Site-to-Site IPSEC VPN Between Cisco ASA and pfSense

IPsec is an IETF standard, so it is implemented by many different vendors. If you need a VPN between devices from different vendors, an IPsec VPN is therefore the way to go.

In this article we build a site-to-site VPN using the IPsec protocol between a Cisco ASA and a pfSense firewall. pfSense is an open source distribution of FreeBSD customized for use as a firewall and router. You can install pfSense on a PC with two (or more) NICs, essentially turning it into a flexible security appliance. You can obtain your copy of pfSense from the Downloads section of www.pfsense.org. At the time of this writing, the latest available release is 2.0.2, which is the version used in this tutorial.

In this article, we will focus on site-to-site IPsec implementation between a Cisco ASA and a pfSense firewall, as shown in Figure 1 below.

Figure 1  Cisco ASA to pfSense IPsec Implementation

We will start with a preconfiguration checklist that serves as a reference for configuring IPsec on both devices. The ISAKMP/Phase 1 attributes are used to authenticate the peers and build a secure channel over which the IPsec/Phase 2 parameters are then negotiated.

Table 1   Preconfiguration Checklist: ISAKMP/Phase-1 Attributes

Attribute              Value
Encryption             AES 128-bit
Hashing                SHA-1
Authentication method  Preshared keys
DH group               Group 2 (1024-bit field)
Lifetime               86,400 seconds

We will use main mode rather than aggressive mode for negotiation. IPsec Phase 2 attributes are used to encrypt and decrypt the actual data traffic.

Table 2   Preconfiguration Checklist: IPsec/Phase-2 Attributes

Attribute   Value
Encryption  AES 128-bit
Hashing     SHA-1
Lifetime    28,800 seconds / 4,608,000 kB
Mode        Tunnel
PFS group   None

Now that we have determined what Phase 1 and Phase 2 attributes to use, we’re ready to configure IPsec. We assume that all IP addresses are already configured and basic connectivity exists between Cisco ASA and pfSense firewall.

ASA Configuration

Let’s start by configuring the ASA (ASA 8.4(2) is used in this example):

! IPsec ISAKMP Phase 1 (attributes from Table 1)
!
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
exit
!
! Enable IKEv1 on the interface that faces the pfSense peer
crypto ikev1 enable outside
!
! The peer is identified by its WAN address; the pre-shared key must match
! the key entered on the pfSense Phase 1 page
tunnel-group 173.199.183.2 type ipsec-l2l
tunnel-group 173.199.183.2 ipsec-attributes
 ikev1 pre-shared-key Cisc0
!
! IPsec Phase 2 (attributes from Table 2: ESP with AES-128 and SHA-1 HMAC, tunnel mode)
! The Phase 2 lifetime is left at the ASA defaults, 28,800 seconds / 4,608,000 kB,
! which already match Table 2
!
crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
!
! Interesting traffic: ASA LAN 192.168.1.0/24 to pfSense LAN 10.0.0.0/24
access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!
! Crypto map entry 10 ties the ACL, the peer and the transform-set together
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 173.199.183.2
crypto map outside_map 10 set ikev1 transform-set pfSense-AES128SHA
crypto map outside_map interface outside
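The configuration above is the minimum for the tunnel itself. As an added example (not part of the original article), the following completes the ASA side for the common case where the ASA also performs PAT for 192.168.1.0/24 toward the Internet: without a NAT exemption, the ASA translates the LAN source address before the crypto map is evaluated, so the traffic never matches outside_cryptomap_10 and either the tunnel never comes up or nothing passes through it. The object names INSIDE-NET and PFSENSE-NET are chosen here; the addresses are the ones used in this article.

```cisco
! Added example (not from the original article): NAT exemption and
! verification for ASA 8.4(2). Object names are chosen for this example.
!
! Internet access for the LAN: PAT to the outside interface address.
! Assumed to exist already; shown so the purpose of the exemption is clear.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Remote LAN behind the pfSense firewall
object network PFSENSE-NET
 subnet 10.0.0.0 255.255.255.0
!
! Identity (twice) NAT for VPN traffic. "source static" rules are evaluated
! before the object NAT above, so 192.168.1.0/24 keeps its real address
! toward 10.0.0.0/24 and the packets match outside_cryptomap_10.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static PFSENSE-NET PFSENSE-NET
!
! Verification after sending traffic across the tunnel
show crypto ikev1 sa
show crypto ipsec sa peer 173.199.183.2
show nat
```

In show crypto ipsec sa, both the encaps and decaps counters should increase while the ping runs; encaps rising with decaps at zero usually points at a NAT or Phase 2 selector mismatch on the pfSense side rather than at Phase 1. Decrypted VPN traffic bypasses the outside interface ACL by default (sysopt connection permit-vpn), so no additional access-list entry is needed for the return traffic.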

PfSense Configuration

We open the URL http://173.199.183.2 in a Web browser to access the pfSense firewall and enter the default username/password of admin/pfsense. Note that 173.199.183.2 is the WAN IP address of the pfSense firewall, which means we are accessing it from the Internet side.

[Screenshot: pfSense login page]

After successfully logging in you reach the Status page, which reports the summary state of your pfSense firewall. Go to VPN > IPsec using the menu and click add phase1 entry on the Tunnels tab. Configure the ISAKMP/Phase 1 parameters as given in Table 1 and shown in the following screenshot.

[Screenshot: pfSense IPsec Phase 1 settings]

Click the Save button to save the configuration and go back to the Tunnels tab. Click add phase 2 entry to configure IPsec/Phase 2 parameters as given in Table 2 and shown in the following screenshot.

[Screenshot: pfSense IPsec Phase 2 settings]

Click the Save button to save changes and go back to the Tunnels tab where you can view a summary of your Phase 1 and Phase 2 configuration. Check the Enable IPsec checkbox and press the Save button. In the end, press the Apply changes button to finalize your configuration, as shown in the following screenshot.

[Screenshot: VPN > IPsec Tunnels tab with Enable IPsec checked]

Our IPsec configuration is now complete on both devices. We can generate some traffic from a host in subnet 192.168.1.0/24 connected to the Cisco ASA to a host in subnet 10.0.0.0/24 connected to pfSense, using the ping utility. If ping succeeds between the two subnets, the IPsec tunnel has most likely been established. This can be verified with the command show crypto ipsec stats on the Cisco ASA.

To check the IPsec tunnel status on the pfSense firewall, go to Status > IPsec. If you see a small green icon in the Status column, the IPsec tunnel is established, as shown in the following screenshot.

[Screenshot: Status > IPsec showing the established tunnel]

 

Comments

  1. Hakim K Edwards says:

    I am running 8.2(5) IOS on my ASA 5505. I am just wondering if this config script will work on the version that I am running?

  2. Blog Admin says:

    It will work. Just remove the word “ikev1” from the IPsec configuration commands.

  3. Hakim K Edwards says:

    What is ikev1 used for? At work I am using an older pfSense version, 1.2.3. Can we get a how-to with a Cisco ASA 5505 ver. 8.2(5) and pfSense 1.2.3? I would like to get a VPN tunnel up and working, please.

  4. Blog Admin says:

    Hakim,
    Sorry, but I don’t have all the different versions of ASA and pfSense at my disposal.

  5. Hakim K Edwards says:

    2 IKE Peer: 173.0.0.0 my Ip Addrss
    Type : L2L Role : responder
    Rekey : no State : MM_ACTIVE
    WATER-SEWER-FW#
    I have the tunnel up and running, but I cannot pass any traffic through the tunnel. I did everything in this tutorial. What am I doing wrong? Please help!!

  6. Hakim K Edwards says:

    WATER-SEWER-FW# show crypto ipsec stats

    IPsec Global Statistics
    -----------------------
    Active tunnels: 2
    Previous tunnels: 4
    Inbound
    Bytes: 0
    Decompressed bytes: 0
    Packets: 28612
    Dropped packets: 0
    Replay failures: 0
    Authentications: 28612
    Authentication failures: 0
    Decryptions: 28612
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
    Outbound
    Bytes: 0
    Uncompressed bytes: 0
    Packets: 32543
    Dropped packets: 0
    Authentications: 32543
    Authentication failures: 0
    Encryptions: 32543
    Encryption failures: 0
    Fragmentation successes: 0
    Pre-fragmentation successses: 0
    Post-fragmentation successes: 0
    Fragmentation failures: 0
    Pre-fragmentation failures: 0
    Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
    Protocol failures: 0
    Missing SA failures: 0
    System capacity failures: 0

  7. Blog Admin says:

    If you have NAT in your network then you must do NAT exemption for the VPN traffic.

  8. Hakim K Edwards says:

    I want to thank you. I just configured my first VPN tunnel. I got Cisco 8.2(5) to work with pfSense 1.2.3.

  9. Blog Admin says:

    Great job Hakim,

    I’m glad I helped…

  10. Hakim Edwards says:

    I’m sorry, but I am trying to learn about VPN. I am working on two VPNs to a pfSense box. I can ping from the Cisco ASA side, but I cannot ping from the pfSense to the Cisco box. I put the nonat statement in. What am I doing wrong?

  11. Hello,
    Thank you very much for this tutorial. My concern is how to get the complete configuration, because before getting to IPsec one must first configure the interfaces so that the machines can communicate. I do not know how to configure the interfaces so the machines communicate. I want your help. Thanks, I await your response.

  12. Hello,
    I tried to configure pfSense on VMware and the Cisco ASA on GNS3.
    But I cannot ping from the ASA to pfSense.
    Please help me with configuring the ASA and pfSense interfaces so they can communicate.
    Thank you in advance.

  13. Blog Admin says:

    Tobi,

    You must create a Microsoft Loopback adapter on the Windows machine running the GNS3. Then use the “cloud” node in GNS3 in order to link the Microsoft Loopback adapter with the GNS3 ASA device. Also you must add a static route on the Windows machine in order to reach the GNS3 ASA interface via the loopback adapter.

    Harris

  14. Hi, to set up the virtual machine for pfSense, is VMware or VirtualBox used?
    I tried it on VMware, but the ASA and pfSense do not see each other: a ping from the ASA to pfSense fails.
    Please, I want your help with the configuration concerning the interfaces and connectivity,
    and the procedure. Thank you very much for your kindness.

  15. Please, I have a problem configuring the tunnel between two routers and a Cisco ASA;
    pfSense has not cooperated. First, the ping does not go through between them. Please help me by sending me the interface configuration of this topology, because this tutorial goes directly to the site-to-site VPN configuration. I count on you, Mr. Hakim Edwards.

  16. Jason Johnson says:

    Do you need to have static IPs on both sides?

    I only have a static IP on my ASA side.

  17. Blog Admin says:

    Jason,

    You don’t need to have a static IP on the pfSense site. You can use the “tunnel-group DefaultL2LGroup ipsec-attributes” command on the ASA firewall to terminate the pfSense site, which has a dynamic IP.

    Harris

  18. Jason Johnson says:

    So does that mean I could have 1 ASA and 2 pfSense boxes, or will the default tunnel group only allow me to have 1 remote peer?

  19. Jason,
    Yes, you could have 2 pfsense boxes and 1 ASA.
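As an added example (not from the original article or from the comments above), this is what the DefaultL2LGroup approach discussed in the last few comments looks like on ASA 8.4(2) for a pfSense peer whose WAN address is not fixed. The existing transform-set and outside_map from the article are reused; the dynamic map name DYN-MAP, the ACL name, the second remote LAN 10.0.1.0/24 and the key placeholder are assumptions made for this example.

```cisco
! Added example (not from the original article): a dynamic-IP pfSense peer
! on ASA 8.4(2). DYN-MAP, the ACL name, 10.0.1.0/24 and the key are chosen here.
!
! Interesting traffic for the dynamic peer (assumed second pfSense LAN)
access-list outside_cryptomap_dyn extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
!
! Dynamic crypto map: the peer address is learned when the remote side connects
crypto dynamic-map DYN-MAP 10 match address outside_cryptomap_dyn
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set pfSense-AES128SHA
!
! Attach it as the last entry of the existing outside_map so that the static
! entry for 173.199.183.2 (sequence 10) is still evaluated first
crypto map outside_map 65535 ipsec-isakmp dynamic DYN-MAP
!
! Any IKEv1 L2L peer whose address does not match a tunnel-group named by IP
! authenticates against this group, so the key is shared by all such peers
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
```

Two properties of this setup matter in practice. First, the ASA cannot initiate to a peer it does not know, so the tunnel comes up only when pfSense initiates (sending traffic from the pfSense LAN, or enabling its automatic keepalive/ping options). Second, every dynamic peer presents the same DefaultL2LGroup key, so a further pfSense box, as asked in the comment above, is simply another dynamic-map sequence with its own ACL, but any party holding that key can negotiate a tunnel with the ASA; keep the key long and random and, for peers that do have a fixed address, keep a per-peer tunnel-group as in the article. The NAT exemption for 10.0.1.0/24 is needed exactly as for the static peer.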
