Netgate Discussion Forum
    Site to Site IPSEC - Please Help

    IPsec
    stevog

      Hello, I'm looking for some assistance if anyone would be so kind. I'm pretty much a novice when it comes to configuring IPSEC tunnels, so as much detail as possible would be appreciated.

      Here's the scenario:
      I have a vendor that I need to establish an IPSEC tunnel to for monitoring capabilities, etc. I already have this tunnel established via a CISCO ASA 5505 (their endpoint is also a Cisco device). My problem is that I want to transition this from the Cisco ASA and kind of consolidate things on my pfSense box (version 2.0.2-RC1). I've set other IPSEC tunnels up on the pfSense box with no issues. This one is a little different, however, as the vendor only wants to see 2 of our local IPs (the two servers they need access to), instead of a full subnet. Needless to say, I didn't have much success getting this going and had to revert back to the ASA5505 for the time being. I'm kind of assuming this has to be accomplished via NAT… not sure where to get started, however. Here's my running config from the ASA5505:

      ===================
      interface Vlan1
      nameif inside
      security-level 100
      ip address 10.0.0.6 255.255.255.0
      interface Vlan2
      nameif outside
      security-level 0
      ip address dhcp setroute
      interface Ethernet0/0
      switchport access vlan 2
      interface Ethernet0/1
      interface Ethernet0/2
      interface Ethernet0/3
      interface Ethernet0/4
      interface Ethernet0/5
      interface Ethernet0/6
      interface Ethernet0/7
      ftp mode passive
      same-security-traffic permit intra-interface
      access-list outside_cryptomap_3 extended permit ip host 10.0.0.11 172.16.254.0 255.255.255.0
      access-list outside_cryptomap_3 extended permit ip host 10.0.0.230 172.16.254.0 255.255.255.0
      access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0
      pager lines 24
      logging asdm informational
      mtu inside 1500
      mtu outside 1500
      icmp unreachable rate-limit 1 burst-size 1
      asdm image disk0:/asdm-523.bin
      no asdm history enable
      arp timeout 14400
      global (outside) 1 interface
      nat (inside) 0 access-list inside_outbound_nat0_acl
      nat (inside) 0 0.0.0.0 0.0.0.0
      route inside 0.0.0.0 0.0.0.0 10.0.0.1 1
      timeout xlate 3:00:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
      timeout uauth 0:05:00 absolute
      no snmp-server location
      no snmp-server contact
      snmp-server enable traps snmp authentication linkup linkdown coldstart
      crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
      crypto map outside_map_1 2 match address outside_cryptomap_3
      crypto map outside_map_1 2 set peer INSERT.REMOTE.PEER.HERE
      crypto map outside_map_1 2 set transform-set ESP-AES-256-SHA
      crypto map outside_map_1 interface inside
      crypto isakmp identity address
      crypto isakmp enable inside
      crypto isakmp policy 10
      authentication pre-share
      encryption aes-256
      hash sha
      group 2
      lifetime 86400
      crypto isakmp policy 20
      authentication pre-share
      encryption aes-256
      hash sha
      group 5
      lifetime 28800
      telnet timeout 5
      ssh timeout 5
      console timeout 0
      class-map inspection_default
      match default-inspection-traffic
      policy-map type inspect dns preset_dns_map
      parameters
        message-length maximum 512
      policy-map global_policy
      class inspection_default
        inspect dns preset_dns_map
        inspect ftp
        inspect h323 h225
        inspect h323 ras
        inspect rsh
        inspect rtsp
        inspect esmtp
        inspect sqlnet
        inspect skinny
        inspect sunrpc
        inspect xdmcp
        inspect sip
        inspect netbios
        inspect tftp
      service-policy global_policy global
      tunnel-group INSERT.REMOTE.PEER.HERE type ipsec-l2l
      tunnel-group INSERT.REMOTE.PEER.HERE ipsec-attributes
      pre-shared-key *
      prompt hostname context
      ===================

      Obviously, what you can gather from that is (for my end):

      Phase 1:
      -My peer: 1.1.1.1 (just for the sake of conversation)
      -Remote Peer: 2.2.2.2 (again, just for the sake of conversation)
      -AES-256-SHA, DH Group 5, Main negotiation mode

      Phase 2:
      -My hosts: 10.0.0.11 and 10.0.0.230 (So, like I said before, they aren't allowing the full 10.0.0.0/24 range on their end)
      -Remote Subnet: 172.16.254.0/24
      -AES-256-SHA, No PFS

      With my multiple attempts, I didn't get too far. I checked the logs and kept getting these types of errors:
      -racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA
      -racoon: ERROR: unknown Informational exchange received.

      Other things I made sure to do:
      -I opened up the appropriate ports on the WAN interface (UDP 500 for ISAKMP, ICMP, ESP) to the remote endpoint.
      -I opened up what I would have wanted to allow through (on the IPSEC tab) from the remote subnet.

      I'm sure this is a pretty basic setup for the majority of you. Again, I'm a noob. Please forgive my ignorance and help me out. I appreciate it.

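To make the ASA-to-pfSense mapping concrete, here is an added Python example (written for this page; it is not the poster's code and not Netgate's) that parses the crypto-relevant lines of the ASA 5505 config quoted above and emits the racoon.conf equivalent that pfSense 2.0's IPsec backend (racoon) would need: one Phase 1 "remote" block carrying both ISAKMP policies, and one Phase 2 "sainfo" block per host-to-subnet ACE, that is, two separate Phase 2 entries for 10.0.0.11/32 and 10.0.0.230/32 rather than one for 10.0.0.0/24. It also checks that the nat 0 (NAT exemption) ACL covers both selectors, which is what the ASA config relies on instead of a translation. Peer addresses 1.1.1.1 and 2.2.2.2 are the post's own placeholders; the PSK file path and the 28800 s Phase 2 lifetime (the ASA default when no `crypto ipsec security-association lifetime` is set) are assumptions.

```python
"""Added example: derive pfSense 2.0 (racoon) IPsec settings from an ASA config.

Parses the crypto lines of the ASA 5505 config quoted in the post and emits
the racoon.conf fragments pfSense 2.0 would need. Not code from the post.
"""
import ipaddress

# Constructed input: the crypto lines from the post, with the placeholder
# remote peer written as 2.2.2.2 (the post's own stand-in address).
ASA_CONFIG = """\
access-list outside_cryptomap_3 extended permit ip host 10.0.0.11 172.16.254.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip host 10.0.0.230 172.16.254.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map_1 2 match address outside_cryptomap_3
crypto map outside_map_1 2 set peer 2.2.2.2
crypto map outside_map_1 2 set transform-set ESP-AES-256-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
"""

# ASA keyword -> racoon.conf keyword (values this config uses plus common ones)
IKE_ENC = {"aes-256": "aes 256", "aes": "aes 128", "3des": "3des"}
IKE_HASH = {"sha": "sha1", "md5": "md5"}
ESP_ENC = {"esp-aes-256": "aes 256", "esp-aes": "aes 128", "esp-3des": "3des"}
ESP_AUTH = {"esp-sha-hmac": "hmac_sha1", "esp-md5-hmac": "hmac_md5"}
POLICY_SUBCMDS = ("authentication", "encryption", "hash", "group", "lifetime")


def _net(tokens, i):
    """Parse one ASA address operand at tokens[i]: 'host A', 'any' or 'A MASK'.
    Returns (ip_network, index of the next token)."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_asa(text):
    """Collect ACLs, nat-0 ACL, transform sets, crypto-map entries, ISAKMP policies."""
    cfg = {"acl": {}, "transform": {}, "cryptomap": {}, "isakmp": {}, "nat0": None}
    policy = None  # ISAKMP policy currently receiving its sub-commands
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if policy is not None and t[0] in POLICY_SUBCMDS:
            policy[t[0]] = t[1]
            continue
        policy = None
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _net(t, 5)
            dst, _ = _net(t, i)
            cfg["acl"].setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["nat", "(inside)"] and t[2:4] == ["0", "access-list"]:
            cfg["nat0"] = t[4]  # NAT exemption ACL, not a translation rule
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][t[3]] = (t[4], t[5])
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            e = cfg["cryptomap"].setdefault((t[2], int(t[3])), {})
            key = t[5] if t[4] == "set" else t[4]  # peer / transform-set / match
            e[key] = t[6]
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policy = cfg["isakmp"].setdefault(int(t[3]), {})
    return cfg


def phase2_selectors(cfg, map_name):
    """One (local, remote, transform-set) per ACE of the crypto map's match ACL.
    racoon (and the pfSense GUI on top of it) needs a separate Phase 2 for each."""
    sels = []
    for (name, _seq), e in sorted(cfg["cryptomap"].items()):
        if name == map_name and "match" in e:
            sels += [(s, d, e["transform-set"]) for s, d in cfg["acl"][e["match"]]]
    return sels


def nat_exempt_covers(cfg, selectors):
    """True if every tunnel selector lies inside some nat-0 ACE, so tunnel
    traffic escapes the interface PAT before the crypto map matches it."""
    exempt = cfg["acl"].get(cfg["nat0"], [])
    return all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)
               for s, d, _ in selectors)


def render_racoon(cfg, map_name, my_addr, psk_path="/var/etc/psk.txt"):
    """Emit racoon.conf: one 'remote' (Phase 1) with a proposal per ISAKMP
    policy, and one 'sainfo' (Phase 2) per selector. psk_path is an assumption."""
    peer = next(e["peer"] for (n, _), e in cfg["cryptomap"].items()
                if n == map_name and "peer" in e)
    out = [f'path pre_shared_key "{psk_path}";', "", f"remote {peer} {{",
           "\texchange_mode main;", f"\tmy_identifier address {my_addr};",
           f"\tpeers_identifier address {peer};", "\tproposal_check obey;"]
    for _num, p in sorted(cfg["isakmp"].items()):
        out += ["\tproposal {", f"\t\tencryption_algorithm {IKE_ENC[p['encryption']]};",
                f"\t\thash_algorithm {IKE_HASH[p['hash']]};",
                "\t\tauthentication_method pre_shared_key;",
                f"\t\tdh_group {p['group']};", f"\t\tlifetime time {p['lifetime']} sec;", "\t}"]
    out += ["}", ""]
    for src, dst, ts in phase2_selectors(cfg, map_name):
        enc, auth = cfg["transform"][ts]
        # No 'set pfs' in the crypto map, so no pfs_group here. 28800 s is the
        # ASA default IPsec SA lifetime (assumed; the posted config sets none).
        out += [f"sainfo address {src} any address {dst} any {{",
                f"\tencryption_algorithm {ESP_ENC[enc]};",
                f"\tauthentication_algorithm {ESP_AUTH[auth]};",
                "\tcompression_algorithm deflate;", "\tlifetime time 28800 sec;", "}", ""]
    return "\n".join(out)


if __name__ == "__main__":
    cfg = parse_asa(ASA_CONFIG)
    sels = phase2_selectors(cfg, "outside_map_1")
    print("NAT exemption covers tunnel selectors:", nat_exempt_covers(cfg, sels))
    print(render_racoon(cfg, "outside_map_1", "1.1.1.1"))
```

In GUI terms the generated file corresponds to one Phase 1 entry (main mode, PSK, AES-256/SHA1; the ASA offers DH group 2 and group 5, so the pfSense side must pick whichever the vendor's policy actually accepts) and two Phase 2 entries whose Local Network is a single /32 and whose Remote Network is 172.16.254.0/24, with PFS off. Note that the racoon message "can't start the quick mode, there is no ISAKMP-SA" means Phase 1 never completed, so a Phase 2 selector mismatch is not the first thing to look at; the Phase 1 proposal, identity and PSK are.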
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.