA/Key Exchange)
- Protocol = ESP
- Encryption Algorithms = AES (128 bits)
- Hash Algorithms = SHA1
- PFS key group = 2
- Lifetime = 3600

Advanced Configuration
- Automatically ping host = <blank>
Phase I and II come up as far as I can see but at this point I cannot ping trusted networks in either direction. I temporarily put a static route in the SRX side that says 10.30.1.0/24 sits behind st0.16 (secure tunnel interface) but where/how do I say to pfSense 10.40.1.0/24 sits behind the IPSEC tunnel? I would have expected static routing to work at this point, but no.
So, moving along, I deleted the static route and created a GRE tunnel. Here is the pfSense side:
Interfaces/GREs/Edit
GRE Configuration
- Parent Interface: WAN
- GRE Remote Address: 65.1.2.3
- GRE tunnel local address: 192.168.1.2
- Local GRE tunnel endpoint: 192.168.1.1
- GRE tunnel subnet: 30
- Add Static Route (Add an explicit static route for the remote inner tunnel address/subnet via the local tunnel address): checked
- Description: to-fwqtssc01
Interface Assignments
GRE0: GRE 65.1.2.3 (to-fwqtssc01)
Interfaces OPT1
General Configuration
- Enable: checked
- MSS: 1300

Reserved Networks
- Block private networks: unchecked
- Block bogon networks: unchecked
On the firewall rules I have added any-any-any-permit rules to IPSEC, and for WAN opened ICMP, GRE, UDP500, and ESP for 65.1.2.3. So the IPSEC tunnel appears to be up, the Interface Status page shows GRE0 up, however the GRE endpoints cannot ping and I cannot heat up BGP to exchange routes. Adding a static route on the SRX to the pfSense trusted network does not seem to work either. I would be happy to provide any additional information needed to troubleshoot this issue.
Thanks!
![PFSENSE TO SRX.jpg](/public/imported_attachments/1/PFSENSE TO SRX.jpg)
Small typo on the diagram: the 1:1 NAT goes to the pfSense "WAN" IP 10.1.1.1.