Netgate Discussion Forum

    IPsec Interesting traffic problem

      al_tzamp

      Hello,

      I have run into a situation that has bothered me for some time now, and having narrowed it down to what I believe is the problem, I would like some help.

      I am trying to set up an IPsec-protected GRE tunnel between pfSense and a Cisco router.
      I have success when I apply the crypto map on the Cisco physical interface, but this is not what I want.

      I would like to have the IPsec profile on the GRE tunnel itself, what Cisco calls the Tunnel Protection feature, which is more flexible in terms of routing and leaves the physical interface unrestricted.
      What is different with this option is that you do not get to select the ACL for IPsec interesting traffic yourself; it is, somehow, auto-generated, because in this setup the interesting traffic is very specific. It is simply GRE traffic that uses the source and destination IP of the GRE tunnel interface (traffic first gets encapsulated in GRE and then gets encrypted).

      Configuring pfSense to match the Cisco setup, I reach the point where I have to set the interesting traffic for IPsec Phase 2, and there is my problem.

      Having tested this and extensively debugged it in a lab, my understanding is that I have to select only GRE traffic in the Phase 2 interesting traffic, but my choices are limited to IPv4 and IPv6. This results in Cisco deciding that there is no matching traffic selected on the other side of the IPsec tunnel, and it fails to establish the VPN.

      So here is the question:
      Is there a way that I can select only GRE traffic for my Phase 2 IPsec?

      Having found no answer about this around the internet my hopes lie with this forum.

      Thank you in advance!
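The selector the post describes (only GRE between the two tunnel endpoints, which is what Cisco tunnel protection derives on its own) can be written explicitly in strongSwan, the IKE daemon pfSense runs underneath its GUI. Below is an added example in swanctl.conf form, not taken from the post; the endpoint addresses, connection names and the PSK are placeholders, and nothing here claims the pfSense web interface exposes a protocol field for Phase 2 selectors.

```conf
# Constructed example: strongSwan swanctl.conf for a GRE-over-IPsec peer.
# 203.0.113.1 = local tunnel source, 198.51.100.1 = remote tunnel destination
# (placeholder documentation addresses, not the poster's network).
connections {
    gre-to-cisco {
        version      = 2
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.1
        proposals    = aes256-sha256-modp2048
        local {
            auth = psk
            id   = 203.0.113.1
        }
        remote {
            auth = psk
            id   = 198.51.100.1
        }
        children {
            gre {
                # Traffic selector limited to IP protocol 47 (GRE) between the
                # two tunnel endpoints only; "[47]" is accepted in place of "[gre]".
                local_ts      = 203.0.113.1/32[gre]
                remote_ts     = 198.51.100.1/32[gre]
                esp_proposals = aes256-sha256
                # Install a trap policy so the first GRE packet triggers the SA.
                start_action  = trap
            }
        }
    }
}

secrets {
    ike-cisco {
        id     = 198.51.100.1
        secret = "PLACEHOLDER-REPLACE-WITH-REAL-PSK"
    }
}
```

A mismatch between this selector and the one the Cisco side derives from its GRE interface addresses is exactly the "no matching traffic" failure the post describes, so both endpoint addresses must be the same ones configured as `tunnel source` and `tunnel destination` on the router.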

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.