Cisco GRE IPSEC Transport NAT



  • Can this be done with pfsense?

    (HOST) >> (pfsense) | NAT | >> internet << | NAT | (CISCO) << (HOST)
                                |–----IPSEC TRANSPORT-------|
                                  |------------GRE------------

    I have the GRE tunnel up and has been working for months. Putting IPSEC in transport always breaks it, and I have been staring at logs & debugs for days now. Time to ask if what I am trying to accomplish is even possible. Note that I have AH configured just for testing. I've tried just about every variation in configuration in an attempt to get a stable tunnel.

    Cisco
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key <secretkey>address <remote wan="" ip="">!
    !
    crypto ipsec transform-set TS ah-md5-hmac
    mode transport
    !
    crypto ipsec profile protect-gre
    set security-association lifetime seconds 86400
    set transform-set TS

    interface Tunnel1
    ip address 172.16.254.9 255.255.255.252
    tunnel source <local wan="" ip="">tunnel destination <remote wan="" ip="">tunnel protection ipsec profile protect-gre

    Pfsense

    Relevant debug info can be provided. I wanted to keep this post short. I am on the latest 2.1-BETA1 AMD64 8.3-RELEASE-P5</remote></local></remote></secretkey>



  • BUMP.
    Someone has to know…



  • Did you ever get this working, I have tried without success with tunnel protection on the Cisco side, I have a sneaky suspicion that I need a crypto map on the wan interface matching the source and destination wan addresses. Which I  cannot do as I need to use a loopback interface, as well as not wanting a crypto map on a major transit interface.

    I was getting phase 2 policy mismatch, tempted to have a crack straight from the raccoon backend.

    Will do some more labbing.

    Neil



  • I have this working with Crypto-map on the WAN side protecting source / destination public addresses used for GRE. when you read other vendors GRE+IPSEC -> Cisco it seems to be the standard cfg:

    IOU1#show run
    Building configuration...
    
    Current configuration : 2959 bytes
    !
    ! Last configuration change at 10:29:03 UTC Wed Dec 31 2014
    !
    version 15.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname IOU1
    !
    boot-start-marker
    boot-end-marker
    !
    aqm-register-fnf
    !
    vrf definition DIA
    !
    vrf definition Transit-Cogent
     rd 1:1
     route-target export 1:1
     route-target import 1:1
     !
     address-family ipv4
     exit-address-family
    !
    !
    no aaa new-model
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no ip icmp rate-limit unreachable
    !
    !
    !
    !
    !
    !
    
    !
    !
    !
    !
    no ip domain lookup
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    !
    !
    redundancy
    !
    !
    ip tcp synwait-time 5
    !
    crypto keyring Remote-Workers vrf Transit-Cogent
      pre-shared-key address 1.1.1.2 key cisco
    !
    !
    !
    !
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 5
    crypto isakmp profile Remote-Workers
       keyring Remote-Workers
       match identity address 1.1.1.2 255.255.255.255 Transit-Cogent
       isakmp authorization list default
    !
    !
    crypto ipsec transform-set Test esp-aes 256 esp-sha-hmac
     mode transport
    !
    !
    !
    crypto map Remote-Workers 10 ipsec-isakmp
     set peer 1.1.1.2
     set transform-set Test
     set isakmp-profile Remote-Workers
     match address Remote-Workers
    !
    !
    !
    !
    !
    interface Tunnel0
     ip address 10.173.0.1 255.255.255.252
     tunnel source 1.1.1.1
     tunnel destination 1.1.1.2
     tunnel vrf Transit-Cogent
    !
    interface Ethernet0/0
     vrf forwarding Transit-Cogent
     ip address 1.1.1.1 255.255.255.252
     ip access-group Public in
     crypto map Remote-Workers
    !
    interface Ethernet0/1
     no ip address
     shutdown
    !
    interface Ethernet0/2
     no ip address
     shutdown
    !
    interface Ethernet0/3
     no ip address
     shutdown
    !
    interface Ethernet1/0
     no ip address
     shutdown
    !
    interface Ethernet1/1
     no ip address
     shutdown
    !
    interface Ethernet1/2
     no ip address
     shutdown
    !
    interface Ethernet1/3
     no ip address
     shutdown
    !
    interface Serial2/0
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial2/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial2/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial2/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial3/0
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial3/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial3/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial3/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    !
    ip access-list extended Public
     permit udp any any eq isakmp
     permit esp any any
     deny   ip any any log
    ip access-list extended Remote-Workers
     permit ip host 1.1.1.1 host 1.1.1.2
    !
    !IOU1#show run
    Building configuration...
    
    Current configuration : 2959 bytes
    !
    ! Last configuration change at 10:29:03 UTC Wed Dec 31 2014
    !
    version 15.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname IOU1
    !
    boot-start-marker
    boot-end-marker
    !
    aqm-register-fnf
    !
    vrf definition DIA
    !
    vrf definition Transit-Cogent
     rd 1:1
     route-target export 1:1
     route-target import 1:1
     !
     address-family ipv4
     exit-address-family
    !
    !
    no aaa new-model
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no ip icmp rate-limit unreachable
    !
    !
    !
    !
    !
    !
    
