Netgate Discussion Forum
    I am not able to configure Site to Site VPN between PFSense to Cisco ASA 5520

Category: IPsec
6 Posts, 3 Posters, 2.1k Views
sachin_shetty:

      Hello Team,

We are trying to set up a site-to-site VPN between our office and the client's office.

We have a pfSense firewall (SG-4860).

The client has a Cisco firewall (ASA 5520).

Below is the Phase 1 and Phase 2 tunnel setup:

      Key Exchange version = V1
      Internet Protocol = IPv4
      Interface = WAN
      Remote gateway = 80.227.XX.XXX

      Authentication method = Mutual PSK
      Negotiation mode = Main
      My identifier = My IP address
      Peer identifier = 192.168.3.2
      Pre-Shared Key = Pass@wword

      Encryption algorithm = AES 256bits
      Hash algorithm = SHA1
      DH key group = 2
      Lifetime = 86400

      Disable Rekey = unchecked
      Responder Only = unchecked
      NAT Traversal = Auto
      Dead Peer Detection = Enabled (10seconds/5retry)

A static route has been added between the public IPs and the client's internal IPs. Also, we have opened a firewall rule for all ports from the client's public IP.

      Please help us.

I have attached the screenshots of the logs and the VPN configuration from the pfSense firewall.

      Phase 2:
      Mode = Tunnel IPv4
      Local Network = 10.3.50.71/32
      Remote Network = 192.168.3.2/32

      Protocol = ESP
      Encryption algorithms = AES 256bits
      Hash algorithms = SHA1
      PFS key group = 2
      Lifetime = 86400

Attachments: ipseclogs, Xerago_VPN_Config.txt, pfsense_logs.txt
sachin_shetty:

        Please help me on this. Suggestions are always welcome, I need to deliver this by end of the day.

        Thanks in advance.

Derelict (LAYER 8, Netgate):

          Static route added between the Public IPS and internal IP's of the client.

          What? You don't send IPsec traffic across a tunnel using static routes on either the ASA or pfSense. Any static routes you have added are wrong.

          You use access lists on crypto maps to create the traffic selectors on the ASA side.

          You use "Phase 2" entries to create the selectors on the pfSense side.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

sachin_shetty:

            Hello Derelict,

Yes, we already have the crypto map configured in the ASA. Please review the settings below.

            crypto map OUTSIDE_map 29 set peer xxx.xxx.xx.xxx
            group-policy GroupPolicy_xxx.xxx.xx.xxx internal
            group-policy GroupPolicy_xxx.xxx.xx.xxx attributes
            tunnel-group xxx.xxx.xx.xxx type ipsec-l2l
            tunnel-group xxx.xxx.xx.xxx general-attributes
            default-group-policy GroupPolicy_xxx.xxx.xx.xxx

            tunnel-group xxx.xxx.xx.xxx ipsec-attributes
            UAEDXBDICVPN# sh run | in crypto map OUTSIDE_map 29
            crypto map OUTSIDE_map 29 match address OUTSIDE_cryptomap_30
            crypto map OUTSIDE_map 29 set pfs
            crypto map OUTSIDE_map 29 set peer xxx.xxx.xx.xxx
            crypto map OUTSIDE_map 29 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
            crypto map OUTSIDE_map 29 set security-association lifetime seconds 86400

            UAEDXBDICVPN# sh access-list | in OUTSIDE_cryptomap_30
            access-list OUTSIDE_cryptomap_30; 1 elements; name hash: 0x6e350e61
            access-list OUTSIDE_cryptomap_30 line 1 extended permit ip object 192.168.3.2 object 10.3.50.71 (hitcnt=0) 0xb9445711
              access-list OUTSIDE_cryptomap_30 line 1 extended permit ip host 192.168.3.2 host 10.3.50.71 (hitcnt=0) 0xb9445711

Derelict (LAYER 8, Netgate):

              So what static routes did you create on pfSense?

              What are the IKE policies in use on the ASA? They will look something like this (example for ikev2):

              crypto ikev2 policy 10
              encryption aes-256 aes-192 aes
              integrity sha512 sha384 sha256
              group 21 20 19 24 14
              prf sha512 sha384 sha256
              lifetime seconds 86400

              They are needed in order to create an IKE (Phase 1) that matches what is set there.

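Derelict's point is that the tunnel only comes up if the ASA's IKEv1 policies and crypto-map transform sets contain proposals that equal what pfSense sends in Phase 1 and Phase 2. The following is an added example (not code from the thread, pfSense or Cisco) that parses an ASA running-config excerpt and checks it against the pfSense proposals posted above. The `crypto ikev1 policy` and `transform-set` definitions in the sample config are constructed, since the thread only quotes the crypto map lines; treating a bare `set pfs` as group 2 is the ASA default as I understand it and is marked as an assumption in the code.

```python
import re
from typing import Dict, List, Tuple

Enc = Tuple[str, int]  # (cipher, key bits)

# pfSense Phase 1 / Phase 2 proposals exactly as posted in the thread.
PFSENSE_P1 = {"enc": ("aes", 256), "hash": "sha1", "dh": 2, "lifetime": 86400}
PFSENSE_P2 = {"enc": ("aes", 256), "hash": "sha1", "pfs": 2, "lifetime": 86400}

# Constructed ASA excerpt. The ikev1 policy and transform-set definitions are
# hypothetical sample data; the crypto map lines mirror the ones quoted above
# (peer address replaced by a documentation address).
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_map 29 match address OUTSIDE_cryptomap_30
crypto map OUTSIDE_map 29 set pfs
crypto map OUTSIDE_map 29 set peer 203.0.113.10
crypto map OUTSIDE_map 29 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map OUTSIDE_map 29 set security-association lifetime seconds 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# ASA keyword -> normalised algorithm, shared by IKE policies and ESP transforms.
_ENC = {"des": ("des", 56), "3des": ("3des", 168), "aes": ("aes", 128),
        "aes-192": ("aes", 192), "aes-256": ("aes", 256)}
_HASH = {"sha": "sha1", "md5": "md5"}


def _enc(token: str) -> Enc:
    t = token.lower()
    return _ENC[t[4:] if t.startswith("esp-") else t]


def _hash(token: str) -> str:
    t = token.lower()
    if t.startswith("esp-"):
        t = t[4:]
    if t.endswith("-hmac"):
        t = t[:-5]
    return _HASH[t]


def parse_asa(cfg: str) -> dict:
    """Pull ikev1 policies, transform-sets and the crypto-map proposal data out of show-run text."""
    policies: Dict[int, dict] = {}
    tsets: Dict[str, Tuple[Enc, str]] = {}
    cmap: dict = {"transform_sets": [], "pfs": None, "lifetime": None}
    cur = None  # policy body currently being read (indented lines)
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            cur = policies.setdefault(int(m.group(1)), {})
            continue
        if line.startswith(" ") and cur is not None:
            key, _, val = line.strip().partition(" ")
            if key == "encryption":
                cur["enc"] = _enc(val)
            elif key == "hash":
                cur["hash"] = _hash(val)
            elif key == "group":
                cur["dh"] = int(val)
            elif key == "lifetime":
                cur["lifetime"] = int(val)
            elif key == "authentication":
                cur["auth"] = val
            continue
        cur = None  # any unindented line ends the policy body
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$", line)
        if m:
            tsets[m.group(1)] = (_enc(m.group(2)), _hash(m.group(3)))
            continue
        m = re.match(r"crypto map \S+ \d+ set ikev1 transform-set (.+)$", line)
        if m:
            cmap["transform_sets"] = m.group(1).split()
            continue
        m = re.match(r"crypto map \S+ \d+ set pfs(?: group(\d+))?$", line)
        if m:
            # Assumption: a bare 'set pfs' means DH group 2 on the ASA.
            cmap["pfs"] = int(m.group(1)) if m.group(1) else 2
            continue
        m = re.match(r"crypto map \S+ \d+ set security-association lifetime seconds (\d+)$", line)
        if m:
            cmap["lifetime"] = int(m.group(1))
    return {"policies": policies, "transform_sets": tsets, "crypto_map": cmap}


def check_proposals(cfg: str, p1: dict = PFSENSE_P1, p2: dict = PFSENSE_P2) -> List[str]:
    """Return a list of mismatches; an empty list means the proposals intersect."""
    asa = parse_asa(cfg)
    findings: List[str] = []
    # Phase 1: the ASA needs one policy whose cipher, hash and DH group all equal
    # the single proposal pfSense sends. (Lifetime differences are negotiated
    # down in IKEv1 rather than rejected, so they are not flagged here.)
    matching = [n for n, pol in sorted(asa["policies"].items())
                if pol.get("enc") == p1["enc"] and pol.get("hash") == p1["hash"]
                and pol.get("dh") == p1["dh"]]
    if not matching:
        have = ", ".join(f"{n}: {pol.get('enc')}/{pol.get('hash')}/group {pol.get('dh')}"
                         for n, pol in sorted(asa["policies"].items()))
        findings.append(f"Phase 1: no ikev1 policy offers {p1['enc'][0]}-{p1['enc'][1]}/"
                        f"{p1['hash']}/group {p1['dh']}; ASA has [{have}]")
    # Phase 2: the crypto map's transform-set list must contain the ESP proposal.
    offered = [asa["transform_sets"][n] for n in asa["crypto_map"]["transform_sets"]
               if n in asa["transform_sets"]]
    if (p2["enc"], p2["hash"]) not in offered:
        findings.append(f"Phase 2: crypto map offers none of esp-{p2['enc'][0]}-{p2['enc'][1]}/"
                        f"{p2['hash']}; offered {offered}")
    if asa["crypto_map"]["pfs"] != p2["pfs"]:
        findings.append(f"Phase 2: PFS group mismatch, pfSense {p2['pfs']} vs ASA {asa['crypto_map']['pfs']}")
    return findings


if __name__ == "__main__":
    for f in check_proposals(ASA_CONFIG) or ["proposals are compatible"]:
        print(f)
```

With the sample config the Phase 2 side is fine (ESP-AES-256-SHA is on the map and PFS is group 2) but no Phase 1 policy has AES-256/SHA1/group 2, which is exactly the class of mismatch Derelict is asking the poster to rule out by pasting the ASA's IKE policies.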
vladimirlind:

This line in the IPsec log looks bad:

Jan 4 22:15:07 charon 11[IKE] <con2000|152> IDir '213.132.56.218' does not match to '192.168.3.2'

which is evidently a consequence of setting a private IP as the remote peer ID:

                Peer identifier = 192.168.3.2

                Probably, you need to set Peer identifier = 213.132.56.218

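The IDir line vladimirlind quotes is one of a handful of charon messages that pinpoint which Phase 1 setting is wrong. As an added example (not part of the thread and not strongSwan or pfSense code), the following parses charon log lines in the format shown above and maps the recognisable failure messages to a hint. The sample log is constructed; only the IDir line mirrors the one quoted in the thread, the other connections and addresses are made up.

```python
import re
from typing import List

# Constructed sample in the pfSense/charon format seen above. Only the IDir
# line mirrors the thread; con1000/con3000 and 198.51.100.5 are made up.
SAMPLE_LOG = """\
Jan 4 22:15:05 charon 11[IKE] <con2000|152> initiating Main Mode IKE_SA con2000[152] to 213.132.56.218
Jan 4 22:15:05 charon 11[NET] <con2000|152> sending packet: from 198.51.100.5[500] to 213.132.56.218[500] (180 bytes)
Jan 4 22:15:07 charon 11[IKE] <con2000|152> IDir '213.132.56.218' does not match to '192.168.3.2'
Jan 4 22:15:11 charon 12[IKE] <con2000|152> retransmit 1 of request with message ID 0
Jan 4 22:15:12 charon 13[IKE] <con1000|7> IKE_SA con1000[7] established between 198.51.100.5[198.51.100.5]...203.0.113.20[203.0.113.20]
Jan 4 22:15:20 charon 14[IKE] <con3000|9> no matching proposal found, sending NO_PROPOSAL_CHOSEN
"""

# "<timestamp> charon <thread>[<group>] <conn|sa> <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+\[(?P<group>\w+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)

# (pattern over the message, short code, hint template). Named groups in the
# pattern are substituted into the hint.
RULES = [
    (re.compile(r"IDir '(?P<got>[^']+)' does not match to '(?P<want>[^']+)'"),
     "peer-id",
     "peer identified itself as {got} but Phase 1 'Peer identifier' is {want}; "
     "set Peer identifier to {got} (or to whatever ID the peer is configured to send)"),
    (re.compile(r"no matching proposal found, sending NO_PROPOSAL_CHOSEN"),
     "no-proposal",
     "the peer's proposal matched none of ours; compare cipher/hash/DH group on both sides"),
    (re.compile(r"received NO_PROPOSAL_CHOSEN error notify"),
     "no-proposal",
     "the peer rejected our proposal; compare cipher/hash/DH group on both sides"),
    (re.compile(r"retransmit \d+ of request"),
     "no-reply",
     "no answer from the peer; check UDP 500/4500 and ESP reachability, or a PSK/ID mismatch on the far side"),
]


def triage(log_text: str) -> List[dict]:
    """Return one finding per log line that matches a known failure signature."""
    findings: List[dict] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for pattern, code, hint in RULES:
            pm = pattern.search(m.group("msg"))
            if pm:
                findings.append({
                    "ts": m.group("ts"),
                    "conn": m.group("conn"),
                    "sa": int(m.group("sa")),
                    "code": code,
                    "hint": hint.format(**pm.groupdict()),
                })
                break
    return findings


def first_cause(log_text: str, conn: str) -> str:
    """The earliest finding for a connection is usually the real cause; later ones are fallout."""
    for f in triage(log_text):
        if f["conn"] == conn:
            return f["code"]
    return "none"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['conn']}[{f['sa']}] {f['code']}: {f['hint']}")
```

For con2000 the first finding is the peer-id mismatch, and the retransmit that follows it is a consequence, not a separate problem; that is why reading the log in order matters more than grepping for "retransmit".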
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.