Site-to-Site IPsec - Please Help

  • Hello, I'm looking for some assistance if anyone would be so kind. I'm pretty much a novice when it comes to configuring IPsec tunnels, so as much detail as possible would be appreciated.

    Here's the scenario:
    I have a vendor that I need to establish an IPsec tunnel to for monitoring capabilities, etc. I already have this tunnel established via a Cisco ASA 5505 (their endpoint is also a Cisco device). My problem is that I want to transition this from the Cisco ASA and kind of consolidate things on my pfSense box (version 2.0.2-RC1). I've set other IPsec tunnels up on the pfSense box with no issues. This one is a little different, however, as the vendor only wants to see 2 of our local IPs (the two servers they need access to), instead of a full subnet. Needless to say, I didn't have much success getting this going and had to revert back to the ASA 5505 for the time being. I'm kind of assuming this has to be accomplished via NAT… I'm not sure where to get started, however. Here's my running config from the ASA 5505:

    ===================
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.6 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    same-security-traffic permit intra-interface
    access-list outside_cryptomap_3 extended permit ip host 10.0.0.11 172.16.254.0 255.255.255.0
    access-list outside_cryptomap_3 extended permit ip host 10.0.0.230 172.16.254.0 255.255.255.0
    access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 0 0.0.0.0 0.0.0.0
    route inside 0.0.0.0 0.0.0.0 10.0.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map_1 2 match address outside_cryptomap_3
    crypto map outside_map_1 2 set peer INSERT.REMOTE.PEER.HERE
    crypto map outside_map_1 2 set transform-set ESP-AES-256-SHA
    crypto map outside_map_1 interface inside
    crypto isakmp identity address
    crypto isakmp enable inside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    tunnel-group INSERT.REMOTE.PEER.HERE type ipsec-l2l
    tunnel-group INSERT.REMOTE.PEER.HERE ipsec-attributes
    pre-shared-key *
    prompt hostname context
    ===================

    Obviously, what you can gather from that is (for my end):

    Phase 1:
    -My peer: 1.1.1.1 (just for the sake of conversation)
    -Remote Peer: 2.2.2.2 (again, just for the sake of conversation)
    -AES-256-SHA, DH Group 5, Main negotiation mode

    Phase 2:
    -My hosts: 10.0.0.11 and 10.0.0.230 (So, like I said before, they aren't allowing the full 10.0.0.0/24 range on their end)
    -Remote Subnet: 172.16.254.0/24
    -AES-256-SHA, No PFS

    With my multiple attempts, I didn't get too far. I checked the logs and kept getting these types of errors:
    -racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA
    -racoon: ERROR: unknown Informational exchange received.

    Other things I made sure to do:
    -I opened up the appropriate ports on the WAN interface (UDP 500 for ISAKMP, ICMP, ESP) to the remote endpoint.
    -I opened up what I would have wanted to allow through (on the IPSEC tab) from the remote subnet.

    I'm sure this is a pretty basic setup for the majority of you. Again, I'm a noob. Please forgive my ignorance and help me out. I appreciate it.
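The ASA ACL in the post (outside_cryptomap_3) is not an access rule in the firewall sense: each of its two lines is an IPsec traffic selector (proxy ID), and IKE quick mode negotiates one child SA per selector pair, accepted by the responder only when it is the exact mirror image of a pair the responder has configured. The following is an added example, not code from the post or from pfSense: it parses those ACL lines into selector pairs, checks two candidate pfSense Phase 2 layouts against what the vendor must hold (assumed to be the mirror of the working ASA ACL, since the vendor's config is not in the post), and renders the per-host racoon.conf sainfo stanzas that pfSense 2.0.x's racoon would use for them. The vendor view, both candidates, the racoon rendering and the 28800 s SA lifetime (the ASA default, omitted from the posted config) are assumptions for illustration.

```python
"""Added example (not from the original post): turn the ASA crypto-map ACL
into the per-host Phase 2 selectors that the pfSense side must present.

The two outside_cryptomap_3 lines are copied from the post; the vendor's
view, the two pfSense candidates and the racoon.conf rendering are
assumptions for illustration.
"""
import ipaddress
import re

# Only the lines that matter, copied from the ASA config in the post.
ASA_CONFIG = """\
access-list outside_cryptomap_3 extended permit ip host 10.0.0.11 172.16.254.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip host 10.0.0.230 172.16.254.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0
"""

# ASA extended ACE: 'permit ip <src> <dst>' where each side is 'host A', 'any',
# or 'NETWORK MASK'.  Port-qualified ACEs are not handled (none in the post).
_ACE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+"
    r"(?P<dst>host\s+\S+|any|\S+\s+\S+)\s*$"
)


def _network(token):
    """'host 10.0.0.11' -> 10.0.0.11/32, 'any' -> 0.0.0.0/0,
    '172.16.254.0 255.255.255.0' -> 172.16.254.0/24."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(parts[0] + "/" + parts[1])  # dotted mask is accepted


def parse_crypto_acl(config, acl_name):
    """Return [(local, remote), ...] selector pairs for one crypto-map ACL."""
    pairs = []
    for line in config.splitlines():
        m = _ACE.match(line.strip())
        if m and m.group("name") == acl_name:
            pairs.append((_network(m.group("src")), _network(m.group("dst"))))
    return pairs


def phase2_check(ours, peer_view):
    """ours: (local, remote) pairs as seen from our box; peer_view: the same
    as seen from the peer's box.  A pair only negotiates if the peer holds
    its mirror image; anything else is returned as unmatched."""
    expected = {(remote, local) for local, remote in peer_view}
    matched = [p for p in ours if p in expected]
    unmatched = [p for p in ours if p not in expected]
    return matched, unmatched


def racoon_sainfo(pairs, lifetime=28800):
    """Render one racoon.conf 'sainfo' stanza per selector pair, in the shape
    pfSense 2.0.x (ipsec-tools racoon) writes for each Phase 2 entry.
    AES-256 / SHA1 and no pfs_group line, matching the post; 28800 s is the
    ASA default IPsec SA lifetime, assumed because the posted config omits it."""
    stanzas = []
    for local, remote in pairs:
        stanzas.append(
            "sainfo address %s any address %s any\n{\n"
            "\tencryption_algorithm aes 256;\n"
            "\tauthentication_algorithm hmac_sha1;\n"
            "\tcompression_algorithm deflate;\n"
            "\tlifetime time %d sec;\n}" % (local, remote, lifetime)
        )
    return "\n".join(stanzas)


# The tunnel works on the ASA, so the vendor's selectors must be the mirror of
# outside_cryptomap_3 (assumed; the vendor's config is not in the post).
ASA_PAIRS = parse_crypto_acl(ASA_CONFIG, "outside_cryptomap_3")
VENDOR_VIEW = [(remote, local) for local, remote in ASA_PAIRS]

# Candidate 1: a single pfSense Phase 2 for the whole /24, as for a normal site-to-site.
PFSENSE_WHOLE_SUBNET = [(ipaddress.ip_network("10.0.0.0/24"),
                         ipaddress.ip_network("172.16.254.0/24"))]
# Candidate 2: one pfSense Phase 2 per host (local type "Address"), same remote /24.
PFSENSE_PER_HOST = [(ipaddress.ip_network("10.0.0.11/32"),
                     ipaddress.ip_network("172.16.254.0/24")),
                    (ipaddress.ip_network("10.0.0.230/32"),
                     ipaddress.ip_network("172.16.254.0/24"))]

if __name__ == "__main__":
    for label, cand in (("whole /24", PFSENSE_WHOLE_SUBNET), ("per host", PFSENSE_PER_HOST)):
        ok, bad = phase2_check(cand, VENDOR_VIEW)
        print("%-9s matched=%d unmatched=%s" % (label, len(ok), [str(l) for l, _ in bad]))
    print(racoon_sainfo(PFSENSE_PER_HOST))
```

Run stand-alone it reports the whole-/24 candidate as unmatched and the per-host candidate as fully matched, then prints the two sainfo stanzas; no NAT is involved, the two /32 entries simply reproduce the two ACL lines. One caveat the check cannot cover: the first racoon message quoted in the post ("there is no ISAKMP-SA") is about Phase 1, so the Phase 1 proposal has to agree with the ASA's isakmp policy before any Phase 2 selector layout can be tested.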