Pfsense/gre, cisco ASA 5505, IPsec



The setup is:

    pfSense 2.0 <-> ASA 5505 <-> internet <-> VPN device

The pfSense box also has another internet connection that the local subnet uses. The ASA public access is strictly for the VPN. Only VPN traffic is routed through the interface from the router to the ASA.

NAT and IPsec are handled well by the ASA; the IPsec tunnel is operational, and the location we are trying to connect to says everything looks good on their end, but we have to terminate a GRE tunnel on our end. I've been tasked with terminating the tunnel on the pfSense box; this is the only option available to me. I don't know if the ASA can handle GRE tunnels, and even if it can, I'm not allowed to do it there. I'm told by my superiors that it does pass the GRE. I will be allowed to set up some NAT and ACL rules on the ASA, but the tunnel must terminate on the pfSense box.

I received a degree in network administration 2 years ago and haven't worked in the field since. My skills and technical knowledge are rusty, but coming back to me. My experience with VPNs is nil, but I have been reading up on them and have a grasp of general IPsec + GRE operation.

The company we are setting up the VPN with assures me I can terminate the GRE after the ASA. They are the network we are trying to connect to. They have set up the addressing and sent us the setup specifications. Anything at the remote site is set in stone.

I have all the addressing I need to set up the GRE.
pfSense asks for:

- Parent interface: I've set this to the interface connecting to the ASA
- GRE remote address: this I have set to the remote public IP, but I'm not sure that is the correct procedure
- GRE tunnel local address: currently I have this set to 192.168.1.65 and have set up a NAT rule on the ASA to translate it to the assigned address for our GRE tunnel endpoint
- GRE remote tunnel address: this I have set to the assigned address we received for the GRE remote tunnel endpoint

Now I'm stuck.

I've looked for solutions online, and from what I've seen I need to do some of the following, but when I try, nothing works:

- create a routable GRE interface - wasn't pingable
- route packets through the GRE tunnel - how?

Don't flame me too hard; I'm a fairly intelligent individual, but I'm slightly in over my head due to my lack of VPN experience.

Any help would be greatly appreciated.

