Replace Cisco Router's IPsec tunnel with pfSense Router's
I am replacing "My Cisco Router" with a pfSense Router.
However "My Host" accesses "Their Host" via an IPsec tunnel.
The relevant sections of the configuration of "My Cisco Router" look like this:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key SomeSecretKey! address 22.214.171.124
crypto isakmp key SomeSecretKey! address 126.96.36.199
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto map THEVPNMAP 1 ipsec-isakmp
 description The VPN Tunnel to OtherPlace
 set peer 188.8.131.52
 set peer 184.108.40.206
 set transform-set AES256
 set pfs group2
 match address VPNTUNNELACL
 reverse-route
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
interface FastEthernet4
 description THE_WAN
 ip address 220.127.116.11 255.255.255.224
 ip access-group FIREWALLACL in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 snmp trap ip verify drop-rate
 crypto map THEVPNMAP
 hold-queue 32 in
!
interface Vlan1
 description Internal LAN Gateway
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 32 in
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 18.104.22.168
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static 10.10.10.15 22.214.171.124
!
ip access-list extended FIREWALLACL
 permit icmp any any
 permit tcp any any eq 22
 permit tcp any any eq telnet
 permit esp host 126.96.36.199 host 188.8.131.52
 permit udp host 184.108.40.206 host 220.127.116.11 eq isakmp
 permit udp host 18.104.22.168 host 22.214.171.124 eq non500-isakmp
 permit icmp 126.96.36.199 0.0.0.127 host 188.8.131.52 echo
 permit esp 184.108.40.206 0.0.255.255 host 220.127.116.11
 permit udp 18.104.22.168 0.0.255.255 host 22.214.171.124 eq isakmp
 permit udp 126.96.36.199 0.0.255.255 host 188.8.131.52 eq non500-isakmp
 permit icmp 184.108.40.206 0.0.255.255 host 220.127.116.11 echo
 permit icmp any host 18.104.22.168 echo-reply
 permit icmp any host 22.214.171.124 time-exceeded
 permit icmp any host 126.96.36.199 unreachable
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip any any
ip access-list extended VPNTUNNELACL
 permit ip host 188.8.131.52 184.108.40.206 0.0.0.255
!
access-list 23 permit 0.0.0.0
access-list 23 permit any
no cdp run
!
end
I have been working on replacing "My Cisco Router" with "My pfSense Router" and I was actually able to create the Phase 1 and Phase 2 components. Status -> IPsec shows ESTABLISHED in green as well as a child entry.
To get the Phase 2 (child entry) working I had to use the following:
Local Network of 10.10.10.1/32
NAT/BINAT translation: 220.127.116.11/32
Remote Network: 18.104.22.168/24
I had to use the translation option with 22.214.171.124, as I have no control over the remote site and this is what they expect.
*Note: at this point all I have been trying to do is see if I can successfully ping "Their Host" (126.96.36.199) from the pfSense router (10.10.10.1). Eventually I will need to be able to ping from 10.10.10.15.
However, all my attempts to ping or traceroute to 188.8.131.52 from a shell terminal do not seem to work.
I am confused as to what the appropriate configuration on the pfSense router should be to replicate the functionality of "My Cisco Router". Do I need to do something else (NAT things, rules, virtual IPs, etc.)? Routing through the tunnel does not seem to work.
Any help would be very much appreciated.
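Whether a packet enters an IPsec tunnel is decided by the Phase 2 traffic selectors, not by the routing table, and on pfSense the NAT/BINAT translation is applied to the local address before the selector is evaluated on the wire. The model below is an added example (not pfSense or Cisco code) that reproduces that rule logic for the Phase 2 values quoted in this post (local 10.10.10.1/32, NAT/BINAT 220.127.116.11/32, remote 18.104.22.168/24) so that the three test pings discussed here can be compared. The WAN address 203.0.113.10 and the remote host address are constructed placeholders, since the addresses in the post are anonymised; the many-to-one behaviour for a single translation address with a subnet local network is pfSense's documented behaviour, assumed here rather than taken from the post.

```python
"""Model of pfSense IPsec Phase 2 selector matching with NAT/BINAT.

Added example; it imitates the rule logic only and talks to no tunnel.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    local: IPv4Network                    # "Local Network" field
    remote: IPv4Network                   # "Remote Network" field
    binat: Optional[IPv4Network] = None   # "NAT/BINAT translation" field

    def translate(self, src: IPv4Address) -> IPv4Address:
        """Address the remote side sees for a packet sourced from `src`."""
        if self.binat is None:
            return src
        if self.binat.prefixlen == 32 and self.local.prefixlen < 32:
            # Subnet local network with a single translation address:
            # pfSense treats this as many-to-one NAT (assumed behaviour).
            return self.binat.network_address
        # Same-size networks: 1:1 BINAT, host offset preserved.
        offset = int(src) - int(self.local.network_address)
        return IPv4Address(int(self.binat.network_address) + offset)

    def select(self, src: IPv4Address, dst: IPv4Address
               ) -> Optional[Tuple[IPv4Address, IPv4Address]]:
        """(translated_src, dst) if the packet is encapsulated, else None.

        A packet whose source is outside `local` never matches, whatever
        the routing table says: it leaves in the clear via the default route.
        """
        if src in self.local and dst in self.remote:
            return (self.translate(src), dst)
        return None


# Constructed placeholders (the post's addresses are anonymised).
WAN = ip_address("203.0.113.10")          # hypothetical pfSense WAN address
LAN = ip_network("10.10.10.0/24")         # Vlan1 subnet from the Cisco config
THEIR_HOST = ip_address("18.104.22.168")  # a host inside the post's remote /24


def default_ping_source(dst: IPv4Address) -> IPv4Address:
    """Source address a plain `ping` from the pfSense shell would pick.

    FreeBSD takes the address of the interface that routes to `dst`; for an
    off-subnet destination that is the WAN address, not the LAN address.
    """
    return ip_address("10.10.10.1") if dst in LAN else WAN


# Phase 2 exactly as described in the post.
P2_AS_POSTED = Phase2(local=ip_network("10.10.10.1/32"),
                      remote=ip_network("18.104.22.168/24", strict=False),
                      binat=ip_network("220.127.116.11/32"))

# Phase 2 with the local network widened to the whole LAN, as the reply
# suggests, so that 10.10.10.15 can also use the tunnel.
P2_WHOLE_LAN = Phase2(local=LAN,
                      remote=ip_network("18.104.22.168/24", strict=False),
                      binat=ip_network("220.127.116.11/32"))


def shell_ping_enters_tunnel(p2: Phase2, dst: IPv4Address,
                             src: Optional[IPv4Address] = None) -> bool:
    """True if a shell ping (optionally with an explicit -S source) is encapsulated."""
    return p2.select(src or default_ping_source(dst), dst) is not None


if __name__ == "__main__":
    cases = [
        ("plain ping from shell", P2_AS_POSTED, None),
        ("ping -S 10.10.10.1", P2_AS_POSTED, ip_address("10.10.10.1")),
        ("from 10.10.10.15, local /32", P2_AS_POSTED, ip_address("10.10.10.15")),
        ("from 10.10.10.15, local /24", P2_WHOLE_LAN, ip_address("10.10.10.15")),
    ]
    for label, p2, src in cases:
        result = p2.select(src or default_ping_source(THEIR_HOST), THEIR_HOST)
        print(f"{label:30s} -> {'tunnel as ' + str(result[0]) if result else 'NOT in tunnel'}")
```

Run it and the first case shows why a plain ping from the shell bypasses the tunnel: the default source is the WAN address, which is not inside the 10.10.10.1/32 local network. On FreeBSD the source can be forced with ping -S 10.10.10.1 followed by the remote address, which is the second case; that packet is translated to 220.127.116.11 before encapsulation, matching what the Cisco config did with its static NAT of 10.10.10.15 to the WAN address plus a VPNTUNNELACL that only encrypted traffic already carrying that address.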
Local network (phase 2): 10.10.10.0/24
Thanks for the reply.
Yes, for the time being I am trying to ping from the pfSense router itself. Also, as I am given a single IP Address to use (184.108.40.206) I am assuming it is being translated to 10.10.10.1. This way I can perform test pings from the router's shell.
*Minor update to the diagram
"Not My Cisco Router 2" had IP address 220.127.116.11 instead of IP address 18.104.22.168 on the original post's diagram. I do not think that this changes my questions.
The original diagram represents what is actually working using Cisco hardware.
The following diagram is what I am presently doing:
I am basically trying to replace "My Cisco Router".
I have a working IPsec tunnel between LANs 10.10.10.0/24 and 10.10.20.0/24. I did this to test whether an IPsec VPN between two pfSense routers would work as expected and, second, to check the configuration on "My pfSense Router". I can report that at least the tunnel between my pfSense routers works.