VPN IPsec GRE: Cisco <-> pfSense



  • I think I am having the same issue as yourself.
    I can get a basic GRE tunnel established and ping from my Cisco 887 to the pfSense box (10.0.10.2 to 10.0.10.1 are the tunnel IPs), but once I initiate a connection and bring up the IPsec part, I can no longer ping.
    I have also seen the same event in the log of the Cisco 887.



  • Here is what I think is all the information you have requested.
    Thank you for looking into this.

    BTW, it is possible, isn't it?

    tshoot.zip


  • Rebel Alliance Developer Netgate

    It is possible, yes. Though your WAN is behind NAT, that won't work properly with transport mode IPsec as far as I'm aware. Need to have a public address on both sides of the tunnel or IPsec has no hope of working in transport mode.


  • Rebel Alliance Developer Netgate

    The WAN IP address on pfSense is 10.250.0.2 in the post above, which is not a public address. Both IPsec endpoints must have a public address for transport mode IPsec to work.



  • We might want to split this up, as my config seems to be different from the other poster's.

    Also I am running Tunnel IPv4, would that not work?


  • Rebel Alliance Developer Netgate

    It may be a different issue.

    You can't run GRE from pfSense to a remote using tunnel mode, only transport. Or if it is possible I've never seen it work. I expect the Cisco end would require transport mode for that as well.

    I'll attempt to split the thread.
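
    For reference, this is what the Cisco side of a GRE-over-IPsec setup in transport mode looks like in IOS. It is an added example, not the configuration from any poster in this thread or from Netgate; it keeps only the tunnel addresses already given above (10.0.10.2 on the Cisco, 10.0.10.1 on pfSense), and the public addresses, pre-shared key and tunnel number are placeholders. The line that matters for the discussion is `mode transport` in the transform set; the pfSense Phase 2 entry would need to be set to Transport mode to match.

    ```cisco
    ! IKEv1 policy (assumed values; adjust to site policy)
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 14
    ! <PSK> and <PFSENSE_PUBLIC_IP> are placeholders
    crypto isakmp key <PSK> address <PFSENSE_PUBLIC_IP>
    !
    ! Transform set in TRANSPORT mode: only the GRE payload is protected,
    ! so both IPsec peers must be the real (public) GRE endpoints.
    crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
     mode transport
    !
    crypto ipsec profile GRE-PROT
     set transform-set TS-GRE
    !
    ! GRE tunnel; source/destination are the public peer addresses (placeholders)
    interface Tunnel0
     ip address 10.0.10.2 255.255.255.252
     tunnel source <CISCO_PUBLIC_IP>
     tunnel destination <PFSENSE_PUBLIC_IP>
     tunnel mode gre ip
     tunnel protection ipsec profile GRE-PROT
    ```

    The `tunnel protection` line binds the IPsec profile to the GRE interface, so the security association is negotiated between the tunnel source and destination addresses; if either of those is a private address behind NAT, as noted earlier in the thread, transport mode will not negotiate correctly.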



  • In order to get the spare public IP on the pfSense box, I am thinking of moving the outside interface into an L2 VLAN.
    However, my Cisco ASA is doing the PPPoE to the ISP; I am sensing that the routing from this secondary link isn't going to work. I could maybe use the pfSense box to do the PPPoE, couldn't I?