Networks Training

Site-to-Site IPSEC VPN Between Cisco ASA and pfSense

IPSEC is a standardized protocol (IETF standard) which means that it is supported by many different vendors. Therefore if you want to create a VPN between different vendor devices, then IPSEC VPN is the way to go.

In this article we will see a site-to-site VPN using the IPSEC protocol between a Cisco ASA and a pfSense firewall. PfSense is an open source distribution of FreeBSD customized for use as a firewall and router. You can install pfSense on a PC with two (or more) NICs, essentially turning it into a flexible security appliance. You can obtain your copy of pfSense from the Downloads section of www.pfsense.org. At the time of this writing, the latest available release is 2.0.2 and the same has been used in this tutorial.

In this article, we will focus on site-to-site IPsec implementation between a Cisco ASA and a pfSense firewall, as shown in Figure 1 below.

Figure 1  Cisco ASA to pfSense IPsec Implementation (Click for Larger Picture)

IPsec - ASA to pfSense

We will start with a preconfiguration checklist that will serve as a reference for configuration of IPSEC on both devices. ISAKMP/Phase 1 attributes are used to authenticate and create a secure tunnel over which IPsec/Phase 2 parameters are negotiated.

Table 1   Preconfiguration Checklist: ISAKMP/Phase-1 Attributes

Attribute Value
Encryption AES 128-bit
Hashing SHA-1
Authentication method Preshared keys
DH group Group 2 1024-bit field
Lifetime 86,400 seconds

We will use main mode rather than aggressive mode for negotiation. IPsec Phase 2 attributes are used to encrypt and decrypt the actual data traffic.

MORE READING:  Site to Site IPSEC VPN Between Cisco Router and Juniper Security Gateway

  Table 2   Preconfiguration Checklist: IPsec/Phase-2 Attributes

Attribute Value
Encryption AES 128-bit
Hashing SHA-1
Lifetime 28,800 seconds4,608,000 kB
Mode Tunnel
PFS group None

Now that we have determined what Phase 1 and Phase 2 attributes to use, we’re ready to configure IPsec. We assume that all IP addresses are already configured and basic connectivity exists between Cisco ASA and pfSense firewall.

ASA Configuration

Let’s start with configuring the ASA (Using ASA 8.4(2) in this example):

! IPsec ISAKMP Phase 1

crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
exit
!
crypto ikev1 enable outside

tunnel-group 173.199.183.2 type ipsec-l2l
tunnel-group 173.199.183.2 ipsec-attributes
ikev1 pre-shared-key Cisc0

! IPsec Phase 2

crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
!
access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 173.199.183.2
crypto map outside_map 10 set ikev1 transform-set pfSense-AES128SHA
crypto map outside_map interface outside

PfSense Configuration

We open the URL http://173.199.183.2 in a Web browser to access the pfSense firewall and enter the default username/password of admin/pfsense. You may have noticed that 173.199.183.2 is the WAN IP address of the pfSense firewall that indicates we are accessing it from the Internet.

pfSense Login

(click for larger picture)

After successfully logging in you reach the Status page which reports the summary state of your pfSense firewall. Go to VPN > IPsec using the menu and click add phase1 entry on the Tunnels tab. Configure ISAKMP/Phase 1 parameters as given in Table 1 and shown in the following screenshot.

MORE READING:  Overview of Cisco ASA VPN Technologies

pfSense ipsec Phase1(click for larger picture)

Click the Save button to save the configuration and go back to the Tunnels tab. Click add phase 2 entry to configure IPsec/Phase 2 parameters as given in Table 2 and shown in the following screenshot.

pfSense ipsec Phase2(click for larger picture)

Click the Save button to save changes and go back to the Tunnels tab where you can view a summary of your Phase 1 and Phase 2 configuration. Check the Enable IPsec checkbox and press the Save button. In the end, press the Apply changes button to finalize your configuration, as shown in the following screenshot.

