IPsec Interesting traffic problem



  • Hello,

    I have run into a situation that has bothered me for some time now and having narrowed down to what I believe is the problem I would like some help.

    I am trying to setup an IPsec protected GRE Tunnel between PFSense and a Cisco Router.
    I have success when I apply the crypto map on the cisco physical interface, but this is not what I want.

    I would like to have the IPsec profile on the GRE Tunnel itself, what cisco calls Tunnel Protection feature, which is more flexible in terms of routing and leaves the physical interface unrestricted.
    What is different with this option is that you do not get to select the ACL for Ipsec  interesting traffic yourself but it is, somehow, auto generated, because in this setup the interesting traffic is very specific. It is simply GRE traffic that uses the source and destination IP of the GRE Tunnel interface (traffic first gets encapsulated to GRE and then gets encrypted)

    Configuring PFSense to match the cisco's setup I can reach to the point that I have to set the Interesting traffic for IPsec Phase2 and there is my problem.

    Having tested this and extensively debuged on a lab my understanding is that I have to select only GRE  traffic on the Phase2 interesting traffic but my choises are limitted to IPv4 and IPv6. This results to Cisco deciding that there is no matching traffic selected on the other side of the IPsec tunnel and fails to establish the VPN.

    So here is the question:
    Is there a way that I can select only GRE traffic for my phase2 IPsec.

    Having found no answer about this around the internet my hopes lie with this forum.

    Thank you in advance!


Log in to reply