IPSEC with GRE from pfsense to Cisco



Hello to all!

I have to build a tunnel from my pfSense (1.2.3RC1 built on Sat May 30 21:39:48 EDT 2009) to a Cisco router (no PIX) and, to make it complicated for me, with GRE.

My local config:

    Subnet: 10.11.12.0/27
    Local GW: DYN_pfsense*
    Router-Address: 10.11.12.13

Config details I got for the remote side:

    remote GW: DYN_cisco*
    Remote subnet: 192.168.1.0/24

* (Dyn-DNS address)

    interface Tunnelxx
    ip unnumbered Loopbackxx
    keepalive 10 3
    tunnel source 10.0.5.1
    tunnel destination 10.0.4.1

    interface Loopbackxx
    ip address 10.0.5.1 255.255.255.255

    crypto isakmp key cryptokey address 0.0.0.0 0.0.0.0

    crypto ipsec transform-set prop2 esp-3des esp-sha-hmac
    crypto ipsec transform-set prop1 esp-3des esp-md5-hmac

    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 3600

    crypto isakmp policy 2
    encr 3des
    authentication pre-share

    crypto isakmp policy 3
    encr 3des
    hash md5
    authentication pre-share
    lifetime 3600

    crypto isakmp policy 22
    encr 3des
    authentication pre-share
    group 2

    crypto dynamic-map rtpmap 40
    Description Tunnel to pfsense
    set transform-set prop1
    set pfs group1
    match address DYN_pfsense
    reverse-route remote-peer 10.0.4.1

    ip access-list extended DYN_pfsense
    permit gre host 10.0.5.1 host 10.0.4.1

    So on my side I set up the same:

    IF: WAN
    no Nat-T
    local subnet: single host 10.0.4.1
    remote subnet: 10.0.5.1/32
    remote GW: DYN_cisco

    Phase 1:
    Negotiation: main
    My identifier: 10.0.4.1
    Enc: 3DES
    Hash: MD5
    DH key: 2 (1024bit)
    Auth-Method: PSK
    PSK: pre-share

    Phase 2:
    Protocol: ESP
    Enc. Algorithms: 3DES
    Hash-Algo: SHA1, MD5
    PFS key group: 1

    Ping host: 10.0.5.1

Firewall rules added: ISAKMP, ESP, IPsec NAT-T enabled from any to any
Firewall IPsec rules added: source 10.0.4.1 to 10.0.5.1 any/any and source 10.0.5.1 to 10.0.4.1 any/any
Created a virtual IP: 10.0.4.1/32, Interface: LAN, Type: other (is that right?)

Diagnostics: IPsec only shows something under SPD:
    10.0.5.1 10.0.4.1 ESP 87.79.1x.x - 87.79.2x.x
    10.0.4.1 10.0.5.1 ESP 87.79.2x.x - 87.79.1x.x

The IPsec logs didn't show anything useful, so I started it manually.
`racoon: INFO: unsupported PF_KEY message REGISTER` is the only "strange" thing

    racoon -ddd -F -f /var/etc/racoon.conf

    2009-06-03 01:21:39: INFO: @(#)ipsec-tools 0.8-alpha20090525+natt (http://ipsec-tools.sourceforge.net)
    2009-06-03 01:21:39: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    2009-06-03 01:21:39: INFO: Reading configuration from "/var/etc/racoon.conf"
    2009-06-03 01:21:39: DEBUG: call pfkey_send_register for AH
    2009-06-03 01:21:39: DEBUG: call pfkey_send_register for ESP
    2009-06-03 01:21:39: DEBUG: call pfkey_send_register for IPCOMP
    2009-06-03 01:21:39: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
    2009-06-03 01:21:39: DEBUG: reading config file /var/etc/racoon.conf
    2009-06-03 01:21:39: DEBUG2: lifetime = 3600
    2009-06-03 01:21:39: DEBUG2: lifebyte = 0
    2009-06-03 01:21:39: DEBUG2: encklen=0
    2009-06-03 01:21:39: DEBUG2: p:1 t:1
    2009-06-03 01:21:39: DEBUG2: 3DES-CBC(5)
    2009-06-03 01:21:39: DEBUG2: MD5(1)
    2009-06-03 01:21:39: DEBUG2: 1024-bit MODP group(2)
    2009-06-03 01:21:39: DEBUG2: pre-shared key(1)
    2009-06-03 01:21:39: DEBUG2:
    2009-06-03 01:21:39: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
    2009-06-03 01:21:39: DEBUG: getsainfo params: loc='10.0.4.1' rmt='10.0.5.1' peer='NULL' client='NULL' id=0
    2009-06-03 01:21:39: DEBUG2: parse successed.
    2009-06-03 01:21:39: INFO: 10.11.12.13[500] used for NAT-T
    2009-06-03 01:21:39: INFO: 10.11.12.13[500] used as isakmp port (fd=7)
    2009-06-03 01:21:39: INFO: 10.11.12.13[4500] used for NAT-T
    2009-06-03 01:21:39: INFO: 10.11.12.13[4500] used as isakmp port (fd=8)
    2009-06-03 01:21:39: INFO: 127.0.0.1[500] used for NAT-T
    2009-06-03 01:21:39: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
    2009-06-03 01:21:39: INFO: 127.0.0.1[4500] used for NAT-T
    2009-06-03 01:21:39: INFO: 127.0.0.1[4500] used as isakmp port (fd=10)
    2009-06-03 01:21:39: INFO: 87.79.2x.x[500] used for NAT-T
    2009-06-03 01:21:39: INFO: 87.79.2x.x[500] used as isakmp port (fd=11)
    2009-06-03 01:21:39: INFO: 87.79.2x.x[4500] used for NAT-T
    2009-06-03 01:21:39: INFO: 87.79.2x.x[4500] used as isakmp port (fd=12)
    2009-06-03 01:21:39: DEBUG: pk_recv: retry[0] recv()
    2009-06-03 01:21:39: DEBUG: get pfkey X_SPDDUMP message
    2009-06-03 01:21:39: DEBUG2:
    02120000 0a000100 03000000 c5430000 03000500 ff1b0000 10020000 0a702300
    00000000 00000000 03000600 ff200000 10020000 0a70230d 00000000 00000000
    02001200 01000100 05000000 00000000
    2009-06-03 01:21:39: DEBUG: pk_recv: retry[0] recv()
    2009-06-03 01:21:39: DEBUG: get pfkey X_SPDDUMP message
    2009-06-03 01:21:39: DEBUG2:
    02120000 0f000100 02000000 c5430000 03000500 ff200000 10020000 0a000504
    00000000 00000000 03000600 ff200000 10020000 0a000401 00000000 00000000
    07001200 02000100 08000000 00000000 28003200 02030440 10020000 574f3885
    00000000 00000000 10020000 574f30bb 00000000 00000000
    2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.0.5.4/32[0] 10.0.4.1/32[0] proto=any dir=in
    2009-06-03 01:21:39: DEBUG: db :0x2853c118: 10.11.12.0/27[0] 10.11.12.13/32[0] proto=any dir=in
    2009-06-03 01:21:39: DEBUG: pk_recv: retry[0] recv()
    2009-06-03 01:21:39: DEBUG: get pfkey X_SPDDUMP message
    2009-06-03 01:21:39: DEBUG2:
    02120000 0a000100 01000000 c5430000 03000500 ff200000 10020000 0a70230d
    00000000 00000000 03000600 ff1b0000 10020000 0a702300 00000000 00000000
    02001200 01000200 06000000 00000000
    2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.11.12.13/32[0] 10.11.12.0/27[0] proto=any dir=out
    2009-06-03 01:21:39: DEBUG: db :0x2853c118: 10.11.12.0/27[0] 10.11.12.13/32[0] proto=any dir=in
    2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.11.12.13/32[0] 10.11.12.0/27[0] proto=any dir=out
    2009-06-03 01:21:39: DEBUG: db :0x2853c248: 10.0.5.1/32[0] 10.0.4.1/32[0] proto=any dir=in
    2009-06-03 01:21:39: DEBUG: pk_recv: retry[0] recv()
    2009-06-03 01:21:39: DEBUG: get pfkey X_SPDDUMP message
    2009-06-03 01:21:39: DEBUG2:
    02120000 0f000100 00000000 c5430000 03000500 ff200000 10020000 0a000401
    00000000 00000000 03000600 ff200000 10020000 0a000504 00000000 00000000
    07001200 02000200 07000000 00000000 28003200 02030340 10020000 574f30bb
    00000000 00000000 10020000 574f3885 00000000 00000000
    2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.0.4.1/32[0] 10.0.5.1/32[0] proto=any dir=out
    2009-06-03 01:21:39: DEBUG: db :0x2853c118: 10.11.12.0/27[0] 10.11.12.13/32[0] proto=any dir=in
    2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.0.4.1/32[0] 10.0.5.1/32[0] proto=any dir=out
    2009-06-03 01:21:39: DEBUG: db :0x2853c248: 10.0.5.1/32[0] 10.0.4.1/32[0] proto=any dir=in
    2009-06-03 01:21:39: DEBUG: sub:0xbfbfe5f4: 10.0.4.1/32[0] 10.0.5.1/32[0] proto=any dir=out
    2009-06-03 01:21:39: DEBUG: db :0x2853c378: 10.11.12.13/32[0] 10.11.12.0/27[0] proto=any dir=out

Now, on the remote side there is NO connection attempt seen, and what I see is that my pfSense router doesn't call the other side.
What is going wrong? Is there anything I did completely wrong?
Oh, I rebooted my pfSense after configuring.

How do I set up the GRE tunnel correctly? In my opinion I have to add this "second" tunnel from my local subnet to the remote subnet. Can anyone give me a hint? Or is it perhaps not possible to create a GRE tunnel from pfSense to Cisco?
I searched through the forum, the net and the docs without finding anything useful (for me) about this.
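A way to read the `X_SPDDUMP` hex blocks that racoon prints with `-ddd`, like the ones in the log above, as an added example that is not part of the original post and is not code from racoon or pfSense: a decoder for PF_KEY v2 `SADB_X_SPDDUMP` messages in the FreeBSD layout (a 16-byte `sadb_msg`, then extensions whose length field counts 8-byte units: `sadb_address` for source and destination, and `sadb_x_policy` carrying zero or more `sadb_x_ipsecrequest` records with the tunnel endpoints). The struct layouts and constants are assumed from FreeBSD's `<net/pfkeyv2.h>` and `<netipsec/ipsec.h>`; integers are in host byte order, little-endian here as in the post's dumps. The two sample dumps are constructed for this example, using the post's selector addresses and RFC 5737 documentation addresses (192.0.2.1, 198.51.100.1) as tunnel endpoints. The `proto` byte of `sadb_address` is the field to compare against a Cisco crypto ACL that says `permit gre`: a GRE-only policy shows 47 there rather than 0xff (any).

```python
"""Decode PF_KEY SADB_X_SPDDUMP hex blocks as printed by racoon at debug level 2.

Added example with constructed sample data; layouts assumed from FreeBSD's
<net/pfkeyv2.h> and <netipsec/ipsec.h>. Integers are host byte order (little-endian).
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

SADB_X_SPDDUMP = 0x12            # racoon logs it as "get pfkey X_SPDDUMP message"
SADB_EXT_ADDRESS_SRC = 5
SADB_EXT_ADDRESS_DST = 6
SADB_X_EXT_POLICY = 18
AF_INET, AF_INET6 = 2, 28        # BSD sockaddr: sa_len, sa_family, then address data

IP_PROTOS = {255: "any", 1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}   # 47 is what "permit gre" needs
POLICY_TYPES = {0: "discard", 1: "none", 2: "ipsec"}
DIRECTIONS = {0: "any", 1: "in", 2: "out"}
IPSEC_PROTOS = {50: "esp", 51: "ah", 108: "ipcomp"}
MODES = {0: "any", 1: "transport", 2: "tunnel"}
LEVELS = {0: "default", 1: "use", 2: "require", 3: "unique"}


@dataclass
class IpsecRequest:
    proto: str
    mode: str
    level: str
    reqid: int
    tunnel_src: Optional[str] = None
    tunnel_dst: Optional[str] = None


@dataclass
class SpdEntry:
    src: str = ""
    src_prefix: int = 0
    dst: str = ""
    dst_prefix: int = 0
    proto: str = "any"
    policy: str = ""
    direction: str = ""
    policy_id: int = 0
    requests: List[IpsecRequest] = field(default_factory=list)

    def summary(self) -> str:
        """One line in the spirit of racoon's 'sub:'/'db:' lines and setkey -DP."""
        line = (f"{self.src}/{self.src_prefix} {self.dst}/{self.dst_prefix} "
                f"proto={self.proto} dir={self.direction} policy={self.policy} id={self.policy_id}")
        for r in self.requests:
            parts = [r.proto, r.mode]
            if r.mode == "tunnel":
                parts.append(f"{r.tunnel_src}-{r.tunnel_dst}")
            parts.append(f"{r.level}:{r.reqid}")
            line += " " + "/".join(parts)
        return line


def parse_sockaddr(buf: bytes, off: int):
    """Return (address string, sa_len) for the BSD sockaddr starting at buf[off]."""
    sa_len, family = buf[off], buf[off + 1]
    if family == AF_INET:                      # sockaddr_in: len, family, port, addr, zero pad
        return str(ipaddress.IPv4Address(buf[off + 4:off + 8])), sa_len
    if family == AF_INET6:                     # sockaddr_in6: len, family, port, flowinfo, addr
        return str(ipaddress.IPv6Address(buf[off + 8:off + 24])), sa_len
    raise ValueError(f"unsupported address family {family}")


def decode_spddump(hexdump: str) -> SpdEntry:
    buf = bytes.fromhex("".join(hexdump.split()))
    version, msgtype, err, _satype, msglen, _res, _seq, _pid = struct.unpack_from("<BBBBHHII", buf, 0)
    if version != 2 or msgtype != SADB_X_SPDDUMP:
        raise ValueError(f"not a PF_KEY v2 SPDDUMP message (version={version}, type={msgtype})")
    if err:
        raise ValueError(f"kernel reported errno {err}")
    if msglen * 8 != len(buf):
        raise ValueError(f"length field says {msglen * 8} bytes, dump has {len(buf)}")
    entry = SpdEntry()
    off = 16
    while off < len(buf):
        extlen, exttype = struct.unpack_from("<HH", buf, off)
        if extlen == 0:
            raise ValueError("zero-length extension")
        ext = buf[off:off + extlen * 8]
        if exttype in (SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST):
            proto, prefix = ext[4], ext[5]     # sadb_address_proto, sadb_address_prefixlen
            addr, _ = parse_sockaddr(ext, 8)
            if exttype == SADB_EXT_ADDRESS_SRC:
                entry.src, entry.src_prefix = addr, prefix
            else:
                entry.dst, entry.dst_prefix = addr, prefix
            entry.proto = IP_PROTOS.get(proto, str(proto))
        elif exttype == SADB_X_EXT_POLICY:
            ptype, pdir, _r, pid, _prio = struct.unpack_from("<HBBII", ext, 4)
            entry.policy = POLICY_TYPES.get(ptype, str(ptype))
            entry.direction = DIRECTIONS.get(pdir, str(pdir))
            entry.policy_id = pid
            roff = 16                          # sadb_x_ipsecrequest records follow; len is in bytes
            while roff < len(ext):
                rlen, rproto, mode, level, reqid = struct.unpack_from("<HHBBH", ext, roff)
                if rlen < 8:
                    raise ValueError("bad ipsecrequest length")
                req = IpsecRequest(IPSEC_PROTOS.get(rproto, str(rproto)), MODES.get(mode, str(mode)),
                                   LEVELS.get(level, str(level)), reqid)
                if mode == 2:                  # tunnel mode: two sockaddrs, the tunnel endpoints
                    req.tunnel_src, slen = parse_sockaddr(ext, roff + 8)
                    req.tunnel_dst, _ = parse_sockaddr(ext, roff + 8 + slen)
                entry.requests.append(req)
                roff += rlen
        off += extlen * 8
    return entry


# Constructed dumps in racoon's format (hex words). 1) 10.0.4.1/32 -> 10.0.5.1/32, proto any,
# outbound, ESP tunnel 192.0.2.1 -> 198.51.100.1, level unique, reqid 0x4001.
SAMPLE_IPSEC_OUT = """
02120000 0f000000 01000000 39300000 03000500 ff200000 10020000 0a000401
00000000 00000000 03000600 ff200000 10020000 0a000501 00000000 00000000
07001200 02000200 07000000 00000000 28003200 02030140 10020000 c0000201
00000000 00000000 10020000 c6336401 00000000 00000000
"""
# 2) 10.11.12.0/27 -> 10.11.12.13/32 inbound, policy "none" (bypass; no SA needed).
SAMPLE_BYPASS_IN = """
02120000 0a000000 02000000 39300000 03000500 ff1b0000 10020000 0a0b0c00
00000000 00000000 03000600 ff200000 10020000 0a0b0c0d 00000000 00000000
02001200 01000100 05000000 00000000
"""

if __name__ == "__main__":
    for dump in (SAMPLE_IPSEC_OUT, SAMPLE_BYPASS_IN):
        print(decode_spddump(dump).summary())
```

To use it on a real log, paste one complete dump (all the hex lines that follow a single `get pfkey X_SPDDUMP message`) into `decode_spddump`; the length check rejects a dump that was cut short. Note that a dump contains the kernel's actual addresses, including the tunnel endpoints in the `ipsecrequest` record, so decoding hex that was copied from a log may reveal more than the surrounding prose was edited to show.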