 VPN IPsec(click for larger picture)

Our IPsec configuration is now complete on both devices. We can generate some traffic from a host in subnet 192.168.1.0/24 connected to Cisco ASA to a host in subnet 10.0.0.2/24 connected to pfSense, using the ping utility. If ping is successful between the two subnets, an IPsec tunnel is likely to have established successfully. The same can be verified using command show crypto ipsec stats on Cisco ASA.

In order to check IPsec tunnel status on the pfSense firewall, go to Status > IPsec. If you see a tiny green icon in the Status column, IPsec tunnel is successfully established as shown in the following screenshot.

IPsec status(click for larger picture)

Filed Under: Cisco VPN

Comments

  1. I am running 8.2(5) ios on my asa 5505. I am just wondering if this config script will work on the version that I am running?

  2. It will work. Just remove the word “ikev1” from the ipsec configuration commands

  3. What is the ikev1 used for? At work I am using older version pfsense 1.2.3, Can we get a howto with a cisco asa 5505 ver. 8.2(5) and pfsense 1.2.3? I would like to get a vpn tunnel up and working Please.

  4. Hakim,
    Sorry but I don’t have at my disposal all different versions of ASA and pfsense.

  5. 2 IKE Peer: 173.0.0.0 my Ip Addrss
    Type : L2L Role : responder
    Rekey : no State : MM_ACTIVE
    WATER-SEWER-FW#
    I have the tunnel up and running but I can not pass any traffic thru the tunnel. I did every thing in this tutorial. What am I doing wrong. Please Help!!

  6. WATER-SEWER-FW# show crypto ipsec stats

    IPsec Global Statistics
    ———————–
    Active tunnels: 2
    Previous tunnels: 4
    Inbound
    Bytes: 0
    Decompressed bytes: 0
    Packets: 28612
    Dropped packets: 0
    Replay failures: 0
    Authentications: 28612
    Authentication failures: 0
    Decryptions: 28612
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
    Outbound
    Bytes: 0
    Uncompressed bytes: 0
    Packets: 32543
    Dropped packets: 0
    Authentications: 32543
    Authentication failures: 0
    Encryptions: 32543
    Encryption failures: 0
    Fragmentation successes: 0
    Pre-fragmentation successses: 0
    Post-fragmentation successes: 0
    Fragmentation failures: 0
    Pre-fragmentation failures: 0
    Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
    Protocol failures: 0
    Missing SA failures: 0
    System capacity failures: 0

  7. If you have NAT in your network then you must do NAT exemption for the VPN traffic.

  8. I want to thank you. I just configured my first vpn tunnel. I got Cisco 8.2(5) to work with the Pfsense 1.2.3.

  10. I’m sorry but I am trying to learn about vpn, but I working on a two vpn to pfsense box. I can ping from the cisco asa side but I can not ping for the pfsense to the cisco box. I put the nonat statement in. What am I doing wrong?

  11. Hello,
    infinement thank you for this tutorial. My concern how how to get the complete configuration because before reaching ipsec must first configure the interface then the machines communicate first. And with that, I do not know how to configure and communicate machines.I want your help Thanks I await your response.

  12. Hello,
    Please, here I tried to configure pfsense on vmware and Cisco ASA on GNS 3.
    But I can not ping ASA to Pfsense.
    Please help me with configuration interfaces ASA and pfsense so they can communicate.
    Thank you to you in advance.

  13. Tobi,

    You must create a Microsoft Loopback adapter on the Windows machine running the GNS3. Then use the “cloud” node in GNS3 in order to link the Microsoft Loopback adapter with the GNS3 ASA device. Also you must add a static route on the Windows machine in order to reach the GNS3 ASA interface via the loopback adapter.

    Harris

  14. Hi, to set on virtual machine is used for pfsense vmware or virtualbox.
    I tried it on vmware but ASA and Pfsense do not see by ASA ping to pfsense.
    on please, I want your help in the configuation conserne interfaces and connectivity;
    the procedure. Thank you very much for your kindness.

