I am not able to configure Site to Site VPN between PFSense to Cisco ASA 5520



  • Hello Team,

    We are trying to set up a site-to-site VPN between our office and the client's office.

    We have a pfSense firewall (SG-4860).

    The client has a Cisco firewall (ASA 5520).

    Below is the Phase 1 and Phase 2 tunnel setup:

    Key Exchange version = V1
    Internet Protocol = IPv4
    Interface = WAN
    Remote gateway = 80.227.XX.XXX

    Authentication method = Mutual PSK
    Negotiation mode = Main
    My identifier = My IP address
    Peer identifier = 192.168.3.2
    Pre-Shared Key = Pass@wword

    Encryption algorithm = AES 256bits
    Hash algorithm = SHA1
    DH key group = 2
    Lifetime = 86400

    Disable Rekey = unchecked
    Responder Only = unchecked
    NAT Traversal = Auto
    Dead Peer Detection = Enabled (10seconds/5retry)

    A static route was added between the public IPs and the client's internal IPs. We have also opened a firewall rule for all ports coming from the client's public IP.

    Please help us.

    I have attached screenshots of the logs and the VPN configuration from the pfSense firewall.

    Phase 2:
    Mode = Tunnel IPv4
    Local Network = 10.3.50.71/32
    Remote Network = 192.168.3.2/32

    Protocol = ESP
    Encryption algorithms = AES 256bits
    Hash algorithms = SHA1
    PFS key group = 2
    Lifetime = 86400

    ipseclogs
    Xerago_VPN_Config.txt
    pfsense_logs.txt



  • Please help me on this. Suggestions are always welcome, I need to deliver this by end of the day.

    Thanks in advance.


  • LAYER 8 Netgate

    Static route added between the public IPs and internal IPs of the client.

    What? You don't send IPsec traffic across a tunnel using static routes on either the ASA or pfSense. Any static routes you have added are wrong.

    You use access lists on crypto maps to create the traffic selectors on the ASA side.

    You use "Phase 2" entries to create the selectors on the pfSense side.



  • Hello Derelict,

    Yes, we already have the crypto map configured on the ASA. Please review the settings below.

    crypto map OUTSIDE_map 29 set peer xxx.xxx.xx.xxx
    group-policy GroupPolicy_xxx.xxx.xx.xxx internal
    group-policy GroupPolicy_xxx.xxx.xx.xxx attributes
    tunnel-group xxx.xxx.xx.xxx type ipsec-l2l
    tunnel-group xxx.xxx.xx.xxx general-attributes
    default-group-policy GroupPolicy_xxx.xxx.xx.xxx

    tunnel-group xxx.xxx.xx.xxx ipsec-attributes
    UAEDXBDICVPN# sh run | in crypto map OUTSIDE_map 29
    crypto map OUTSIDE_map 29 match address OUTSIDE_cryptomap_30
    crypto map OUTSIDE_map 29 set pfs
    crypto map OUTSIDE_map 29 set peer xxx.xxx.xx.xxx
    crypto map OUTSIDE_map 29 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map OUTSIDE_map 29 set security-association lifetime seconds 86400

    UAEDXBDICVPN# sh access-list | in OUTSIDE_cryptomap_30
    access-list OUTSIDE_cryptomap_30; 1 elements; name hash: 0x6e350e61
    access-list OUTSIDE_cryptomap_30 line 1 extended permit ip object 192.168.3.2 object 10.3.50.71 (hitcnt=0) 0xb9445711
      access-list OUTSIDE_cryptomap_30 line 1 extended permit ip host 192.168.3.2 host 10.3.50.71 (hitcnt=0) 0xb9445711


  • LAYER 8 Netgate

    So what static routes did you create on pfSense?

    What are the IKE policies in use on the ASA? They will look something like this (example for ikev2):

    crypto ikev2 policy 10
    encryption aes-256 aes-192 aes
    integrity sha512 sha384 sha256
    group 21 20 19 24 14
    prf sha512 sha384 sha256
    lifetime seconds 86400

    They are needed in order to create an IKE (Phase 1) that matches what is set there.



    This line in the IPsec log looks bad:

    Jan 4 22:15:07 charon 11[IKE] <con2000|152> IDir '213.132.56.218' does not match to '192.168.3.2'

    which is evidently a consequence of setting a private IP as the remote peer ID:

    Peer identifier = 192.168.3.2

    Probably, you need to set Peer identifier = 213.132.56.218
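    The two checks raised in this thread (does the peer identifier the ASA actually sends match the pfSense "Peer identifier", and do the pfSense Phase 2 selectors mirror the ASA crypto-map ACL) can be automated over the text of the pfSense IPsec log and the ASA `show access-list` output. The following is an added example, not code from the thread or from Netgate; the sample log and ACL lines are constructed from the values quoted above, and the function names are my own.

```python
import re
from ipaddress import ip_network

# Constructed sample of pfSense (strongSwan/charon) IPsec log lines, built from
# the line quoted in the thread. The middle line is the one that matters.
SAMPLE_LOG = """\
Jan 4 22:15:05 charon 11[IKE] <con2000|152> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 4 22:15:07 charon 11[IKE] <con2000|152> IDir '213.132.56.218' does not match to '192.168.3.2'
Jan 4 22:15:07 charon 11[IKE] <con2000|152> deleting IKE_SA con2000[152] between 10.3.50.71[10.3.50.71]...213.132.56.218[%any]
"""

# Constructed sample of the expanded ASA crypto-map ACL line from the thread.
ASA_ACL_LINE = ("access-list OUTSIDE_cryptomap_30 line 1 extended permit ip "
                "host 192.168.3.2 host 10.3.50.71 (hitcnt=0) 0xb9445711")

IDIR_RE = re.compile(r"IDir '(?P<received>[^']+)' does not match to '(?P<configured>[^']+)'")
ACL_RE = re.compile(r"permit ip host (?P<src>\S+) host (?P<dst>\S+)")


def find_peer_id_mismatches(log_text):
    """Return (received_id, configured_id) for every IDir mismatch in the log.

    received_id is the IKE identity the remote peer actually presented;
    configured_id is the pfSense 'Peer identifier' that failed to match it.
    With Mutual PSK the identity must match exactly, so the fix is to set the
    pfSense Peer identifier to received_id (or to 'Peer IP address')."""
    return [(m.group("received"), m.group("configured"))
            for line in log_text.splitlines()
            if (m := IDIR_RE.search(line))]


def parse_asa_acl(acl_line):
    """Extract (src_host, dst_host) from an ASA 'permit ip host A host B' line.

    On the ASA, src is the ASA-side (local) network and dst is the far-side
    (pfSense) network. Returns None for lines that are not host/host permits."""
    m = ACL_RE.search(acl_line)
    return (m.group("src"), m.group("dst")) if m else None


def selectors_mirror(pfsense_p2, asa_acl):
    """Check that the pfSense Phase 2 entry mirrors the ASA crypto-map ACL.

    pfsense_p2: (local_network, remote_network) as CIDR strings.
    asa_acl:    (src_host, dst_host) as returned by parse_asa_acl().
    A valid pair has ASA src == pfSense remote and ASA dst == pfSense local;
    anything else means the traffic selectors will not agree in Phase 2."""
    local, remote = (ip_network(n) for n in pfsense_p2)
    src, dst = (ip_network(h) for h in asa_acl)
    return src == remote and dst == local


if __name__ == "__main__":
    for received, configured in find_peer_id_mismatches(SAMPLE_LOG):
        print(f"Peer identifier is '{configured}' but the ASA identifies as "
              f"'{received}'; set Peer identifier = {received}")
    acl = parse_asa_acl(ASA_ACL_LINE)
    ok = selectors_mirror(("10.3.50.71/32", "192.168.3.2/32"), acl)
    print("Phase 2 selectors mirror the ASA ACL:", ok)
```

    Running it on the thread's own values reports the identifier mismatch and confirms the selectors are already mirrored, which narrows the problem to Phase 1 identity rather than traffic selection.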

