    Cisco GRE IPSEC Transport NAT

    9 Posts 5 Posters 3.7k Views
      xtropx

      Can this be done with pfsense?

      (HOST) >> (pfsense) | NAT | >> internet << | NAT | (CISCO) << (HOST)
                                  |–----IPSEC TRANSPORT-------|
                                    |------------GRE------------

      I have the GRE tunnel up and has been working for months. Putting IPSEC in transport always breaks it, and I have been staring at logs & debugs for days now. Time to ask if what I am trying to accomplish is even possible. Note that I have AH configured just for testing. I've tried just about every variation in configuration in an attempt to get a stable tunnel.

      Cisco

      crypto isakmp policy 1
       encr 3des
       hash md5
       authentication pre-share
       group 2
      crypto isakmp key <secretkey> address <remote wan ip>
      !
      ! AH only, transport mode (test configuration, as noted above)
      crypto ipsec transform-set TS ah-md5-hmac
       mode transport
      !
      crypto ipsec profile protect-gre
       set security-association lifetime seconds 86400
       set transform-set TS
      !
      interface Tunnel1
       ip address 172.16.254.9 255.255.255.252
       tunnel source <local wan ip>
       tunnel destination <remote wan ip>
       tunnel protection ipsec profile protect-gre

      Pfsense

      Relevant debug info can be provided. I wanted to keep this post short. I am on the latest 2.1-BETA1 AMD64 8.3-RELEASE-P5.

      Regards,

      xtropx

        xtropx

        BUMP.
        Someone has to know…

        Regards,

        xtropx

          Sacrilegious

          Did you ever get this working? I have tried without success with tunnel protection on the Cisco side. I have a sneaky suspicion that I need a crypto map on the WAN interface matching the source and destination WAN addresses, which I cannot do, as I need to use a loopback interface, as well as not wanting a crypto map on a major transit interface.

          I was getting a phase 2 policy mismatch; tempted to have a crack straight from the racoon backend.

          Will do some more labbing.

          Neil

            Sacrilegious

            I have this working with a crypto map on the WAN side protecting the source/destination public addresses used for GRE. When you read other vendors' GRE+IPsec -> Cisco guides it seems to be the standard config:

            IOU1#show run
            Building configuration...
            
            Current configuration : 2959 bytes
            !
            ! Last configuration change at 10:29:03 UTC Wed Dec 31 2014
            !
            version 15.4
            service timestamps debug datetime msec
            service timestamps log datetime msec
            no service password-encryption
            !
            hostname IOU1
            !
            boot-start-marker
            boot-end-marker
            !
            aqm-register-fnf
            !
            vrf definition DIA
            !
            vrf definition Transit-Cogent
             rd 1:1
             route-target export 1:1
             route-target import 1:1
             !
             address-family ipv4
             exit-address-family
            !
            !
            no aaa new-model
            mmi polling-interval 60
            no mmi auto-configure
            no mmi pvc
            mmi snmp-timeout 180
            no ip icmp rate-limit unreachable
            !
            !
            !
            !
            !
            !
            
            !
            !
            !
            !
            no ip domain lookup
            ip cef
            no ipv6 cef
            !
            multilink bundle-name authenticated
            !
            !
            !
            !
            !
            !
            !
            !
            !
            redundancy
            !
            !
            ip tcp synwait-time 5
            !
            crypto keyring Remote-Workers vrf Transit-Cogent
              pre-shared-key address 1.1.1.2 key cisco
            !
            !
            !
            !
            crypto isakmp policy 10
             encr aes 256
             authentication pre-share
             group 5
            crypto isakmp profile Remote-Workers
               keyring Remote-Workers
               match identity address 1.1.1.2 255.255.255.255 Transit-Cogent
               isakmp authorization list default
            !
            !
            crypto ipsec transform-set Test esp-aes 256 esp-sha-hmac
             mode transport
            !
            !
            !
            crypto map Remote-Workers 10 ipsec-isakmp
             set peer 1.1.1.2
             set transform-set Test
             set isakmp-profile Remote-Workers
             match address Remote-Workers
            !
            !
            !
            !
            !
            interface Tunnel0
             ip address 10.173.0.1 255.255.255.252
             tunnel source 1.1.1.1
             tunnel destination 1.1.1.2
             tunnel vrf Transit-Cogent
            !
            interface Ethernet0/0
             vrf forwarding Transit-Cogent
             ip address 1.1.1.1 255.255.255.252
             ip access-group Public in
             crypto map Remote-Workers
            !
            interface Ethernet0/1
             no ip address
             shutdown
            !
            interface Ethernet0/2
             no ip address
             shutdown
            !
            interface Ethernet0/3
             no ip address
             shutdown
            !
            interface Ethernet1/0
             no ip address
             shutdown
            !
            interface Ethernet1/1
             no ip address
             shutdown
            !
            interface Ethernet1/2
             no ip address
             shutdown
            !
            interface Ethernet1/3
             no ip address
             shutdown
            !
            interface Serial2/0
             no ip address
             shutdown
             serial restart-delay 0
            !
            interface Serial2/1
             no ip address
             shutdown
             serial restart-delay 0
            !
            interface Serial2/2
             no ip address
             shutdown
             serial restart-delay 0
            !
            interface Serial2/3
             no ip address
             shutdown
             serial restart-delay 0
            !
            interface Serial3/0
             no ip address
             shutdown
             serial restart-delay 0
            !
            interface Serial3/1
             no ip address
             shutdown
             serial restart-delay 0
            !
            interface Serial3/2
             no ip address
             shutdown
             serial restart-delay 0
            !
            interface Serial3/3
             no ip address
             shutdown
             serial restart-delay 0
            !
            ip forward-protocol nd
            !
            !
            no ip http server
            no ip http secure-server
            !
            ip access-list extended Public
             permit udp any any eq isakmp
             permit esp any any
             deny   ip any any log
            ip access-list extended Remote-Workers
             permit ip host 1.1.1.1 host 1.1.1.2
            !
            !

            Most people can ignore the VRF syntax.

            Will now have another crack at tunnel protection.

            Regards, Neil

            ![PFSENSE GRE CFG.png](/public/imported_attachments/1/PFSENSE GRE CFG.png)
            ![PFSENSE IPSEC Ph 1.png](/public/imported_attachments/1/PFSENSE IPSEC Ph 1.png)
            ![PFSENSE IPSEC Ph 2.png](/public/imported_attachments/1/PFSENSE IPSEC Ph 2.png)

              Sacrilegious

              The above method seems the only way to configure IPsec GRE.

              Might try again with 2.2 & Strongswan

              Neil

                doktornotor

                @Sacrilegious:

                The above method seems the only way to configure IPsec GRE.

                Sadly, 2/3 screenshots are totally useless due to extremely poor resolution :(

                  Sacrilegious

                  @doktornotor:

                  @Sacrilegious:

                  The above method seems the only way to configure IPsec GRE.

                  Sadly, 2/3 screenshots are totally useless due to extremely poor resolution :(

                  Lol, didn't check that. It actually took more time getting and cropping those, due to using a VM, than the lab... doh.

                  will boot up and use the snip tool tomorrow,

                  Neil

                    eri--

                    This should work properly on 2.2, mostly due to transport-mode fixes in the kernel.

                      al_tzamp

                      Hmm,

                      Seems this is similar to my problem… https://forum.pfsense.org/index.php?topic=134812.msg738845#msg738845

                      Well, here is my, late, contribution to this thread:

                      1. A crypto map does the trick with transport mode.
                      2. A crypto map with tunnel mode works only if a crypto access list matching the one on pfSense is applied to the Cisco map (restricted to IPv4 or IPv6 range selection).
                      3. If an "IPsec Profile" on the Tunnel interface (Tunnel Protection) is used instead of a crypto map on the physical interface, then the auto-generated crypto access list on the Cisco selects only GRE protocol traffic instead of IP. This has no chance of matching the IP protocol traffic selection on the pfSense side, and this is why I believe the Tunnel Protection Cisco config fails. This can be verified on the Cisco side using the commands:
                      "debug crypto ipsec"
                      "show crypto ipsec sa"
                      (the command "debug crypto isakmp" will show that although the phase 2 attributes are accepted, the proposal is rejected with "No_Proposal_Chosen". The reason can be found in the output of the "debug crypto ipsec" command.)
                      4. Not sure if Tunnel Protection can work with transport mode between Cisco and pfSense. Will be happy to try once "3" is solved.

                      This is why I am asking for a way to configure pfSense so that I can select only GRE protocol traffic instead of IP as IPsec phase 2 interesting traffic. This will also make it possible to narrow down the selection of packets to be encrypted by IPsec on the pfSense WAN interface to GRE and allow WAN-sourced non-GRE packets to leave the interface unencrypted.

                      Would be nice to see this in a future update: more options for selecting IPsec interesting traffic.

                      Until then... Is there a way to tweak the pfSense configuration file to achieve this?

                      Regards,

                      Alexandros

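Added example, written for this page and not code from the thread, from pfSense or from strongSwan, to make al_tzamp's point 3 checkable without a lab. The Cisco "tunnel protection" profile derives a crypto ACL equivalent to `permit gre host A host B`, so the identities it will accept carry protocol 47; a pfSense phase 2 of "Network 1.1.1.2/32 <-> 1.1.1.1/32" proposes protocol 0 (any IP). IKEv1 quick mode has no selector narrowing and IOS refuses proxy identities its ACL does not cover, which is the `No_Proposal_Chosen` seen in the debugs. Sacrilegious's working crypto map matches for the same reason in reverse: its ACL is `permit ip host 1.1.1.1 host 1.1.1.2`, protocol any, mirroring what pfSense sends. The script parses the `local ident`/`remote ident` lines of `show crypto ipsec sa` (the line format is real IOS output, the excerpt itself is constructed to match the IOU1 config above), compares them field by field against a pfSense phase 2 written in strongSwan `leftsubnet` syntax, and emits the `ipsec.conf` override that would answer al_tzamp's question. Assumptions: strongSwan's `[proto]` / `[proto/port]` subnet suffix, which the pfSense GUI of the thread's era does not expose; ESP rather than AH, because AH authenticates the outer IP addresses and NAT-T exists only for ESP, so the AH transform set in the first post cannot survive the NAT in its diagram. The comparison generalizes beyond GRE to any protocol/port selector.

```python
#!/usr/bin/env python3
"""Added example (not from the thread, pfSense or strongSwan): model the IKEv1
quick-mode proxy-identity check described in al_tzamp's point 3.  Cisco
'tunnel protection' identities carry protocol 47 (GRE); a pfSense 'Network'
phase 2 proposes protocol 0 (any), and IOS refuses the mismatch."""
import ipaddress
import re
from dataclasses import dataclass

PROTO_BY_NAME = {"ip": 0, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}


@dataclass(frozen=True)
class Selector:
    """One IPsec traffic selector / proxy identity."""
    network: ipaddress.IPv4Network
    proto: int = 0  # 0 = any protocol
    port: int = 0   # 0 = any port


# Real IOS line format from 'show crypto ipsec sa', e.g.
#   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((\d+(?:\.\d+){3})/(\d+(?:\.\d+){3})/(\d+)/(\d+)\)"
)


def parse_cisco_idents(show_output):
    """Return {'local': Selector, 'remote': Selector} from 'show crypto ipsec sa'."""
    idents = {}
    for side, addr, mask, proto, port in IDENT_RE.findall(show_output):
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        idents[side] = Selector(net, int(proto), int(port))
    return idents


def parse_strongswan_subnet(spec):
    """Parse a strongSwan left/rightsubnet value such as '1.1.1.2/32[gre]'
    (protocol by name or number, optional /port; no suffix = any protocol)."""
    m = re.fullmatch(r"([\d.]+(?:/\d+)?)(?:\[([a-z]+|\d+)(?:/(\d+))?\])?", spec)
    if not m:
        raise ValueError(f"unparseable subnet spec: {spec}")
    tok = m.group(2)
    proto = 0 if tok is None else (int(tok) if tok.isdigit() else PROTO_BY_NAME[tok])
    port = int(m.group(3)) if m.group(3) else 0
    return Selector(ipaddress.IPv4Network(m.group(1), strict=False), proto, port)


def quick_mode_mismatches(pf_local, pf_remote, cisco):
    """pfSense's local identity must equal Cisco's remote one and vice versa
    (IKEv1 has no narrowing).  Empty list means the SA would be negotiated."""
    pairs = (("pfSense local / Cisco remote", pf_local, cisco["remote"]),
             ("pfSense remote / Cisco local", pf_remote, cisco["local"]))
    reasons = []
    for label, a, b in pairs:
        for field in ("network", "proto", "port"):
            if getattr(a, field) != getattr(b, field):
                reasons.append(f"{label}: {field} {getattr(a, field)} != {getattr(b, field)}")
    return reasons


def strongswan_conn(name, pf_wan, cisco_wan, proto="gre"):
    """ipsec.conf conn proposing only `proto` between the two WAN addresses in
    transport mode.  Assumption: strongSwan's '[proto]' subnet suffix, which
    would be applied outside the pfSense GUI."""
    return (f"conn {name}\n    keyexchange=ikev1\n    type=transport\n"
            f"    left={pf_wan}\n    leftsubnet={pf_wan}/32[{proto}]\n"
            f"    right={cisco_wan}\n    rightsubnet={cisco_wan}/32[{proto}]\n"
            "    auto=start")


# Constructed sample, shaped like 'show crypto ipsec sa' on the IOU1 router above.
SAMPLE_SHOW = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1

   protected vrf: Transit-Cogent
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.2/255.255.255.255/47/0)
   current_peer 1.1.1.2 port 500
"""


def diagnose(pf_local_spec, pf_remote_spec, show_output=SAMPLE_SHOW):
    """Compare a pfSense phase 2 (strongSwan subnet syntax) with the Cisco SA."""
    return quick_mode_mismatches(parse_strongswan_subnet(pf_local_spec),
                                 parse_strongswan_subnet(pf_remote_spec),
                                 parse_cisco_idents(show_output))


if __name__ == "__main__":
    for r in diagnose("1.1.1.2/32", "1.1.1.1/32"):  # GUI "Network" phase 2, proto any
        print("mismatch:", r)
    print("gre-only:", diagnose("1.1.1.2/32[gre]", "1.1.1.1/32[gre]"))
    print(strongswan_conn("cisco-gre", "1.1.1.2", "1.1.1.1"))
</test>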
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.