VPN IPsec GRE: Cisco <-> pfSense



  • I'm a VPN Hub used to connect different partners. All partners using Fortinet, OpenBSD, Cisco, Huawei establish successfully their VPN IPSec GRE tunnel with my Cisco 2851 routers.
    Unfortunately I have 4 pfSense partners worldwide which are unable to establish phase2 on two different Cisco router.

    This is error message I have on my terminal monitor:
    Nov 16 2016 15:35:04.494 CET: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /1.1.1.1, src_addr= 2.2.2.2, prot= 47

    Phase 2 detail:
    #show crypto ipsec sa peer 2.2.2.2

    interface: GigabitEthernet0/0
        Crypto map tag: VPN_Map, local addr 1.1.1.1

    protected vrf: (none)
      local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
      remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
      current_peer 2.2.2.2 port 500
        PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

    local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
        path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
        current outbound spi: 0x0(0)
        PFS (Y/N): N, DH group: none

    inbound esp sas:

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:

    outbound ah sas:

    outbound pcp sas:

    Is there any known limitation between Cisco and pfSense which can prevent such implementation?

    Thank you for your help


  • Rebel Alliance Developer Netgate

    There is not nearly enough information to speculate about a possible cause or solution. The error on the Cisco side implies the firewall is sending GRE traffic outside of IPsec. The only way that could happen is if the IPsec tunnel is not matching the traffic.

    Show the complete IPsec configuration on pfSense (you can hide/mask any keys) as well as the GRE configuration, IPsec firewall rules, IPsec logs, output of "ifconfig -a", and "netstat -rWn"



  • Thank you all for your inputs.
    For sur from the Cisco side I have a public IP and guess my remote partners as well.
    Here we are using IKEv1 which does not support Nat-T.

    I don't have control on the pfSense equipment so I have requested to my partners to join this forum to provide you with their inputs.



  • Indeed.
    But this post is not in direct line with my initial issue as the remote IP is not my router https://forum.pfsense.org/Smileys/default/wink.gif