IPsec between pfSense and Cisco IOS

From PFSenseDocs

This page describes how to configure IPsec to connect pfSense and a Cisco IOS router with IPsec capabilities.

Contents 1 Example Network 2 Configuring the router 3 Configuring pfSense 4 Testing the connection 5 Troubleshooting 5.1 "No NAT" List on Cisco IOS

Example Network

This diagram shows the specifics of the network where this VPN is being configured. For the sake of this documentation, both hosts were on private subnets, but functionally equivalent to two hosts across the Internet.

Configuring the router

First, configure the phase 1 settings with a crypto isakmp policy. The following sets it for 3DES, SHA and group 2 to match the pfSense configuration shown later.

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

Next, configure the pre-shared key. The key in this example is ABCDEFG, but ensure you use something random and secure for any production deployments. 10.0.66.22 is the WAN IP of the pfSense system being used.

crypto isakmp key ABCDEFG address 10.0.66.22 no-xauth

Next configure the transform set for phase 2. This uses ESP, 3DES and SHA. The transform set is named 3DES-SHA, which is how it will be referred to later.

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

Now configure an access list that will match the local and remote subnets on the pfSense end. This is configured as access-list 100, which will be used in the next step. Remember this uses wildcard masks, so a /24 network (255.255.255.0 mask) is represented as 0.0.0.255.

access-list 100 permit ip 192.168.11.0 0.0.0.255 172.26.5.0 0.0.0.255
access-list 100 permit ip 172.26.5.0 0.0.0.255 192.168.11.0 0.0.0.255

Now configure the crypto map for this VPN.

crypto map PFSVPN 15 ipsec-isakmp
 set peer 10.0.66.22
 set transform-set 3DES-SHA
 set pfs group2
 match address 100

Lastly, under the interface configuration for the interface where the VPN will terminate (the one with the public IP), assign the crypto map.

interface FastEthernet0/0
crypto map PFSVPN

The configuration is then finished on the Cisco side.

Configuring pfSense

This screenshot shows the pfSense configuration matching the above Cisco configuration.

Testing the connection

To test the connection, you can browse to Diagnostics -> Ping on pfSense, enter an IP on the remote network, choose the LAN interface, and click Ping. The initial negotiation may make all three of the first pings timeout, so try it a second time as well. If configured as depicted above, you will see:

Troubleshooting

If the connection doesn't come up, you have a mismatch somewhere in your configuration. Depending on specifics, you may get more useful information from pfSense or the Cisco. Checking logs on both ends is recommended. For pfSense, browse to Status -> System logs and click the IPsec tab. For Cisco, run 'debug crypto isakmp' and 'term mon' (if not connected via serial console) to make the debug messages appear in your session. The output can be verbose, but will usually tell you pretty specifically what was mismatched.

"No NAT" List on Cisco IOS

You may also need to tell Cisco IOS not to NAT the traffic that is destined for the IPsec tunnel. There are several ways to accomplish this, depending on how your router has NAT configured. If the following example does not help, there are several examples that turn up in a Google search for "cisco ios nonat ipsec"

ip nat inside source route-map NONAT interface FastEthernet0/0 overload
access-list 110 deny   ip 172.26.5.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 110 permit ip 172.26.5.0 0.0.0.255 any
route map NONAT permit 10
 match ip address 110

This will direct the router to prevent NAT if the traffic is going from the subnet behind the Cisco router to the subnet behind the pfSense router, but allow it in all other cases.

This article is part of the HOWTO series.