IPSEC with GRE from pfsense to Cisco
-
Hello to all!
I have to build a tunnel from my pfsense (1.2.3RC1 built on Sat May 30 21:39:48 EDT 2009) to a Cisco router (no PIX) and, to make it complicated for me, with GRE.
My local config:
Subnet: 10.11.12.0/27
Local GW: DYN_pfsense*
Router address: 10.11.12.13

Config details I got for the remote side:
Remote GW: DYN_cisco*
Remote subnet: 192.168.1.0/24

* (Dyn-DNS address)
interface Tunnelxx
 ip unnumbered Loopbackxx
 keepalive 10 3
 tunnel source 10.0.5.1
 tunnel destination 10.0.4.1

interface Loopbackxx
 ip address 10.0.5.1 255.255.255.255

crypto isakmp key cryptokey address 0.0.0.0 0.0.0.0

crypto ipsec transform-set prop2 esp-3des esp-sha-hmac
crypto ipsec transform-set prop1 esp-3des esp-md5-hmac

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600

crypto isakmp policy 2
 encr 3des
 authentication pre-share

crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 lifetime 3600

crypto isakmp policy 22
 encr 3des
 authentication pre-share
 group 2

crypto dynamic-map rtpmap 40
 description Tunnel to pfsense
 set transform-set prop1
 set pfs group1
 match address DYN_pfsense
 reverse-route remote-peer 10.0.4.1

ip access-list extended DYN_pfsense
 permit gre host 10.0.5.1 host 10.0.4.1

So on my side I set up the same:
IF: WAN
No NAT-T
Local subnet: single host 10.0.4.1
Remote subnet: 10.0.5.1/32
Remote GW: DYN_cisco

Phase 1:
Negotiation: main
My identifier: 10.0.4.1
Enc: 3DES
Hash: MD5
DH key: 2 (1024bit)
Auth method: PSK
PSK: pre-share

Phase 2:
Protocol: ESP
Enc. algorithms: 3DES
Hash algo: SHA1, MD5
PFS key group: 1
Ping host: 10.0.5.1
Firewall rules added: ISAKMP, ESP, IPSEC NAT-T enabled from any to any
Firewall IPSEC rules added: Source 10.0.4.1 to 10.0.5.1 any any and Source 10.0.5.1 to 10.0.4.1 any any
Created a virtual IP: 10.0.4.1/32, Interface: LAN, Type: other (is that right?)

Diags: IPSEC only shows something under SPD:
10.0.5.1 10.0.4.1 ESP 87.79.1x.x - 87.79.2x.x
10.0.4.1 10.0.5.1 ESP 87.79.2x.x - 87.79.1x.x

The IPSEC logs didn't show anything useful, so I started it manually.
"racoon: INFO: unsupported PF_KEY message REGISTER" is the only "strange" thing.

racoon -ddd -F -f /var/etc/racoon.conf
2009-06-03 01:21:39: INFO: @(#)ipsec-tools 0.8-alpha20090525+natt (http://ipsec-tools.sourceforge.net)
2009-06-03 01:21:39: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
2009-06-03 01:21:39: INFO: Reading configuration from "/var/etc/racoon.conf"
2009-06-03 01:21:39: DEBUG: call pfkey_send_register for AH
2009-06-03 01:21:39: DEBUG: call pfkey_send_register for ESP
2009-06-03 01:21:39: DEBUG: call pfkey_send_register for IPCOMP
2009-06-03 01:21:39: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
2009-06-03 01:21:39: DEBUG: reading config file /var/etc/racoon.conf
2009-06-03 01:21:39: DEBUG2: lifetime = 3600
2009-06-03 01:21:39: DEBUG2: lifebyte = 0
2009-06-03 01:21:39: DEBUG2: encklen=0
2009-06-03 01:21:39: DEBUG2: p:1 t:1
2009-06-03 01:21:39: DEBUG2: 3DES-CBC(5)
2009-06-03 01:21:39: DEBUG2: MD5(1)
2009-06-03 01:21:39: DEBUG2: 1024-bit MODP group(2)
2009-06-03 01:21:39: DEBUG2: pre-shared key(1)
2009-06-03 01:21:39: DEBUG2:
2009-06-03 01:21:39: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2009-06-03 01:21:39: DEBUG: getsainfo params: loc='10.0.4.1' rmt='10.0.5.1' peer='NULL' client='NULL' id=0
2009-06-03 01:21:39: DEBUG2: parse successed.
2009-06-03 01:21:39: INFO: 10.11.12.13[500] used for NAT-T
2009-06-03 01:21:39: INFO: 10.11.12.13[500] used as isakmp port (fd=7)
2009-06-03 01:21:39: INFO: 10.11.12.13[4500] used for NAT-T
2009-06-03 01:21:39: INFO: 10.11.12.13[4500] used as isakmp port (fd=8)
2009-06-03 01:21:39: INFO: 127.0.0.1[500] used for NAT-T
2009-06-03 01:21:39: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
2009-06-03 01:21:39: INFO: 127.0.0.1[4500] used for NAT-T
2009-06-03 01:21:39: INFO: 127.0.0.1[4500] used as isakmp port (fd=10)
2009-06-03 01:21:39: INFO: 87.79.2x.x[500] used for NAT-T
2009-06-03 01:21:39: INFO: 87.79.2x.x[500] used as isakmp port (fd=11)
2009-06-03 01:21:39: INFO: 87.79.2x.x[4500] used for NAT-T
2009-06-03 01:21:39: INFO: 87.79.2x.x[4500] used as isakmp port (fd=12)
2009-06-03 01:21:39: DEBUG: pk_recv: retry[0] recv()
2009-06-03 01:21:39: DEBUG: get pfkey X_SPDDUMP message
2009-06-03 01:21:39: DEBUG2:
02120000 0a000100 03000000 c5430000 03000500 ff1b0000 10020000 0a702300
00000000 00000000 03000600 ff200000 10020000 0a70230d 00000000 00000000
02001200 01000100 05000000 00000000
2009-06-03 01:21:39: DEBUG: pk_recv: retry[0] recv()
2009-06-03 01:21:39: DEBUG: get pfkey X_SPDDUMP message
2009-06-03 01:21:39: DEBUG2:
02120000 0f000100 02000000 c5430000 03000500 ff200000 10020000 0a000504
00000000 00000000 03000600 ff200000 10020000 0a000401 00000000 00000000
07001200 02000100 08000000 00000000 28003200 02030440 10020000 574f3885
00000000 00000000 10020000 574f30bb 00000000 00000000
2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.0.5.4/32[0] 10.0.4.1/32[0] proto=any dir=in
2009-06-03 01:21:39: DEBUG: db :0x2853c118: 10.11.12.0/27[0] 10.11.12.13/32[0] proto=any dir=in
2009-06-03 01:21:39: DEBUG: pk_recv: retry[0] recv()
2009-06-03 01:21:39: DEBUG: get pfkey X_SPDDUMP message
2009-06-03 01:21:39: DEBUG2:
02120000 0a000100 01000000 c5430000 03000500 ff200000 10020000 0a70230d
00000000 00000000 03000600 ff1b0000 10020000 0a702300 00000000 00000000
02001200 01000200 06000000 00000000
2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.11.12.13/32[0] 10.11.12.0/27[0] proto=any dir=out
2009-06-03 01:21:39: DEBUG: db :0x2853c118: 10.11.12.0/27[0] 10.11.12.13/32[0] proto=any dir=in
2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.11.12.13/32[0] 10.11.12.0/27[0] proto=any dir=out
2009-06-03 01:21:39: DEBUG: db :0x2853c248: 10.0.5.1/32[0] 10.0.4.1/32[0] proto=any dir=in
2009-06-03 01:21:39: DEBUG: pk_recv: retry[0] recv()
2009-06-03 01:21:39: DEBUG: get pfkey X_SPDDUMP message
2009-06-03 01:21:39: DEBUG2:
02120000 0f000100 00000000 c5430000 03000500 ff200000 10020000 0a000401
00000000 00000000 03000600 ff200000 10020000 0a000504 00000000 00000000
07001200 02000200 07000000 00000000 28003200 02030340 10020000 574f30bb
00000000 00000000 10020000 574f3885 00000000 00000000
2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.0.4.1/32[0] 10.0.5.1/32[0] proto=any dir=out
2009-06-03 01:21:39: DEBUG: db :0x2853c118: 10.11.12.0/27[0] 10.11.12.13/32[0] proto=any dir=in
2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.0.4.1/32[0] 10.0.5.1/32[0] proto=any dir=out
2009-06-03 01:21:39: DEBUG: db :0x2853c248: 10.0.5.1/32[0] 10.0.4.1/32[0] proto=any dir=in
2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.0.4.1/32[0] 10.0.5.1/32[0] proto=any dir=out
2009-06-03 01:21:39: DEBUG: db :0x2853c378: 10.11.12.13/32[0] 10.11.12.0/27[0] proto=any dir=out

Now, at the remote side there is NO connect attempt seen, and what I see is that my pfsense router doesn't call the other side.
What is going wrong? Is there anything I did completely wrong?
Oh, I rebooted my pfsense after the config.

How do I have to set up the GRE tunnel correctly? In my opinion I have to add this "second" tunnel from my local subnet to the remote subnet. Can anyone give me a hint? Or is it perhaps not possible to create a GRE tunnel from pfsense to cisco?
I searched through the forum, the net and the docs without finding anything useful (for me) about this.
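An added diagnostic, not part of the original post and not pfSense or racoon code, that parses SPD lines in the format the racoon -ddd output above uses and a Cisco crypto ACL entry, then checks whether the two sides' selectors (addresses and protocol) agree. The sample lines are constructed from the values quoted in the post; note that the Cisco ACL restricts the policy to GRE while the racoon SPD entries carry proto=any.

```python
import re
from ipaddress import ip_network

# Constructed sample input: SPD lines in racoon's -ddd format and the
# crypto ACL entry from the Cisco side, both taken from the post above.
SPD_LOG = """\
2009-06-03 01:21:39: DEBUG: db :0x2853c248: 10.0.5.1/32[0] 10.0.4.1/32[0] proto=any dir=in
2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.0.4.1/32[0] 10.0.5.1/32[0] proto=any dir=out
2009-06-03 01:21:39: DEBUG: db :0x2853c118: 10.11.12.0/27[0] 10.11.12.13/32[0] proto=any dir=in
"""
CISCO_ACL = "permit gre host 10.0.5.1 host 10.0.4.1"

SPD_RE = re.compile(r"(\S+)/(\d+)\[\d+\] (\S+)/(\d+)\[\d+\] proto=(\S+) dir=(in|out)")
ACL_RE = re.compile(r"permit (\S+) host (\S+) host (\S+)")


def parse_spd(text):
    """Extract src, dst, proto and direction from racoon SPD dump lines."""
    entries = []
    for line in text.splitlines():
        m = SPD_RE.search(line)
        if m:
            entries.append({"src": ip_network(f"{m[1]}/{m[2]}"),
                            "dst": ip_network(f"{m[3]}/{m[4]}"),
                            "proto": m[5], "dir": m[6]})
    return entries


def parse_acl(line):
    """Extract proto, src and dst from a host-to-host extended ACL entry."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL syntax: {line}")
    return {"proto": m[1], "src": ip_network(f"{m[2]}/32"),
            "dst": ip_network(f"{m[3]}/32")}


def check_selectors(spd, acl):
    """Compare pfSense's outbound policy with the Cisco ACL. The ACL is written
    from the Cisco side, so src/dst are mirrored. Returns a list of findings;
    an empty list means no policy for the ACL's address pair exists at all."""
    findings = []
    for e in spd:
        if e["dir"] != "out" or e["src"] != acl["dst"] or e["dst"] != acl["src"]:
            continue
        if e["proto"] == acl["proto"]:
            findings.append(f"ok: {e['src']} -> {e['dst']} proto {e['proto']}")
        else:
            findings.append(f"proto mismatch: pfSense policy is proto={e['proto']}, "
                            f"Cisco ACL permits only {acl['proto']}")
    return findings


if __name__ == "__main__":
    for finding in check_selectors(parse_spd(SPD_LOG), parse_acl(CISCO_ACL)):
        print(finding)
```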