  15. On Please I have problem to configure the tunnel between two routers. and Cisco ASA
    not ave collabord pfsense. First the ping does not go into them. Please help me out by sending me the configuration interfaces of this topology. because in this tutorial I will voice the configuration of VPN Site to site directly. I count on you Mr. Hakim Edwards

  17. Jason,

    You don’t need to have a static IP on the pfsense site. You can use the “tunnel-group DefaultL2LGroup ipsec-attributes” command on the ASA firewall to terminate the pfsense site which has dynamic IP

    Harris

  18. So does that mean I could have 1 asa and 2 pfsense boxes or will the default tunnel group only allow me to have 1 remote peer?

  20. Hi Harris

    I wonder if you could help me with a working config for an ASA 5515-X VPN with multiple subnets behind the ASA needing to be tunneled. I have three subnets behind the ASA that need to be connected to a single host IP behind the peer on the other side of the VPN tunnel.
    I cannot get this to work, I thought all I need is to have an object group for all the networks behind the ASA, and a single NAT for that object group.

    Please can you show me what I am doing wrong? I love your books, they helped me get the ASA working after two days of reading!

  22. Hi Harris..

    I created an object-group with network objects for the three subnets I want to VPN on the ASA’s side, and an object group for the single host on the other side.

    Here you go

    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400

    tunnel-group 1.1.1.50 type ipsec-l2l
    tunnel-group 1.1.1.50 ipsec-attributes
    ikev1 pre-shared-key *****

    access-list ciscoSophosVPN-list extended permit ip object-group ciscoSophosVPN-src object-group ciscoSophosVPN-dest

    crypto ipsec ikev1 transform-set ciscoSophosVPNset esp-3des esp-md5-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto map ciscoSophosVPN_map 20 match address ciscoSophosVPN-list
    crypto map ciscoSophosVPN_map 20 set pfs
    crypto map ciscoSophosVPN_map 20 set peer 1.1.1.50
    crypto map ciscoSophosVPN_map 20 set ikev1 transform-set ciscoSophosVPNset
    crypto map ciscoSophosVPN_map interface outside

    nat (inside,outside) source static ciscoSophosVPN-src ciscoSophosVPN-src destination static ciscoSophosVPN-dest ciscoSophosVPN-dest no-proxy-arp route-lookup

    object-group network ciscoSophosVPN-src
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.0.0 255.255.255.0
    object-group network ciscoSophosVPN-dest
    network-object 1.1.1.52 255.255.255.255

  23. ok, the exact opposite (mirror access list) containing the same network subnets must be configured on the other site as well.
    Run also two commands for troubleshooting:

    show crypto isakmp sa
    show crypto ipsec sa

  24. So there’s nothing the matter with my configuration?
    I cant get the tunnel to form with the other end (a Sophos UTM) as it always complains of INVALID_ID_INFORMATION.

  29. I am trying to create a site to site IPSec tunnel between my pfSense and a Cisco ASA firewall / router.

    On the pfSense side, LAN IP range is 10.3.0.0/14. pfSense has 3 interfaces:

    LAN–>10.0.0.1/14
    WAN–>x.x.48.78/24
    OPT1–>10.139.136.178/29
    On the Cisco side, their private IP range is 10.248.65.0/22

    IPSec phase 1

    Key Exchange version = V1
    Internet Protocol = IPv4
    Interface = x.x.48.78
    Remote Gateway = [public IP of Cisco]
    Authentication Method = Mutual PSK
    Negotiation mode = Main
    My identifier = My IP address
    Peer identifier = Peer IP address
    Pre-Shared Key = [secret]
    Encryption Algorithm = 3DES (yes I know it’s weak)
    Hash Algorithm = SHA1
    DH Group = 2
    Lifetime (Seconds) = 28800
    NAT Traversal = Auto
    Dead Peer Detection = Enable DOD
    Delay = 10
    Max failures = 5
    IPSec phase 2

    Mode = Tunnel IPv4
    Local Network = LAN subnet
    NAT/BINAT translation = None
    Remote Network = 10.248.65.0/22
    Protocol = ESP
    Encryption Algorithms = 3DES
    Hash Algorithms = SHA1
    PFS key group = 2
    Lifetime = 3600.

