Netgate Discussion Forum
    PfSense to Juniper SRX BGP over IPSEC

    IPsec
clahti:

Hello all:

      I am having grave difficulties getting BGP peers connected via GRE over IPSEC.  This is a pretty standard configuration in Juniper and Cisco land but I cannot figure out the pfSense side.  The other peer is Juniper SRX and I control both sides.  Attached is a network diagram of what I am trying to do.  There is one complication in this setup, the pfSense side is in VMWare VCloud Air, and you have to go through their edge gateway/firewall so the pfSense WAN interface is a private IP address statically NAT'd (1:1) to a public IP address.  The good news is I am able to get phase I and phase II UP so I believe the IPSEC tunnel settings are ok.  I cannot get the GRE endpoints to see each other so this is where I am stuck.  I am sure once the GRE endpoints can talk then BGP will also happen.  Here are my settings on the pfSense side:

      IPSEC VPN

      
      Phase 1
      
      General Information
       Disabled = unchecked
       Key Exchange version = V1
       Internet Protocol  = V4
       Interface = WAN
       Remote Gateway = 65.1.2.3
       Description = to-fwqtssc01
      
      Phase 1 Proposal (Authentication)
       Authentication Method = Mutual PSK
       Negotiation mode = Main
       My identifier = IP Address 10.1.1.1
       Peer identifier = Peer IP Address
       Pre-Shared Key = PRESHAREDKEY
      
      Phase 1 Proposal (Algorithms)
       Encryption Algorithm = 3DES
       Hash Algorithm = SHA1
       DH Group = 2
       Lifetime (Seconds) = 28800
      
      Advanced Options
       Disable rekey = unchecked
       Responder Only = checked
       NAT Traversal  = Force
       Dead Peer Detection = checked
       Delay = 10
       Max failures = 5
      
      Phase 2
      
      General Information
       Disabled = unchecked
       Mode = Tunnel IPv4
       Local Network = LAN subnet
       NAT/BINAT translation = None
       Remote Network = Network Address = 10.40.1.0/24
       Description = to-fwqtssc01
      
      Phase 2 Proposal (SA/Key Exchange)
       Protocol = ESP
       Encryption Algorithms = AES (128 bits)
       Hash Algorithms = SHA1
       PFS key group = 2
       Lifetime = 3600
      
      Advanced Configuration
 Automatically ping host = (blank)
      

Phase I and II come up as far as I can see, but at this point I cannot ping trusted networks in either direction.  I temporarily put a static route on the SRX side that says 10.30.1.0/24 sits behind st0.16 (secure tunnel interface), but where/how do I tell pfSense that 10.40.1.0/24 sits behind the IPSEC tunnel?  I would have expected static routing to work at this point, but no.

So, moving along, I deleted the static route and created a GRE tunnel.  Here is the pfSense side:

      Interfaces/GREs/Edit

      
      GRE Configuration
       Parent Interface: WAN
       GRE Remote Address: 65.1.2.3
       GRE tunnel local address: 192.168.1.2
       Local GRE tunnel endpoint: 192.168.1.1
       GRE tunnel subnet: 30
       Add Static Route Add an explicit static route for the remote inner tunnel address/subnet via the local tunnel address: checked
       Description: to-fwqtssc01
      
      

      Interface Assignments

      
      GRE0: GRE 65.1.2.3 (to-fwqtssc01)
      
      

      Interfaces OPT1

      
      General Configuration
       Enable: checked
       MSS: 1300
      
      Reserved Networks
       Block private networks: unchecked
       Block bogon networks: unchecked
      
      

      On the firewall rules I have added any-any-any-permit rules to IPSEC, and for WAN opened ICMP, GRE, UDP500, and ESP for 65.1.2.3.  So the IPSEC tunnel appears to be up, the Interface Status page shows GRE0 up, however the GRE endpoints cannot ping and I cannot heat up BGP to exchange routes.  Adding a static route on the SRX to the pfSense trusted network does not seem to work either.  I would be happy to provide any additional information needed to troubleshoot this issue.

      Thanks!
![PFSENSE TO SRX.jpg](/public/imported_attachments/1/PFSENSE TO SRX.jpg)

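The post above configures a tunnel-mode (policy-based) IPsec Phase 2 for LAN subnet to 10.40.1.0/24 and then expects a GRE tunnel between the WAN address and the SRX's public address to ride inside it. In policy-based IPsec the kernel only ESP-encapsulates packets whose outer source/destination fall inside a Phase 2 traffic selector; anything else is handled by ordinary routing and, here, the vCloud Air 1:1 NAT. The script below is an added illustration of that rule, not code from the thread or from pfSense: it takes the addresses the poster listed (LAN taken as 10.30.1.0/24, since the post says that network sits behind st0.16 on the SRX side; WAN 10.1.1.1; peer 65.1.2.3; GRE inner 192.168.1.1/192.168.1.2) and reports which flows a given set of selectors would encrypt. The second selector set, a /32-to-/32 Phase 2 covering the GRE endpoints, is an assumption included only for comparison, not the thread's answer.

```python
"""Which flows would a policy-based IPsec tunnel actually encrypt?

Added example (not from the original post or from pfSense). pfSense tunnel-mode
IPsec is policy-based: strongSwan installs an SA whose traffic selectors are the
Phase 2 Local Network / Remote Network pair, and only packets whose outer
source and destination fall inside that pair are ESP-encapsulated. Everything
else leaves the WAN interface in the clear and follows normal routing/NAT.
Addresses below come from the post; the /32 GRE-endpoint selector and the
sample host addresses are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Flow = Tuple[str, str, str]  # (label, src, dst)


@dataclass(frozen=True)
class Phase2Selector:
    """One pfSense Phase 2 entry: Local Network <-> Remote Network."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    description: str = ""


def selector(local: str, remote: str, description: str = "") -> Phase2Selector:
    """Build a selector from CIDR strings (host addresses become /32s)."""
    return Phase2Selector(
        ipaddress.ip_network(local, strict=False),
        ipaddress.ip_network(remote, strict=False),
        description,
    )


def matching_selector(selectors: Iterable[Phase2Selector], src: str, dst: str) -> Optional[Phase2Selector]:
    """Return the first selector whose local/remote pair covers src -> dst, else None.

    This mirrors the outbound policy lookup: the *outer* IP header of the packet
    leaving the firewall is what gets compared, so a GRE packet is judged by its
    GRE endpoints, not by the addresses of whatever it carries inside.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sel in selectors:
        if s in sel.local and d in sel.remote:
            return sel
    return None


def audit(selectors: Iterable[Phase2Selector], flows: Iterable[Flow]) -> Dict[str, bool]:
    """Map each flow label to True if an SA would carry it, False if it goes out in the clear."""
    sels = list(selectors)
    return {label: matching_selector(sels, src, dst) is not None for label, src, dst in flows}


def report(selectors: Iterable[Phase2Selector], flows: Iterable[Flow]) -> List[str]:
    """Human-readable version of audit(), one line per flow."""
    sels = list(selectors)
    lines = []
    for label, src, dst in flows:
        sel = matching_selector(sels, src, dst)
        state = f"ESP via '{sel.description}'" if sel else "NOT encrypted (plain routing / 1:1 NAT)"
        lines.append(f"{label:16s} {src:>12s} -> {dst:<12s} {state}")
    return lines


# Phase 2 exactly as posted: Local Network = LAN subnet, Remote Network = 10.40.1.0/24
BASE_SELECTORS = [selector("10.30.1.0/24", "10.40.1.0/24", "to-fwqtssc01 (LAN <-> 10.40.1.0/24)")]

# Assumption for comparison only: a second Phase 2 that covers the GRE outer endpoints.
WITH_GRE_SELECTORS = BASE_SELECTORS + [selector("10.1.1.1/32", "65.1.2.3/32", "GRE endpoints (hypothetical)")]

SAMPLE_FLOWS: List[Flow] = [
    ("lan-to-remote", "10.30.1.10", "10.40.1.10"),    # constructed hosts on each LAN
    ("gre-outer", "10.1.1.1", "65.1.2.3"),             # GRE packet as it leaves the pfSense WAN
    ("gre-inner-ping", "192.168.1.2", "192.168.1.1"),  # inner tunnel addresses; never seen by the policy lookup
]

if __name__ == "__main__":
    print("Phase 2 as posted:")
    print("\n".join(report(BASE_SELECTORS, SAMPLE_FLOWS)))
    print("\nWith a GRE-endpoint Phase 2 added (assumption):")
    print("\n".join(report(WITH_GRE_SELECTORS, SAMPLE_FLOWS)))
```

With the selectors as posted, only the LAN-to-10.40.1.0/24 flow matches; the GRE packet from 10.1.1.1 to 65.1.2.3 does not, so it is routed out of the WAN unencrypted and has to survive the 1:1 NAT and the edge firewall on its own. Whatever selector pair ends up covering the GRE endpoints, the SRX's proxy-IDs for that SA have to mirror it exactly (its local 65.1.2.3/32 against the pfSense-side 10.1.1.1/32 as seen inside the tunnel), otherwise Phase 2 will not negotiate.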
clahti:

Small typo on the diagram: the 1:1 NAT goes to the pfSense "WAN" IP 10.1.1.1.

© 2021 Rubicon Communications, LLC