Netgate Discussion Forum

    PIM and multicast routing on IPSec tunnel

    • lkthomas

      Here is the Cisco example config from the remote party:
      ip multicast-routing
      crypto isakmp policy 2
      encr 3des
      hash md5
      authentication pre-share
      crypto isakmp key 123 address 1.7.129.10
      !
      crypto ipsec transform-set remotevpn esp-3des esp-md5-hmac
      !
      crypto map remotevpn 1 ipsec-isakmp
      set peer 1.7.129.10
      set transform-set remotevpn
      match address 100
      !
      interface Loopback0
      ip address 10.249.0.157 255.255.255.255
      !
      interface Tunnel0
      ip address 10.249.6.98 255.255.255.252
      ip pim sparse-mode
      tunnel source 10.249.0.157
      tunnel destination 10.249.254.1
      !
      interface fa0/0
      ip address 10.249.52.129 255.255.255.192
      ip pim sparse-mode
      duplex auto
      speed auto
      no cdp enable
      !
      interface fa0/1
      ip address 6.3.8.1 255.255.255.x
      crypto map remotevpn
      ip access-group 199 in
      !
      ip route 2.4.112.0 255.255.255.128 Tunnel0
      ip route 2.4.112.254 255.255.255.255 Tunnel0

      ip route 2.4.112.128 255.255.255.128 6.3.8.1
      ip route 10.249.254.1 255.255.255.255 6.3.8.1
      ip classless
      ip pim rp-address 2.4.112.254
      ip mroute 2.4.112.0 255.255.255.128  tunnel0
      ip mroute 2.4.112.254 255.255.255.255 tunnel0

      access-list 100 permit ip 10.249.52.128 0.0.0.63 2.4.112.0 0.0.0.255
      access-list 100 permit host 10.249.0.157 host 10.249.254.1

      access-list 199 permit host 10.249.254.1 host 10.249.0.157
      access-list 199 permit ip 2.4.112.0 0.0.0.255 10.249.52.128 0.0.0.63
      access-list 199 permit udp any any eq isakmp
      access-list 199 permit ahp any any
      access-list 199 permit esp any any


      Questions:

      1. How could I create the loopback0 and tunnel0 interfaces?
      2. Does pfSense support PIM and multicast routing?


      Remark:

      I am no longer able to test this one as the project has ended; I ended up using a Cisco router to connect instead of using pfSense.

      • djamp42

        PIM is NOT supported in pfSense. tunnel0 is just a GRE tunnel and pfSense does support that. PIM is supported in FreeBSD so I'm sure it could be implemented by pfSense at a later date if they choose to.

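Why the config in the first post runs PIM over Tunnel0 instead of straight through the crypto map, as an added example that is not part of any post in this thread: crypto ACL 100 selects only unicast flows, so a multicast packet is picked up by IPsec only after GRE gives it the loopback-to-loopback outer header. The parser, the function names and the reading of a missing protocol keyword as `ip` are assumptions of this sketch.

```python
import ipaddress

# Crypto ACL 100 from the first post; a missing protocol keyword is read as "ip" (assumption).
ACL_100 = """\
access-list 100 permit ip 10.249.52.128 0.0.0.63 2.4.112.0 0.0.0.255
access-list 100 permit host 10.249.0.157 host 10.249.254.1
"""
PROTOCOLS = {"ip", "gre", "udp", "tcp", "esp", "ahp", "pim"}

def _take_addr(tokens):
    """Consume one address spec from the token list; return (base, wildcard) as ints."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny [proto] src dst' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        action, rest = tokens[2], tokens[3:]
        proto = rest.pop(0) if rest[0] in PROTOCOLS else "ip"
        rules.append((action, proto, _take_addr(rest), _take_addr(rest)))
    return rules

def _hit(addr, base, wildcard):
    care = ~wildcard & 0xFFFFFFFF  # a 1 bit in a Cisco wildcard mask means "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def selected_for_ipsec(rules, proto, src, dst):
    """True if the first matching rule permits the packet; implicit deny otherwise."""
    for action, rule_proto, rule_src, rule_dst in rules:
        if rule_proto in ("ip", proto) and _hit(src, *rule_src) and _hit(dst, *rule_dst):
            return action == "permit"
    return False

RULES = parse_acl(ACL_100)
# PIM hello as Tunnel0 originates it: tunnel address to the ALL-PIM-ROUTERS group.
INNER_PIM = ("pim", "10.249.6.98", "224.0.0.13")
# The same hello once GRE has wrapped it: unicast between the tunnel source and destination.
GRE_WRAPPED = ("gre", "10.249.0.157", "10.249.254.1")

if __name__ == "__main__":
    for name, pkt in (("inner PIM", INNER_PIM), ("GRE-wrapped", GRE_WRAPPED)):
        print(f"{name:12} {pkt} -> selected for IPsec: {selected_for_ipsec(RULES, *pkt)}")
```

Only the second ACL entry matches the GRE outer header, so that single line is what lets PIM and the multicast data reach the crypto map at all.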
        • coliflower

          PIM would be fine even IGMP Proxy handles only one up-stream … It is a problem in case of VLANs where you might have more than one sender of multicast ...

          APU1D4 | pfSense 2.3.4 (amd64) | LAGG (LACP) <-> HP-1820-24G | pfBlockerNG | Suricata | WAN DOWN/UP 100/10

          • Worrellassa

            The PIM-DM protocol uses a flood-and-prune mechanism to build multicast trees.
            This mechanism works in an environment where the group members are densely distributed across all networks.
            When the group members are spread across different networks, most of the bandwidth is taken up by flooding, which can lead to poor performance.

            • Worrellassa

              If you doubt the work of other agencies, trust your gut feeling. As a rule, intuition is always right. The search took rather a long time at our company too, I have to admit. In the end we chose the web agency https://treestones.ch/agentur. Since then the matter has finally been settled. They do a great job and we can concentrate on other things. At the moment fuel prices are climbing unbelievably. We absolutely have to work out a strategy for our company cars.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.