    When I try to establish the tunnel from pfSense, for a second connection is established and then dropped.
    When I look into IPSec logs, I see something like this (bottom to top):

    07[IKE] deleting IKE_SA con1000[16] between x.x.48.78[x.x.48.78]…[public IP of Cisco][[public IP of Cisco]]
    07[IKE] received DELETE for IKE_SA con1000[16]
    07[ENC] parsed INFORMATIONAL_V1 request 3634372393 [ HASH D ]
    07[NET] received packet: from [public IP of Cisco][500] to x.x.48.78[500] (84 bytes)
    11[IKE] received INVALID_ID_INFORMATION error notify
    11[ENC] parsed INFORMATIONAL_V1 request 2181947022 [ HASH N(INVAL_ID) ]
    11[NET] received packet: from [public IP of Cisco][500] to x.x.48.78[500] (692 bytes)
    11[ENC] received fragment #2, reassembling fragmented IKE message
    11[IKE] INFORMATIONAL_V1 request with message ID 2181947022 processing failed
    11[IKE] ignore malformed INFORMATIONAL request
    11[IKE] integrity check failed
    11[ENC] could not decrypt payloads
    11[ENC] payload type FRAGMENT was not encrypted
    11[NET] received packet: from [public IP of Cisco][500] to x.x.48.78[500] (216 bytes)
    07[ENC] received fragment #1, waiting for complete IKE message
    07[IKE] INFORMATIONAL_V1 request with message ID 2181947022 processing failed
    07[IKE] ignore malformed INFORMATIONAL request
    07[IKE] integrity check failed
    07[ENC] could not decrypt payloads
    07[ENC] payload type FRAGMENT was not encrypted
    07[NET] received packet: from [public IP of Cisco][500] to x.x.48.78[500] (548 bytes)
    11[NET] sending packet: from x.x.48.78[500] to [public IP of Cisco][500] (176 bytes)
    11[NET] sending packet: from x.x.48.78[500] to [public IP of Cisco][500] (548 bytes)
    11[ENC] generating ID_PROT request 0 [ FRAG(2/2) ]
    11[ENC] generating ID_PROT request 0 [ FRAG(1) ]
    11[ENC] splitting IKE message with length of 652 bytes into 2 fragments
    11[ENC] generating QUICK_MODE request 2079340946 [ HASH SA No KE ID ID ]
    11[IKE] maximum IKE_SA lifetime 28698s
    11[IKE] scheduling reauthentication in 28158s
    11[IKE] IKE_SA con1000[16] established between x.x.48.78[x.x.48.78]…[public IP of Cisco][[public IP of Cisco]]
    11[IKE] received DPD vendor ID
    11[ENC] parsed ID_PROT response 0 [ ID HASH V ]
    11[NET] received packet: from [public IP of Cisco][500] to x.x.48.78[500] (84 bytes)
    11[NET] sending packet: from x.x.48.78[500] to [public IP of Cisco][500] (100 bytes)
    11[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    11[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
    11[ENC] received unknown vendor ID: 50:5e:26:5a:d5:6d:4e:bb:c0:33:d7:50:d5:f5:be:99
    11[IKE] received XAuth vendor ID
    11[IKE] received Cisco Unity vendor ID
    11[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    11[NET] received packet: from [public IP of Cisco][500] to x.x.48.78[500] (304 bytes)
    15[NET] sending packet: from x.x.48.78[500] to [public IP of Cisco][500] (244 bytes)
    15[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    15[IKE] received FRAGMENTATION vendor ID
    15[IKE] received NAT-T (RFC 3947) vendor ID
    15[ENC] parsed ID_PROT response 0 [ SA V V ]
    15[NET] received packet: from [public IP of Cisco][500] to x.x.48.78[500] (124 bytes)
    15[NET] sending packet: from x.x.48.78[500] to [public IP of Cisco][500] (176 bytes)
    15[ENC] generating ID_PROT request 0 [ SA V V V V V ]
    15[IKE] initiating Main Mode IKE_SA con1000[16] to [public IP of Cisco]

Leave a Reply

Your email address will not be published. Required fields are marked *

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING