Site-to-Site IPSEC VPN Between Cisco ASA and pfSense

IPSEC is a standardized protocol (IETF standard) which means that it is supported by many different vendors. Therefore if you want to create a VPN between different vendor devices, then IPSEC VPN is the way to go.

In this article we will see a site-to-site VPN using the IPSEC protocol between a Cisco ASA and a pfSense firewall. pfSense is an open-source distribution of FreeBSD customized for use as a firewall and router. You can install pfSense on a PC with two (or more) NICs, essentially turning it into a flexible security appliance. You can obtain your copy of pfSense from the Downloads section of the pfSense website. At the time of this writing, the latest available release is 2.0.2, and that release has been used in this tutorial.

In this article, we will focus on site-to-site IPsec implementation between a Cisco ASA and a pfSense firewall, as shown in Figure 1 below.

Figure 1   Cisco ASA to pfSense IPsec Implementation

We will start with a preconfiguration checklist that will serve as a reference for configuration of IPSEC on both devices. ISAKMP/Phase 1 attributes are used to authenticate and create a secure tunnel over which IPsec/Phase 2 parameters are negotiated.

Table 1   Preconfiguration Checklist: ISAKMP/Phase-1 Attributes

  Attribute               Value
  Encryption              AES 128-bit
  Authentication method   Preshared keys
  DH group                Group 2 (1024-bit field)
  Lifetime                86,400 seconds

We will use main mode rather than aggressive mode for negotiation. IPsec Phase 2 attributes are used to encrypt and decrypt the actual data traffic.

Table 2   Preconfiguration Checklist: IPsec/Phase-2 Attributes

  Attribute     Value
  Encryption    AES 128-bit
  Lifetime      28,800 seconds / 4,608,000 kB
  PFS group     None

Now that we have determined what Phase 1 and Phase 2 attributes to use, we’re ready to configure IPsec. We assume that all IP addresses are already configured and basic connectivity exists between Cisco ASA and pfSense firewall.

ASA Configuration

Let's start with configuring the ASA (using ASA 8.4(2) in this example):

! IPsec ISAKMP Phase 1 (the Table 1 attributes; "hash sha" is the SHA-1 HMAC)

crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 enable outside

! LAN-to-LAN tunnel-group, named after the peer's IP address, carrying the pre-shared key

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
ikev1 pre-shared-key Cisc0

! IPsec Phase 2 (the Table 2 attributes; the ASA default SA lifetime of 28800 s / 4608000 kB applies, PFS is off by default)

crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
! Crypto ACL selecting the local and remote subnets to be encrypted
access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense
access-list outside_cryptomap_10 extended permit ip
! Crypto map entry: match the ACL, set the peer (the pfSense WAN address) and the transform-set, then bind the map to the outside interface
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer
crypto map outside_map 10 set ikev1 transform-set pfSense-AES128SHA
crypto map outside_map interface outside
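Most failed negotiations between two vendors come down to one Phase 1 or Phase 2 attribute that differs on the two ends. The following script is an added example (it is not code from the article or from Cisco/pfSense): it parses the ASA commands shown above into Phase 1 and Phase 2 attribute sets and compares them with the values the pfSense side is configured with from Table 1 and Table 2. The pfSense dictionaries, the ASA keyword mappings and the `check()` helper are assumptions made for the example; the ASA defaults it relies on (Phase 1 lifetime 86400 s, PFS off, PFS group 2 when "set pfs" is given without a group) are the documented ASA defaults.

```python
"""Compare the ASA's IKEv1/IPsec proposals with the pfSense checklist (Tables 1 and 2).

Added example, not from the article: parses the ASA commands from the article
and reports any attribute that would make Phase 1 or Phase 2 negotiation fail.
"""
import re

# Constructed input: the ASA commands from the article (peer address and subnets
# are not needed for the proposal check, so they are left out here).
ASA_CONFIG = """\
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
crypto map outside_map 10 set ikev1 transform-set pfSense-AES128SHA
"""

# Values entered in the pfSense GUI, taken from Table 1 / Table 2 (assumed
# normalised names; "sha1" is the hash the ASA's "hash sha" means).
PFSENSE_PHASE1 = {"auth": "pre-share", "encryption": "aes128", "hash": "sha1",
                  "dhgroup": 2, "lifetime": 86400}
PFSENSE_PHASE2 = {"encryption": "aes128", "hash": "sha1", "pfs": None}

# ASA keywords -> normalised names used above.
ASA_ENC = {"aes": "aes128", "aes-192": "aes192", "aes-256": "aes256", "3des": "3des", "des": "des"}
ASA_HASH = {"sha": "sha1", "md5": "md5"}
ESP_ENC = {"esp-aes": "aes128", "esp-aes-192": "aes192", "esp-aes-256": "aes256",
           "esp-3des": "3des", "esp-des": "des"}
ESP_HASH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}

TRANSFORM = re.compile(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)")
PFS = re.compile(r"crypto map \S+ \d+ set pfs(?: group(\d+))?")

def parse_asa(config):
    """Return (phase1, phase2) attribute dicts from an ASA 8.4-style snippet."""
    phase1, phase2 = {}, {}
    in_policy = False
    for line in config.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("crypto ikev1 policy"):
            in_policy = True
            phase1 = {"lifetime": 86400}  # ASA default when the lifetime line is omitted
            continue
        if in_policy:
            key, _, value = line.partition(" ")
            if key == "authentication":
                phase1["auth"] = value; continue
            if key == "encryption":
                phase1["encryption"] = ASA_ENC[value]; continue
            if key == "hash":
                phase1["hash"] = ASA_HASH[value]; continue
            if key == "group":
                phase1["dhgroup"] = int(value); continue
            if key == "lifetime":
                phase1["lifetime"] = int(value); continue
            in_policy = False  # any other command ends the policy block
        m = TRANSFORM.match(line)
        if m:
            phase2 = {"name": m.group(1), "encryption": ESP_ENC[m.group(2)],
                      "hash": ESP_HASH[m.group(3)], "pfs": None}  # PFS is off unless set
        m = PFS.match(line)
        if m:
            phase2["pfs"] = int(m.group(1)) if m.group(1) else 2  # ASA default PFS group
    return phase1, phase2

def compare(asa, pfsense, keys):
    """List the attributes (from keys) on which the two ends disagree."""
    return [f"{k}: ASA={asa.get(k)!r} pfSense={pfsense.get(k)!r}"
            for k in keys if asa.get(k) != pfsense.get(k)]

def check(config=ASA_CONFIG, p1=PFSENSE_PHASE1, p2=PFSENSE_PHASE2):
    """Return mismatches per phase; empty lists mean the proposals agree."""
    phase1, phase2 = parse_asa(config)
    return {"phase1": compare(phase1, p1, ["auth", "encryption", "hash", "dhgroup", "lifetime"]),
            "phase2": compare(phase2, p2, ["encryption", "hash", "pfs"])}

if __name__ == "__main__":
    for phase, problems in check().items():
        print(phase, "OK" if not problems else problems)
```

Running it against the article's configuration reports both phases as OK; changing the ASA to `group 5` or adding `set pfs group5` to the crypto map makes the corresponding mismatch show up, which is exactly the kind of difference that leaves the tunnel stuck in Phase 1 or Phase 2.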

PfSense Configuration

We open the URL in a Web browser to access the pfSense firewall and enter the default username/password of admin/pfsense. You may have noticed that is the WAN IP address of the pfSense firewall that indicates we are accessing it from the Internet.

Screenshot: pfSense login page

After successfully logging in you reach the Status page which reports the summary state of your pfSense firewall. Go to VPN > IPsec using the menu and click add phase1 entry on the Tunnels tab. Configure ISAKMP/Phase 1 parameters as given in Table 1 and shown in the following screenshot.

Screenshot: pfSense IPsec Phase 1 settings

Click the Save button to save the configuration and go back to the Tunnels tab. Click add phase 2 entry to configure IPsec/Phase 2 parameters as given in Table 2 and shown in the following screenshot.

Screenshot: pfSense IPsec Phase 2 settings

Click the Save button to save changes and go back to the Tunnels tab where you can view a summary of your Phase 1 and Phase 2 configuration. Check the Enable IPsec checkbox and press the Save button. In the end, press the Apply changes button to finalize your configuration, as shown in the following screenshot.

Screenshot: VPN > IPsec Tunnels tab with Enable IPsec checked

Our IPsec configuration is now complete on both devices. We can generate some traffic from a host in the subnet behind the Cisco ASA to a host in the subnet behind pfSense, using the ping utility. If ping is successful between the two subnets, the IPsec tunnel has most likely been established successfully. This can be verified with the command show crypto ipsec stats on the Cisco ASA.

In order to check IPsec tunnel status on the pfSense firewall, go to Status > IPsec. If you see a tiny green icon in the Status column, IPsec tunnel is successfully established as shown in the following screenshot.
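The counters from show crypto ipsec stats are the quickest way to tell a tunnel that is negotiated but carrying no traffic from one that is healthy. The script below is an added example (not code from the article, Cisco or pfSense) that parses that output into per-direction counters and flags the conditions that usually explain "tunnel up, no traffic": non-zero failure or drop counters, and traffic flowing in only one direction, which on a site-to-site tunnel typically points at a missing NAT exemption or return route. The sample output is constructed for the example (the field names follow the ASA format; the numbers are made up), and the `assess()` rules are the author's assumptions, not an ASA feature.

```python
"""Summarise the counters printed by `show crypto ipsec stats` on a Cisco ASA.

Added example, not part of the article. The ASA prints two unlabeled blocks of
per-direction counters after the global ones: the first block (with
Decryptions) is the inbound direction, the second (with Encryptions) outbound.
"""
import re

# Constructed sample output (field names follow the ASA format, values are made up).
SAMPLE = """\
IPsec Global Statistics
Active tunnels: 1
Previous tunnels: 3
Bytes: 0
Decompressed bytes: 0
Packets: 120
Dropped packets: 0
Replay failures: 0
Authentications: 120
Authentication failures: 0
Decryptions: 120
Decryption failures: 0
Decapsulated fragments needing reassembly: 0
Bytes: 0
Uncompressed bytes: 0
Packets: 135
Dropped packets: 0
Authentications: 135
Authentication failures: 0
Encryptions: 135
Encryption failures: 0
Fragmentation successes: 0
Fragmentation failures: 0
PMTUs sent: 0
PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
"""

COUNTER = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s*(\d+)\s*$")

def parse_stats(text):
    """Split the output into 'global', 'inbound' and 'outbound' counter dicts."""
    sections = {"global": {}, "inbound": {}, "outbound": {}}
    current = "global"
    for line in text.splitlines():
        m = COUNTER.match(line)
        if not m:
            continue  # heading or blank line
        name, value = m.group(1), int(m.group(2))
        if name == "Bytes":
            # Each per-direction block begins with a "Bytes:" line.
            current = "inbound" if current == "global" else "outbound"
        sections[current][name] = value
    return sections

def assess(stats):
    """Return a list of findings; an empty list means the counters look healthy."""
    g, inb, outb = stats["global"], stats["inbound"], stats["outbound"]
    findings = []
    if g.get("Active tunnels", 0) == 0:
        findings.append("no active tunnels: Phase 1 or Phase 2 did not complete")
    for direction, counters in (("inbound", inb), ("outbound", outb)):
        for name, value in counters.items():
            if value and ("failures" in name or name == "Dropped packets"):
                findings.append(f"{direction}: {name} = {value}")
    decrypted, encrypted = inb.get("Decryptions", 0), outb.get("Encryptions", 0)
    if decrypted and not encrypted:
        findings.append("packets arrive from the peer but none are sent back: "
                        "check the return route and NAT exemption for the remote subnet")
    if encrypted and not decrypted:
        findings.append("packets are sent to the peer but none come back: "
                        "check the peer's crypto policy, routing and NAT exemption")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_stats(SAMPLE)) or ["counters look healthy"]:
        print(finding)
```

Paste the real output from the ASA in place of SAMPLE. A zero Encryptions count alongside a growing Decryptions count is the signature of the NAT problem discussed in the comments: the ASA receives the peer's traffic but its own replies never enter the tunnel because they are translated before the crypto map sees them.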

Screenshot: Status > IPsec showing the established tunnel


  1. Hakim K Edwards says

    I am running 8.2(5) ios on my asa 5505. I am just wondering if this config script will work on the version that I am running?

  2. Blog Admin says

    It will work. Just remove the word "ikev1" from the ipsec configuration commands.

  3. Hakim K Edwards says

    What is ikev1 used for? At work I am using the older version pfSense 1.2.3. Can we get a how-to with a Cisco ASA 5505 ver. 8.2(5) and pfSense 1.2.3? I would like to get a VPN tunnel up and working, please.

  4. Blog Admin says

    Sorry but I don’t have at my disposal all different versions of ASA and pfsense.

  5. Hakim K Edwards says

    2 IKE Peer: my Ip Addrss
    Type : L2L Role : responder
    Rekey : no State : MM_ACTIVE
    I have the tunnel up and running, but I cannot pass any traffic through the tunnel. I did everything in this tutorial. What am I doing wrong? Please help!!

  6. Hakim K Edwards says

    WATER-SEWER-FW# show crypto ipsec stats

    IPsec Global Statistics
    Active tunnels: 2
    Previous tunnels: 4
    Bytes: 0
    Decompressed bytes: 0
    Packets: 28612
    Dropped packets: 0
    Replay failures: 0
    Authentications: 28612
    Authentication failures: 0
    Decryptions: 28612
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
    Bytes: 0
    Uncompressed bytes: 0
    Packets: 32543
    Dropped packets: 0
    Authentications: 32543
    Authentication failures: 0
    Encryptions: 32543
    Encryption failures: 0
    Fragmentation successes: 0
    Pre-fragmentation successses: 0
    Post-fragmentation successes: 0
    Fragmentation failures: 0
    Pre-fragmentation failures: 0
    Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
    Protocol failures: 0
    Missing SA failures: 0
    System capacity failures: 0

  7. Blog Admin says

    If you have NAT in your network then you must do NAT exemption for the VPN traffic.

  8. Hakim K Edwards says

    I want to thank you. I just configured my first VPN tunnel. I got Cisco 8.2(5) to work with pfSense 1.2.3.

  9. Hakim Edwards says

    I'm sorry, but I am trying to learn about VPN, and I am working on two VPNs to pfSense boxes. I can ping from the Cisco ASA side, but I cannot ping from the pfSense to the Cisco box. I put the nonat statement in. What am I doing wrong?

  10. TOBI says

    Thank you infinitely for this tutorial. My concern is how to get the complete configuration, because before reaching IPsec one must first configure the interfaces so that the machines communicate. And I do not know how to configure the machines so they communicate. I want your help. Thanks, I await your response.

  11. TOBI says

    Please, here I tried to configure pfSense on VMware and Cisco ASA on GNS3.
    But I cannot ping from the ASA to pfSense.
    Please help me with configuring the interfaces of the ASA and pfSense so they can communicate.
    Thank you in advance.

  12. Blog Admin says

    You must create a Microsoft Loopback adapter on the Windows machine running GNS3. Then use the "cloud" node in GNS3 in order to link the Microsoft Loopback adapter with the GNS3 ASA device. Also you must add a static route on the Windows machine in order to reach the GNS3 ASA interface via the loopback adapter.

  13. TOBI says

    Hi, to set up pfSense on a virtual machine, is VMware or VirtualBox used?
    I tried it on VMware, but the ASA and pfSense do not see each other when pinging from the ASA to pfSense.
    Please, I want your help with the configuration concerning interfaces and connectivity;
    the procedure. Thank you very much for your kindness.

  14. TOBI says

    Please, I have a problem configuring the tunnel between two routers, and the Cisco ASA
    has not collaborated with pfSense. First, the ping does not go between them. Please help me out by sending me the interface configuration of this topology, because in this tutorial I only see the configuration of the site-to-site VPN directly. I count on you, Mr. Hakim Edwards.

  15. Blog Admin says

    You don't need to have a static IP on the pfSense site. You can use the "tunnel-group DefaultL2LGroup ipsec-attributes" command on the ASA firewall to terminate the pfSense site which has a dynamic IP.

  16. Jason Johnson says

    So does that mean I could have 1 asa and 2 pfsense boxes or will the default tunnel group only allow me to have 1 remote peer?
