
IPsec between pfSense and Cisco IOS

From PFSenseDocs


This page describes how to configure IPsec to connect pfSense and a Cisco IOS router with IPsec capabilities.

Example Network

This diagram shows the specifics of the network where this VPN is being configured. For the sake of this documentation, both hosts were on private subnets, but this is functionally equivalent to two hosts connected across the Internet.


Configuring the router

First, configure the phase 1 settings with a crypto isakmp policy. The following sets it for 3DES, SHA and group 2 to match the pfSense configuration shown later.

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

Next, configure the pre-shared key. The key in this example is ABCDEFG, but be sure to use something random and secure for any production deployments. is the WAN IP of the pfSense system being used.

crypto isakmp key ABCDEFG address no-xauth

Next configure the transform set for phase 2. This uses ESP, 3DES and SHA. The transform set is named 3DES-SHA, which is how it will be referred to later.

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

Now configure an access list that will match the local and remote subnets on the pfSense end. This is configured as access-list 100, which will be used in the next step. Remember this uses wildcard masks, so a /24 network ( mask) is represented as

access-list 100 permit ip
access-list 100 permit ip

Now configure the crypto map for this VPN.

crypto map PFSVPN 15 ipsec-isakmp
 set peer
 set transform-set 3DES-SHA
 set pfs group2
 match address 100

Lastly, under the interface configuration for the interface where the VPN will terminate (the one with the public IP), assign the crypto map.

interface FastEthernet0/0
 crypto map PFSVPN

The configuration is then finished on the Cisco side.

Configuring pfSense

This screenshot shows the pfSense configuration matching the above Cisco configuration.

In the above example, the pfSense IPsec tunnel should be set as follows:

Phase 1:

Remote Gateway:
Authentication Method: Pre-Shared Key
Negotiation Mode: Main
My Identifier: My IP Address
Pre-Shared Key: ABCDEFG
Encryption Algorithm: 3DES
Hash Algorithm: SHA1
DH Key Group: 2
Lifetime: 28800
NAT Traversal: Disable

It may also be advisable to set Proposal Checking to Obey to avoid some issues with building a tunnel when the other side initiates.

Phase 2:

Mode: Tunnel IPv4
Local Network: LAN Subnet
Remote Network:
Protocol: ESP
Encryption Algorithm: 3DES (others may also be checked, but be sure to leave 3DES checked)
Hash Algorithm: SHA1
PFS Key Group: 2
Lifetime: 3600

Testing the connection

To test the connection, from pfSense, do the following:

  • Navigate to Diagnostics > Ping
  • Enter an IP address on the remote network
  • Choose the LAN interface
  • Click Ping.

The initial negotiation may cause all three of the first pings to time out, so try it a second time as well. If configured as depicted above, once the tunnel connects, the following will be seen:



If the connection doesn't come up, there is a mismatch somewhere in the configuration. Depending on the specifics, more useful information may be obtained from either pfSense or the Cisco router, so checking the logs on both ends is recommended. For pfSense, browse to Status > System Logs on the IPsec tab. On the Cisco, run debug crypto isakmp and, if not connected via the serial console, term mon (terminal monitor) so the debug messages appear in the current session. The output can be verbose, but it will usually say specifically which setting was mismatched.
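Most tunnel failures of the kind described above are a phase 1 or phase 2 parameter that differs between the two ends, or a crypto ACL whose networks do not line up with the pfSense Local/Remote Network fields. As an added consistency check (example code written for this page, not part of the pfSense documentation, of pfSense, or of Cisco IOS), the script below parses the Cisco side's isakmp policy, pre-shared key, transform set, crypto map and crypto ACL, converts IOS wildcard masks to CIDR and back, and compares the result with the pfSense phase 1 / phase 2 values listed above. The IP addresses in the embedded sample config are constructed placeholders (RFC 5737 and RFC 1918 ranges), not the page's own addresses, and the keyword tables cover only the algorithms the page uses plus a few common ones.

```python
import ipaddress

# Constructed sample IOS snippet following the page's example. The IP addresses
# are placeholders (RFC 5737 / RFC 1918), not values taken from the page.
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ABCDEFG address 198.51.100.2 no-xauth
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map PFSVPN 15 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set 3DES-SHA
 set pfs group2
 match address 100
"""

# The pfSense tunnel settings from the page, using the same placeholder networks.
PFSENSE = {
    "phase1": {"auth": "Pre-Shared Key", "psk": "ABCDEFG", "encryption": "3DES",
               "hash": "SHA1", "dh_group": 2},
    "phase2": {"protocol": "ESP", "encryption": "3DES", "hash": "SHA1", "pfs_group": 2,
               "local_network": "192.168.1.0/24", "remote_network": "10.0.0.0/24"},
}

# IOS keyword -> name as shown in the pfSense GUI. IOS uses SHA when no "hash" line is given.
ISAKMP_ENCR = {"des": "DES", "3des": "3DES", "aes": "AES"}
ISAKMP_HASH = {"md5": "MD5", "sha": "SHA1"}
ISAKMP_AUTH = {"pre-share": "Pre-Shared Key", "rsa-sig": "RSA Signature"}
ESP_ENCR = {"esp-des": "DES", "esp-3des": "3DES", "esp-aes": "AES"}
ESP_HASH = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA1"}


def wildcard_to_cidr(address: str, wildcard: str) -> str:
    """IOS 'address wildcard' pair (10.0.0.0 0.0.0.255) -> CIDR string (10.0.0.0/24)."""
    return str(ipaddress.ip_network(f"{address}/{wildcard}"))


def cidr_to_wildcard(cidr: str) -> str:
    """CIDR network -> 'address wildcard' pair as written in an IOS access-list."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"


def acl_line(number: int, local: str, remote: str) -> str:
    """Build the crypto ACL entry for a local -> remote pair, both given in CIDR form."""
    return f"access-list {number} permit ip {cidr_to_wildcard(local)} {cidr_to_wildcard(remote)}"


def parse_cisco(config: str) -> dict:
    """Pull the phase 1 / phase 2 parameters out of an IOS config, expressed in pfSense terms."""
    out = {"phase1": {"hash": "SHA1"}, "phase2": {}, "transform_sets": {}, "acls": {}}
    section = None
    for line in config.splitlines():
        if not line.strip():
            continue
        words = line.split()
        if not line.startswith(" "):  # top-level command: starts a new section
            section = None
            if words[:3] == ["crypto", "isakmp", "policy"]:
                section = "isakmp"
            elif words[:3] == ["crypto", "isakmp", "key"]:
                out["phase1"]["psk"], out["phase1"]["peer"] = words[3], words[5]
            elif words[:3] == ["crypto", "ipsec", "transform-set"]:
                out["transform_sets"][words[3]] = words[4:]
            elif words[0] == "access-list" and words[2:4] == ["permit", "ip"]:
                out["acls"].setdefault(words[1], []).append(
                    (wildcard_to_cidr(words[4], words[5]), wildcard_to_cidr(words[6], words[7])))
            elif words[:2] == ["crypto", "map"] and "ipsec-isakmp" in words:
                section = "map"
            continue
        if section == "isakmp":
            key, value = words[0], " ".join(words[1:])
            if key == "encr":
                out["phase1"]["encryption"] = ISAKMP_ENCR[value.split()[0]]
            elif key == "hash":
                out["phase1"]["hash"] = ISAKMP_HASH[value]
            elif key == "group":
                out["phase1"]["dh_group"] = int(value)
            elif key == "authentication":
                out["phase1"]["auth"] = ISAKMP_AUTH[value]
        elif section == "map":
            if words[:2] == ["set", "transform-set"]:
                out["phase2"]["transform_set"] = words[2]
            elif words[:2] == ["set", "pfs"]:
                out["phase2"]["pfs_group"] = int(words[2].removeprefix("group"))
            elif words[:2] == ["match", "address"]:
                out["phase2"]["acl"] = words[2]
    # Resolve the transform set and ACL that the crypto map refers to by name.
    ts = out["transform_sets"][out["phase2"]["transform_set"]]
    out["phase2"]["protocol"] = "ESP" if any(t.startswith("esp-") for t in ts) else "AH"
    out["phase2"]["encryption"] = next(ESP_ENCR[t] for t in ts if t in ESP_ENCR)
    out["phase2"]["hash"] = next(ESP_HASH[t] for t in ts if t in ESP_HASH)
    out["phase2"]["networks"] = out["acls"][out["phase2"]["acl"]]
    return out


def find_mismatches(cisco: dict, pfsense: dict) -> list:
    """Report every phase 1 / phase 2 setting that differs between the two ends."""
    problems = []
    for phase, fields in (("phase1", ("auth", "psk", "encryption", "hash", "dh_group")),
                          ("phase2", ("protocol", "encryption", "hash", "pfs_group"))):
        for field in fields:
            c, p = cisco[phase].get(field), pfsense[phase].get(field)
            if c != p:
                problems.append(f"{phase} {field}: cisco={c!r} pfsense={p!r}")
    # The crypto ACL is written from the Cisco side, so its source is pfSense's Remote Network.
    expected = (pfsense["phase2"]["remote_network"], pfsense["phase2"]["local_network"])
    if expected not in cisco["phase2"]["networks"]:
        problems.append(f"phase2 networks: crypto ACL lacks {expected[0]} -> {expected[1]}")
    return problems


if __name__ == "__main__":
    print(find_mismatches(parse_cisco(CISCO_CONFIG), PFSENSE) or "no mismatches found")
```

With the sample config the check reports nothing; change one value on either side (for instance the PFS group in the crypto map) and the offending field is named, which is the same information the debug output eventually gives but without bringing the tunnel up.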

"No NAT" List on Cisco IOS

It may also be necessary to tell Cisco IOS not to NAT the traffic that is destined for the IPsec tunnel. There are several ways to accomplish this, depending on how the router has NAT configured. If the following example does not help, several other examples turn up in a Google search for "cisco ios nonat ipsec".

ip nat inside source route-map NONAT interface FastEthernet0/0 overload
access-list 110 deny   ip
access-list 110 permit ip any
route-map NONAT permit 10
 match ip address 110

This will direct the router to prevent NAT if the traffic is going from the subnet behind the Cisco router to the subnet behind the pfSense router, but allow it in all other cases.
