Site to Site IPSEC - Please Help
Hello, I'm looking for some assistance if anyone would be so kind. I'm pretty much a novice when it comes to configuring IPSEC tunnels, so as much detail as possible would be appreciated.
Here's the scenario:
I have a vendor that I need to establish an IPSEC tunnel to for monitoring capabilities, etc. I already have this tunnel established via a CISCO ASA 5505 (their endpoint is also a Cisco device). My problem is that I want to transition this from the Cisco ASA and kind of consolidate things on my pfSense box (version 2.0.2-RC1). I've set other IPSEC tunnels up on the pfSense box with no issues. This one is a little different, however, as the vendor only wants to see 2 of our local IPs (the two servers they need access to), instead of a full subnet. Needless to say, I didn't have much success getting this going and had to revert back to the ASA5505 for the time being. I'm kind of assuming this has to be accomplished via NAT… not sure where to get started, however. Here's my running config from the ASA5505:
===================
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.6 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_cryptomap_3 extended permit ip host 10.0.0.11 172.16.254.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip host 10.0.0.230 172.16.254.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0
route inside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map_1 2 match address outside_cryptomap_3
crypto map outside_map_1 2 set peer INSERT.REMOTE.PEER.HERE
crypto map outside_map_1 2 set transform-set ESP-AES-256-SHA
crypto map outside_map_1 interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
tunnel-group INSERT.REMOTE.PEER.HERE type ipsec-l2l
tunnel-group INSERT.REMOTE.PEER.HERE ipsec-attributes
pre-shared-key *
prompt hostname context
Obviously, what you can gather from that is (for my end):
Phase 1:
-My peer: 1.1.1.1 (just for the sake of conversation)
-Remote Peer: 2.2.2.2 (again, just for the sake of conversation)
-AES-256-SHA, DH Group 5, Main negotiation mode
Phase 2:
-My hosts: 10.0.0.11 and 10.0.0.230 (So, like I said before, they aren't allowing the full 10.0.0.0/24 range on their end)
-Remote Subnet: 172.16.254.0/24
-AES-256-SHA, No PFS
With my multiple attempts, I didn't get too far. I checked the logs and kept getting these types of errors:
-racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA
-racoon: ERROR: unknown Informational exchange received.
Other things I made sure to do:
-I opened up the appropriate ports on the WAN interface (UDP 500 for ISAKMP, ICMP, ESP) to the remote endpoint.
-I opened up what I would have wanted to allow through (on the IPSEC tab) from the remote subnet.
I'm sure this is a pretty basic setup for the majority of you. Again, I'm a noob. Please forgive my ignorance and help me out. I appreciate it.
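An added example, not part of the original post and not pfSense or Cisco code: it reads the crypto-relevant lines of the ASA config quoted above, turns each crypto-map ACL line into the per-host Phase 2 selector pair that pfSense needs (one Phase 2 entry per ACL line rather than one for the whole /24), lists the two ISAKMP policies the ASA offers for Phase 1, and labels the two racoon errors quoted in the post with the IKE phase they point at. The config excerpt and log lines are copied from the post; the function names, the triage table, and the assumption that a /32 local side maps to a single-address Phase 2 entry are mine.

```python
import ipaddress
import re

# Excerpt of the ASA config quoted in the post (crypto-relevant lines only).
ASA_CONFIG = """
access-list outside_cryptomap_3 extended permit ip host 10.0.0.11 172.16.254.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip host 10.0.0.230 172.16.254.0 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map_1 2 match address outside_cryptomap_3
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
"""

# Constructed racoon log lines, matching the two errors quoted in the post.
RACOON_LOG = [
    "racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA",
    "racoon: ERROR: unknown Informational exchange received.",
]


def _take_addr(toks):
    """Consume one ASA address spec ('host A', 'any', or 'A MASK'); return (network, remaining tokens)."""
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def parse_crypto_acl(config, acl_name):
    """Return (local, remote) selector pairs from the crypto-map ACL's 'permit ip' lines."""
    pairs = []
    pat = re.compile(rf"access-list {re.escape(acl_name)} extended permit ip (.+)$")
    for raw in config.splitlines():
        m = pat.match(raw.strip())
        if m:
            local, rest = _take_addr(m.group(1).split())
            remote, _ = _take_addr(rest)
            pairs.append((local, remote))
    return pairs


def parse_isakmp_policies(config):
    """Map each 'crypto isakmp policy N' block to its auth/encryption/hash/group/lifetime values."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        else:
            current = None  # any other line ends the policy block
    return policies


def pfsense_phase2_entries(pairs):
    """One Phase 2 entry per ACL line. Assumption: a /32 local side becomes a single 'address'
    entry and anything wider a 'network' entry; the remote side is always given as a network."""
    entries = []
    for local, remote in pairs:
        single = local.prefixlen == 32
        entries.append({
            "local_type": "address" if single else "network",
            "local": str(local.network_address) if single else str(local),
            "remote": str(remote),
        })
    return entries


# Hypothetical triage table: substring of a racoon error -> IKE phase it points at, and why.
RACOON_HINTS = [
    ("there is no ISAKMP-SA", "phase1", "Quick Mode was attempted before any Phase 1 SA existed"),
    ("unknown Informational exchange", "phase1", "a peer notify arrived that matched no established ISAKMP SA"),
]


def classify_racoon(line):
    """Return (phase, explanation) for a racoon ERROR line, or ('unknown', line) when nothing matches."""
    for needle, phase, why in RACOON_HINTS:
        if needle in line:
            return phase, why
    return "unknown", line


if __name__ == "__main__":
    pairs = parse_crypto_acl(ASA_CONFIG, "outside_cryptomap_3")
    for entry in pfsense_phase2_entries(pairs):
        print("Phase 2:", entry)
    for num, pol in sorted(parse_isakmp_policies(ASA_CONFIG).items()):
        print("Phase 1 candidate", num, pol)
    for line in RACOON_LOG:
        print(classify_racoon(line))
```

Running it prints two Phase 2 entries (10.0.0.11 and 10.0.0.230, each paired with 172.16.254.0/24), two Phase 1 candidates that differ only in DH group and lifetime, and both log lines tagged as Phase 1 problems; with no ISAKMP SA the Phase 2 selectors never get a chance to be compared, so the Phase 1 proposal, peer address and pre-shared key are the first things to verify against what the peer actually negotiated.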