    !
    !
    !
    !
    no ip domain lookup
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    !
    !
    redundancy
    !
    !
    ip tcp synwait-time 5
    !
    crypto keyring Remote-Workers vrf Transit-Cogent
      pre-shared-key address 1.1.1.2 key cisco
    !
    !
    !
    !
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 5
    crypto isakmp profile Remote-Workers
       keyring Remote-Workers
       match identity address 1.1.1.2 255.255.255.255 Transit-Cogent
       isakmp authorization list default
    !
    !
    crypto ipsec transform-set Test esp-aes 256 esp-sha-hmac
     mode transport
    !
    !
    !
    crypto map Remote-Workers 10 ipsec-isakmp
     set peer 1.1.1.2
     set transform-set Test
     set isakmp-profile Remote-Workers
     match address Remote-Workers
    !
    !
    !
    !
    !
    interface Tunnel0
     ip address 10.173.0.1 255.255.255.252
     tunnel source 1.1.1.1
     tunnel destination 1.1.1.2
     tunnel vrf Transit-Cogent
    !
    interface Ethernet0/0
     vrf forwarding Transit-Cogent
     ip address 1.1.1.1 255.255.255.252
     ip access-group Public in
     crypto map Remote-Workers
    !
    interface Ethernet0/1
     no ip address
     shutdown
    !
    interface Ethernet0/2
     no ip address
     shutdown
    !
    interface Ethernet0/3
     no ip address
     shutdown
    !
    interface Ethernet1/0
     no ip address
     shutdown
    !
    interface Ethernet1/1
     no ip address
     shutdown
    !
    interface Ethernet1/2
     no ip address
     shutdown
    !
    interface Ethernet1/3
     no ip address
     shutdown
    !
    interface Serial2/0
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial2/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial2/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial2/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial3/0
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial3/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial3/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial3/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    !
    ip access-list extended Public
     permit udp any any eq isakmp
     permit esp any any
     deny   ip any any log
    ip access-list extended Remote-Workers
     permit ip host 1.1.1.1 host 1.1.1.2
    !
    !
    !
    !
    
    

    Most people can ignore the VRF syntax,

    Will now have another crack at Tunnel protection,

    Regards neil

    ![PFSENSE GRE CFG.png](/public/imported_attachments/1/PFSENSE GRE CFG.png)
    ![PFSENSE GRE CFG.png_thumb](/public/imported_attachments/1/PFSENSE GRE CFG.png_thumb)
    ![PFSENSE IPSEC Ph 1.png](/public/imported_attachments/1/PFSENSE IPSEC Ph 1.png)
    ![PFSENSE IPSEC Ph 1.png_thumb](/public/imported_attachments/1/PFSENSE IPSEC Ph 1.png_thumb)
    ![PFSENSE IPSEC Ph 2.png](/public/imported_attachments/1/PFSENSE IPSEC Ph 2.png)
    ![PFSENSE IPSEC Ph 2.png_thumb](/public/imported_attachments/1/PFSENSE IPSEC Ph 2.png_thumb)



  • The above method seems the only way to configure IPSEC GRE,

    Might try again with 2.2 & Strongswan

    Neil


  • Banned

    @Sacrilegious:

    The above method seems the only way to configure IPSEC GRE,

    Sadly, 2/3 screenshots are totally useless due to extremely poor resulution :(



  • @doktornotor:

    @Sacrilegious:

    The above method seems the only way to configure IPSEC GRE,

    Sadly, 2/3 screenshots are totally useless due to extremely poor resulution :(

    Lol didnt check that, it actually took more time getting and cropping those due to using a VM than the lab…... doh

    will boot up and use the snip tool tomorrow,

    Neil



  • This should work properly on 2.2 mostly due to TRANSPORT mode fixes in kernel.



  • Hmm,

    Seems this is similar to my problem… https://forum.pfsense.org/index.php?topic=134812.msg738845#msg738845

    Well, here is my, late, contribution to this thread:

    1. A crypto map does the trick with transport mode.
    2. Crypto map with Tunnel mode works only if a Crypto Access-list matching the one on PfSense is applied to the Cisco map (restricted to IPv4 or IPv6 range selection)
    3. If an "IPsec Profile" on the Tunnel interface (Tunnel Protection..) is used instead of a Crypto Map on the Physical interface then the auto generated Crypto Access List on the Cisco selects only GRE protocol traffic instead of IP. This has no chance to match the IP protocol traffic selection on the PFSense side and this is why I believe the Tunnel Protection Cisco config fails. This can be verified on the cisco side using the commands:
    "debug crypto ipsec"
    "show crypto ipsec sa"
    (the command "debug crypto isakmp" will show that although phase 2 attributes are accepted the proposal is rejected "No_Proposal_Chosen". The reason can be found in the output of the "debug crypto ipsec" command)
    4. Not sure if Tunnel protection can work with Transport mode between Cisco and PFSense. Will be happy to try once "3" is solved

    This is why I am asking for a way to configure PFSense in a way that I can select only GRE protocol traffic instead of IP as IPsec Phase2 interesting traffic.  This will also make possible to narrow  down the selection of packets to be encrypted by IPsec on the PFSense WAN interface to GRE and allow for WAN sourced non GRE packets to leave the interface unencrypted.

    Would be nice to see this in a future update. More options in selecting IPsec interesting traffic

    Until then..  Is there a way to tweak PFSense configuration file to achieve this?

    Regards,

    Alexandros


Log in to reply