PIM and multicast routing on IPSec tunnel



  • Here is the Cisco example config from the remote party:
    ip multicast-routing
    crypto isakmp policy 2
     encr 3des
     hash md5
     authentication pre-share
    crypto isakmp key 123 address 1.7.129.10
    !
    crypto ipsec transform-set remotevpn esp-3des esp-md5-hmac
    !
    crypto map remotevpn 1 ipsec-isakmp
     set peer 1.7.129.10
     set transform-set remotevpn
     match address 100
    !
    interface Loopback0
     ip address 10.249.0.157 255.255.255.255
    !
    interface Tunnel0
     ip address 10.249.6.98 255.255.255.252
     ip pim sparse-mode
     tunnel source 10.249.0.157
     tunnel destination 10.249.254.1
    !
    interface fa0/0
     ip address 10.249.52.129 255.255.255.192
     ip pim sparse-mode
     duplex auto
     speed auto
     no cdp enable
    !
    interface fa0/1
     ip address 6.3.8.1 255.255.255.x
     crypto map remotevpn
     ip access-group 199 in
    !
    ip route 2.4.112.0 255.255.255.128 Tunnel0
    ip route 2.4.112.254 255.255.255.255 Tunnel0

    ip route 2.4.112.128 255.255.255.128 6.3.8.1
    ip route 10.249.254.1 255.255.255.255 6.3.8.1
    ip classless
    ip pim rp-address 2.4.112.254
    ip mroute 2.4.112.0 255.255.255.128 tunnel0
    ip mroute 2.4.112.254 255.255.255.255 tunnel0

    access-list 100 permit ip 10.249.52.128 0.0.0.63 2.4.112.0 0.0.0.255
    access-list 100 permit ip host 10.249.0.157 host 10.249.254.1

    access-list 199 permit ip host 10.249.254.1 host 10.249.0.157
    access-list 199 permit ip 2.4.112.0 0.0.0.255 10.249.52.128 0.0.0.63
    access-list 199 permit udp any any eq isakmp
    access-list 199 permit ahp any any
    access-list 199 permit esp any any


    Questions,

    1. How could I create the loopback0 and tunnel0 interfaces?
    2. Does pfSense support PIM and multicast routing?


    Remark,

    I am no longer able to test this one as the project has ended; I ended up using a Cisco router to connect instead of pfSense.
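The posted design only works as intended if two things line up: the GRE packets between the loopback and 10.249.254.1 must be routed out the interface carrying the crypto map and be matched by the crypto ACL (otherwise PIM and the multicast data leave the router as cleartext GRE), and RPF for the RP must resolve to the tunnel, which is what the static mroutes are for. The following script is an added example, not code from this thread, Cisco or pfSense: it parses a constructed config modelled on the posted one (the fa0/1 address and the 6.3.8.1 next hop are made-up values chosen so the routes resolve) and reports those two properties. It is a deliberately small model of IOS behaviour, not a reimplementation: ACL evaluation only looks for a matching permit and ignores deny ordering, and only the statements the check needs are parsed.

```python
"""Audit a Cisco-style config for PIM over a GRE tunnel carried inside IPsec. Added example,
not from this thread: does GRE to the far end exit via the crypto-map interface and match the
crypto ACL (else the multicast leaves as cleartext GRE), and which interface does RPF pick?
Constructed config in the style of the post (fa0/1 address and its next hop are made up)."""
import ipaddress

CONFIG = """\
crypto map remotevpn 1 ipsec-isakmp
 match address 100
interface Loopback0
 ip address 10.249.0.157 255.255.255.255
interface Tunnel0
 ip address 10.249.6.98 255.255.255.252
 tunnel source 10.249.0.157
 tunnel destination 10.249.254.1
interface FastEthernet0/1
 ip address 6.3.8.2 255.255.255.252
 crypto map remotevpn
ip route 2.4.112.128 255.255.255.128 6.3.8.1
ip route 10.249.254.1 255.255.255.255 6.3.8.1
ip pim rp-address 2.4.112.254
ip mroute 2.4.112.254 255.255.255.255 tunnel0
access-list 100 permit ip 10.249.52.128 0.0.0.63 2.4.112.0 0.0.0.255
access-list 100 permit ip host 10.249.0.157 host 10.249.254.1
"""

def _prefix(mask):                       # 255.255.255.192 -> 26; for a wildcard mask use 32 - _prefix()
    return bin(int(ipaddress.IPv4Address(mask))).count("1")

def _acl_operand(tok):
    """Consume one ACL source/destination operand: any | host A | A wildcard-mask."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{32 - _prefix(tok[1])}", strict=False), tok[2:]

def parse_config(text):
    cfg = {"interfaces": {}, "crypto_maps": {}, "acls": {}, "routes": [], "mroutes": [], "rp": None}
    section = None
    for raw in filter(str.strip, text.splitlines()):
        p = raw.split()
        if raw.startswith(" "):                              # sub-command of the open section
            kind, name = section or (None, None)
            if kind == "interface":
                d = cfg["interfaces"][name]
                if p[:2] == ["ip", "address"]:
                    d["address"] = ipaddress.ip_interface(f"{p[2]}/{_prefix(p[3])}")
                    cfg["routes"].append((d["address"].network, name))   # connected route
                elif p[0] == "tunnel":                       # tunnel source / tunnel destination
                    d["tunnel_" + p[1]] = p[2]
                elif p[:2] == ["crypto", "map"]:
                    d["crypto_map"] = p[2]
            elif kind == "crypto_map" and p[:2] == ["match", "address"]:
                cfg["crypto_maps"][name] = p[2]
            continue
        section = None
        if p[0] == "interface":
            cfg["interfaces"][p[1]], section = {}, ("interface", p[1])
        elif p[:2] == ["crypto", "map"]:
            section = ("crypto_map", p[2])
        elif p[0] == "access-list":                          # extended ACE; protocol defaults to ip
            proto, rest = ("ip", p[3:]) if p[3] in ("host", "any") or p[3][0].isdigit() else (p[3], p[4:])
            src, rest = _acl_operand(rest)
            dst, _ = _acl_operand(rest)
            cfg["acls"].setdefault(p[1], []).append((p[2], proto, src, dst))
        elif p[:2] in (["ip", "route"], ["ip", "mroute"]):
            cfg[p[1] + "s"].append((ipaddress.ip_network(f"{p[2]}/{_prefix(p[3])}", strict=False), p[4]))
        elif p[:3] == ["ip", "pim", "rp-address"]:
            cfg["rp"] = p[3]
    return cfg

def exit_interface(cfg, dest, table="routes", hops=4):
    """Longest-prefix match in the table; an IP next hop is resolved again through the unicast table."""
    dest = ipaddress.ip_address(dest)
    hits = sorted((net.prefixlen, nh) for net, nh in cfg[table] if dest in net)
    if not hits or hops == 0:
        return None
    nh = hits[-1][1]
    if nh[0].isdigit():
        return exit_interface(cfg, nh, "routes", hops - 1)
    return next((n for n in cfg["interfaces"] if n.lower() == nh.lower()), None)

def audit(text):
    cfg = parse_config(text)
    local = {d["address"].ip for d in cfg["interfaces"].values() if "address" in d}
    report = {}
    for name, t in cfg["interfaces"].items():
        if "tunnel_destination" in t:
            src, dst = ipaddress.ip_address(t["tunnel_source"]), ipaddress.ip_address(t["tunnel_destination"])
            out = exit_interface(cfg, t["tunnel_destination"])
            cmap = cfg["interfaces"].get(out, {}).get("crypto_map")
            acl = cfg["acls"].get(cfg["crypto_maps"].get(cmap), [])
            report[name] = {"source_is_local": src in local, "exit_interface": out,
                            "gre_matched_by_crypto_acl": any(a == "permit" and pr in ("ip", "gre")
                                                             and src in s and dst in d for a, pr, s, d in acl)}
    # IOS consults static mroutes before the unicast table when it builds the RPF check
    report["rpf_to_rp"] = exit_interface(cfg, cfg["rp"], "mroutes") or exit_interface(cfg, cfg["rp"])
    return report
```

Running `audit(CONFIG)` reports Tunnel0 as sourced from a local address, exiting via FastEthernet0/1 (the crypto-map interface) with the GRE endpoint pair matched by ACL 100, and RPF toward the RP resolving to Tunnel0. Deleting the `host ... host` entry from ACL 100 flips `gre_matched_by_crypto_acl` to False, which is exactly the cleartext-GRE failure the second ACE exists to prevent; deleting the mroute makes RPF fall back to the unicast route via fa0/1, so PIM joins would never enter the tunnel.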



  • PIM is NOT supported in pfSense. tunnel0 is just a GRE tunnel and pfSense does support that. PIM is supported in FreeBSD so I'm sure it could be implemented by pfSense at a later date if they choose to.



  • PIM would be fine, even though IGMP Proxy handles only one upstream … It is a problem in the case of VLANs where you might have more than one sender of multicast ...

