Netgate Discussion Forum

    HOW TO configure GRE over IPSEC between 2 PFSENSE boxes

      wladikz

      Hello,

      I am trying to figure out how to configure GRE over IPSEC between two PFSENSE 2.0 boxes.
      The problem is the following:
      I have 2 PFSENSE 2.0 boxes with more than 20 different subnets behind them. I don't want to configure IPSEC with 400 phase 2 pairs on every box.

      The easiest way is to configure a GRE tunnel over IPSEC (I want to protect traffic between the two locations) and configure 20 routes
      on every side. I can't find any site, post, or other information on how to configure this setup in pfSense 2.0.

        wladikz

        Anyone????? ???

          Metu69salemi

          Haven't done IPSEC in pfSense yet, but isn't it possible to tell local and remote networks at each end of the tunnel, with a single tunnel?

            wladikz

            Has no one configured GRE over IPSEC?

              Metu69salemi

              Like I said previously, I haven't done this, but I would test it like this:

              Please know this: I don't have the equipment or even the possibility to test this answer.

              Add 2 aliases, vpnlocals and vpnremotes, or whatever you like to call them, and add the corresponding networks there; also add the gateway IPs.
              After that, create a firewall rule on WAN with these kinds of settings:

              Interface: WAN
              Protocol: GRE or ANY
              Source: VPNREMOTES
              Destination: VPNLOCALS

                jimp Rebel Alliance Developer Netgate

                It depends on what you mean by "GRE over IPsec", really. IPsec in tunnel mode is really using the GRE protocol under the hood, but with its SPD matching and whatnot going on.

                Now if you want to make your own separate GRE tunnel with IPsec, it works fine the way I've tested it out:

                Set up IPsec in transport mode between the WANs of the pfSense boxes
                Set up a GRE (or GIF) tunnel between the WAN IPs of the pfSense boxes

                And then do whatever else you like.

                Or if they're both pfSense, ditch IPsec and use OpenVPN and route that way. If you do a PKI site-to-site hub-and-spoke style setup, you only need to set up the routes on the main router and they can be pushed to the clients.

                http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!
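
The layout described in the answer above (IPsec in transport mode between the WAN addresses, a GRE tunnel between the same addresses, then routes), as an added example that is not part of the thread and not pfSense's own configuration. It prints FreeBSD-level `setkey`, `ifconfig` and `route` equivalents (on pfSense these settings are made in the GUI); all addresses are constructed sample values, and key exchange (IKE) is assumed to be configured separately.

```shell
#!/bin/sh
# Added example: prints FreeBSD-level commands for one GRE tunnel protected by
# IPsec transport mode. It only prints text; nothing is applied to the system.
# All addresses are constructed (RFC 5737 / RFC 1918) sample values.

LOCAL_WAN=192.0.2.1        # constructed: WAN IP of this box
REMOTE_WAN=198.51.100.1    # constructed: WAN IP of the peer
LOCAL_TUN=10.255.0.1       # constructed: inner GRE address, this end
REMOTE_TUN=10.255.0.2      # constructed: inner GRE address, peer end

# Tunnel-mode IPsec needs one phase 2 entry per local/remote subnet pair.
phase2_pairs() { echo $(( $1 * $2 )); }

# Transport mode: a single in/out policy pair matching only GRE (IP protocol 47)
# between the two WAN addresses. "require" means GRE is never sent in clear.
spd_policy() {
    printf 'spdadd %s/32 %s/32 gre -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s/32 %s/32 gre -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# GRE endpoints are the same WAN addresses the policy above protects.
gre_tunnel() {
    printf 'ifconfig gre0 create\n'
    printf 'ifconfig gre0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gre0 inet %s %s netmask 255.255.255.252 up\n' "$3" "$4"
}

# One static route per remote subnet, all pointing at the peer's inner address.
gre_routes() {
    gw=$1; shift
    for net in "$@"; do
        printf 'route add -net %s %s\n' "$net" "$gw"
    done
}

# Constructed remote subnets (the thread mentions more than 20; three shown).
REMOTE_NETS="10.20.1.0/24 10.20.2.0/24 10.20.3.0/24"

echo "# tunnel mode would need $(phase2_pairs 20 20) phase 2 entries"
echo "# setkey -c input (one policy pair, however many subnets):"
spd_policy "$LOCAL_WAN" "$REMOTE_WAN"
echo "# interface and routes:"
gre_tunnel "$LOCAL_WAN" "$REMOTE_WAN" "$LOCAL_TUN" "$REMOTE_TUN"
gre_routes "$REMOTE_TUN" $REMOTE_NETS
```

The peer needs the mirror image: WAN and inner addresses swapped, and routes for the subnets behind this box.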

                  wladikz

                  I'll try it tomorrow in the lab. Basically I want to set up GRE over IPsec between pfSense 2.0 and a Juniper SSG. As I wrote, I have more than 20 subnets behind every FW and tunnel setup is almost impossible, and this is why I need to find a way to set it up.

                    jimp Rebel Alliance Developer Netgate

                    Then you should be able to do that with IPsec in transport mode + a GRE tunnel + some routes. No idea how that would work on the Juniper side, but pfSense should handle it fine.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.