Shared IP – IPSec and GRE PPTP --



  • Quick question –-

    Have a functional IPSec on one of 5 Static Addresses, now client also wants to port forward GRE and PPTP to an internal MS Windows box on that same IP.  I know the PPTP is not going to be an issue but would the IPSec tunnel conflict with a GRE port forward?

    TIA --



  • IPSec and PPTP can co-exist on the same IP address.

    Cisco supports something called "GRE over IPSec". Here, the GRE traffic is hidden inside the IPSec tunnel. No problem there.

    However, Cisco also has a protocol which is something like "GRE over IPSec over GRE". This will probably prevent IPSec/PPTP co-existence on the same IP address. Of course, there's little reason for choosing such an exotic IPSec configuration - unless someone is fond of the Cisco way of doing things in the most complex way. ;-)

    • Klaus


  • Hello Klaus,

    I've been trying GRE over IPSEC to a Cisco, but I always failed in some way: The IPSEC tunnel was created, the GRE over IPSEC went up too, but data was always transferred via the standard-gateway WAN, which was wrong. So my question: Did you get this working in tunnel mode? The Cisco at the other side wants it in tunnel mode, not transport mode. Could this be my misunderstanding that in transport mode (at pfSense side) it will work with the Cisco? Could you give an example how to connect in tunnel mode? Or does the Cisco have to be reconfigured eventually?
    It would be nice to have a howto.



  • @Phonebuff:

    I know the PPTP is not going to be an issue but would the IPSec tunnel conflict with a GRE port forward ?

    GRE is a protocol, not a port.  Provided you permit GRE ingress, the mapping should be handled by NAPT.

    I have to admit that I've never had a PPTP server behind pfSense (pfS does the VPN thing very well all by itself), but from my experience of this on Cisco AdvSec/K9 installations: Port forward 1723 from the WAN IP to the internal PPTP server and GRE pass any-to-LAN on the WAN ingress rules.

    Hope that helps


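Why IPSec and a PPTP forward can share one WAN address, as an added example that is not part of any post above: inbound packets are separated by IP protocol number first, and by port only for TCP and UDP. The function names and labels are illustrative, the sample packets are constructed, and the ESP/AH protocol numbers and IKE/NAT-T ports (UDP 500/4500) are standard values not stated in the thread.

```python
import struct

# IANA IP protocol numbers: GRE has no ports, so it is matched on protocol alone.
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51

def classify(packet: bytes) -> str:
    """Decide which service an inbound IPv4 packet on the shared WAN IP belongs to."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (packet[0] & 0x0F) * 4               # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "drop: bad header length"
    proto = packet[9]
    if proto in (ESP, AH):
        return "firewall-ipsec"                # tunnel payload, terminated on the firewall
    if proto == GRE:
        return "forward-pptp"                  # PPTP data channel, passed to the internal server
    if proto in (TCP, UDP):
        if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
            return "drop: non-first fragment"  # no L4 header to inspect
        if len(packet) < ihl + 4:
            return "drop: truncated L4 header"
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if proto == UDP and dport in (500, 4500):
            return "firewall-ipsec"            # IKE and NAT-T
        if proto == TCP and dport == 1723:
            return "forward-pptp"              # PPTP control channel
    return "drop: no rule"

def ipv4(proto: int, l4: bytes = b"") -> bytes:
    """Build a constructed sample IPv4 packet (documentation addresses, checksum 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10]))
    return hdr + l4

def ports(sport: int, dport: int) -> bytes:
    """First four bytes of a TCP or UDP header: source and destination port."""
    return struct.pack("!HH", sport, dport)

if __name__ == "__main__":
    samples = {"ESP": ipv4(ESP), "GRE": ipv4(GRE),
               "TCP/1723": ipv4(TCP, ports(40000, 1723)),
               "UDP/500": ipv4(UDP, ports(500, 500)),
               "TCP/443": ipv4(TCP, ports(40000, 443))}
    for name, pkt in samples.items():
        print(f"{name:9s} -> {classify(pkt)}")
```

Because GRE is matched on protocol number only, one rule claims all inbound GRE on that address; a GRE tunnel terminating on the firewall itself, as in the outer-GRE setup mentioned in the second post, would compete with the PPTP forward.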