PfSense to Juniper SRX BGP over IPSEC
-
hello all:
I am having grave difficulties getting BGP peers connected via GRE over IPSEC. This is a pretty standard configuration in Juniper and Cisco land but I cannot figure out the pfSense side. The other peer is Juniper SRX and I control both sides. Attached is a network diagram of what I am trying to do. There is one complication in this setup, the pfSense side is in VMWare VCloud Air, and you have to go through their edge gateway/firewall so the pfSense WAN interface is a private IP address statically NAT'd (1:1) to a public IP address. The good news is I am able to get phase I and phase II UP so I believe the IPSEC tunnel settings are ok. I cannot get the GRE endpoints to see each other so this is where I am stuck. I am sure once the GRE endpoints can talk then BGP will also happen. Here are my settings on the pfSense side:
IPSEC VPN
Phase 1 General Information Disabled = unchecked Key Exchange version = V1 Internet Protocol = V4 Interface = WAN Remote Gateway = 65.1.2.3 Description = to-fwqtssc01 Phase 1 Proposal (Authentication) Authentication Method = Mutual PSK Negotiation mode = Main My identifier = IP Address 10.1.1.1 Peer identifier = Peer IP Address Pre-Shared Key = PRESHAREDKEY Phase 1 Proposal (Algorithms) Encryption Algorithm = 3DES Hash Algorithm = SHA1 DH Group = 2 Lifetime (Seconds) = 28800 Advanced Options Disable rekey = unchecked Responder Only = checked NAT Traversal = Force Dead Peer Detection = checked Delay = 10 Max failures = 5 Phase 2 General Information Disabled = unchecked Mode = Tunnel IPv4 Local Network = LAN subnet NAT/BINAT translation = None Remote Network = Network Address = 10.40.1.0/24 Description = to-fwqtssc01 Phase 2 Proposal (SA/Key Exchange) Protocol = ESP Encryption Algorithms = AES (128 bits) Hash Algorithms = SHA1 PFS key group = 2 Lifetime = 3600 Advanced Configuration Automatically ping host = <blank></blank>Phase I and II come up as far as I can see but at this point I cannot ping trusted networks in either direction. I temporarily put a static route in the SRX side that says 10.30.1.0/24 sits behind st0.16 (secure tunnel interface) but where/how do I say to pfSense 10.40.1.0/24 sits behind the IPSEC tunnel? I would have expected static routing to work at this point, but no.
SO, moving along I deleted the static route and created a GRE tunnel, here is the pfSense side:
Interfaces/GREs/Edit
GRE Configuration Parent Interface: WAN GRE Remote Address: 65.1.2.3 GRE tunnel local address: 192.168.1.2 Local GRE tunnel endpoint: 192.168.1.1 GRE tunnel subnet: 30 Add Static Route Add an explicit static route for the remote inner tunnel address/subnet via the local tunnel address: checked Description: to-fwqtssc01Interface Assignments
GRE0: GRE 65.1.2.3 (to-fwqtssc01)Interfaces OPT1
General Configuration Enable: checked MSS: 1300 Reserved Networks Block private networks: unchecked Block bogon networks: uncheckedOn the firewall rules I have added any-any-any-permit rules to IPSEC, and for WAN opened ICMP, GRE, UDP500, and ESP for 65.1.2.3. So the IPSEC tunnel appears to be up, the Interface Status page shows GRE0 up, however the GRE endpoints cannot ping and I cannot heat up BGP to exchange routes. Adding a static route on the SRX to the pfSense trusted network does not seem to work either. I would be happy to provide any additional information needed to troubleshoot this issue.
Thanks!
 -
small typo on the diagram, the 1:1 NAT goes to the pfsense "WAN" IP 10.1.1.1