IPsec between pfSense <-> Cisco
-
There is an option in pfSense called 'My Identifier'; you will see it when creating your tunnel under the Phase 1 proposal.
Can you post your Cisco config? I can't seem to get a site-to-site working between my Cisco ASA and my pfSense.
Thanks
-
Thank you for your answer. I don't have the Cisco config at hand yet, but about the "My Identifier" in pfSense, what should I put? I set "IP Address" and put the FW IP address in the box. But do you think it can be the problem? Because, as I said, when the identity is set to IP (instead of FQDN) on the Cisco, it works.
But what I don't understand is that when I read RFC 2409 section 5.4 I can see:
    When using pre-shared key authentication with Main Mode the key can
    only be identified by the IP address of the peers since HASH_I must
    be computed before the initiator has processed IDir. Aggressive Mode
    allows for a wider range of identifiers of the pre-shared secret to
    be used. In addition, Aggressive Mode allows two parties to maintain
    multiple, different pre-shared keys and identify the correct one for
    a particular exchange.
Does it mean that there is no possibility to tell pfSense to use FQDN for the VPN tunnel? If that's it, why does Cisco use the FQDN??
Thank you
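As an added example (not from the thread or from either vendor), a toy Python model of the RFC 2409 section 5.4 argument quoted above: the responder must derive SKEYID from the pre-shared key before it can check HASH_I, and in Main Mode before it can even decrypt the message that carries IDii, so the only usable key selector is the peer's IP address, whereas Aggressive Mode sends the identity in the clear first. The exchange values, address and hostname are constructed placeholders; the PRF is assumed to be HMAC-SHA1 and the ID payload is reduced to its bare identity bytes.

```python
import hashlib
import hmac

# Constructed stand-ins for the values that feed HASH_I (nonces, DH public
# values, ISAKMP cookies, initiator SA payload body).
EXCH = {"ni": b"nonce-i", "nr": b"nonce-r", "gxi": b"g^xi", "gxr": b"g^xr",
        "cky_i": b"CKY-I", "cky_r": b"CKY-R", "sai_b": b"SAi_b"}

def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409's prf is an HMAC keyed with the negotiated hash; SHA-1 assumed.
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # Pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)

def hash_i(skeyid: bytes, idii_b: bytes, e: dict = EXCH) -> bytes:
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    body = e["gxi"] + e["gxr"] + e["cky_i"] + e["cky_r"] + e["sai_b"] + idii_b
    return prf(skeyid, body)

def select_psk(mode: str, peer_ip: str, idii_b: bytes, table: dict):
    # Responder key selection. Main Mode: IDii arrives in message 5, already
    # encrypted under keys derived from SKEYID, so the only selector available
    # is the peer's source IP. Aggressive Mode: IDii is sent in the clear in
    # message 1, so a hostname/FQDN identity can pick the key.
    if mode == "main":
        return table.get(peer_ip)
    if mode == "aggressive":
        return table.get(idii_b.decode())
    raise ValueError(f"unknown mode {mode!r}")

def responder_accepts(mode: str, peer_ip: str, idii_b: bytes,
                      psk: bytes, table: dict) -> bool:
    # Initiator: derive SKEYID from its own PSK and compute HASH_I.
    h_i = hash_i(skeyid_psk(psk, EXCH["ni"], EXCH["nr"]), idii_b)
    # Responder: choose a PSK, recompute HASH_I, compare in constant time.
    chosen = select_psk(mode, peer_ip, idii_b, table)
    if chosen is None:
        return False  # no key for this selector: the exchange fails
    expected = hash_i(skeyid_psk(chosen, EXCH["ni"], EXCH["nr"]), idii_b)
    return hmac.compare_digest(h_i, expected)

# Constructed responder key tables (the pfSense side in the thread): one keyed
# by the Cisco's WAN address, one by its hostname identity.
CISCO_IP, CISCO_FQDN = "203.0.113.10", "router.example.net"
TABLE_BY_IP = {CISCO_IP: b"secret-1"}
TABLE_BY_FQDN = {CISCO_FQDN: b"secret-1"}
```

The separate check that the decrypted IDii matches the configured peer identity (pfSense's "Peer identifier" versus what the Cisco actually sends) is not modelled here.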
-
Interesting… from what I understand of Cisco (I am not a Cisco expert) you do have the ability to change the identifier.
In your Cisco config look for this. At the Cisco configuration terminal type:
    crypto isakmp identity ?
You will see:
    address   Use the IP address of the interface for the identity
    auto      Identity automatically determined by the connection type: IP
              address for preshared key and Cert DN for Cert based connections
    hostname  Use the hostname of the router for the identity
    key-id    Use the specified key-id for the identity
-
That's exactly it! But the problem is that this option is global, and it can affect other configurations; that's why we will keep it at "hostname".
Now the question is: how to tell pfSense to accept hostname as the identifier for a pre-shared key IPsec tunnel??
Thank you in advance
-
UP! :)
-
Can you post your Cisco config? I have never been able to get my site-to-site going between pfSense and my Cisco ASA.
Thanks,
Sean
-
What Cisco device are you using: router, PIX, ASA? Additionally, what OS version is running on the Cisco? Tomorrow I will upload my working pfSense 1.2RC3 - Cisco PIX 506 6.3.5 configs.
-
Hello,
I am struggling to get IPsec working between pfSense 1.2rc4 and a Cisco 1721 with crypto IOS.
Is it possible to post your IOS config?
Regards,
Mus
-
Hi everyone,
I got a tunnel up to an 1800 series router with 12.4(6)T8.
The problem is that I can initiate the tunnel only from the pfSense side (when traffic is sent to the destination private network, e.g. a ping, the tunnel is set up). Once the tunnel is up everything works fine. I have the firewall WAN ESP, IPsec and LAN rules set.
Does anyone have an idea?
-
UP! :)
Could you please send me a short description of how you managed to get it up and running?
Thanks!