Can pfSense do Easy VPN to a Cisco ASA?



  • If you have two Cisco ASAs, you can configure one end (usually a dynamic IP end) to do "Easy VPN", which basically lets the dynamic ASA use the remote access VPN (group name, PSK, username, password) to connect. It looks like pfSense can be the static end, but can it be the dynamic client end? In other words, I want to set up a dynamic-to-static site-to-site VPN tunnel, and have pfSense be the dynamic end, and have it use IPsec with xauth (group name, PSK, username, password), instead of the plain IPsec site-to-site VPN tunnel.

    Mainly this simplifies the Cisco ASA configuration, so I can set up a new dynamic-to-static VPN tunnel without having to make any changes on the main office Cisco ASA end. If pfSense can do this, that would be an amazing tool to be able to set up VPN tunnels in a snap.


  • Rebel Alliance Developer Netgate

    That is not currently possible; we don't have a way in the pfSense GUI to act as an xauth client.



  • It would simultaneously be cool and uncool if pfSense had an OpenVPN package GUI that could be presented to the world that would allow a user, based on their credentials, to log in and download a config file for their account.

    Some people really want to allow this, even though it's not the most secure way to roll. Brings the security of the VPN down to a password.

