Site-to-Site IPSec VPN between Cisco ASAv and pfSense Firewall

Introduction

Short for IP Security, IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality between two communication endpoints across an IP network. It is supported by many vendors. OpenSSL can still be preferred over IPSec in some cases.

We are going to configure an IPSec VPN between a Cisco ASA and a pfSense Firewall. Cisco ASA is a proprietary Cisco firewall that provides firewall and VPN solutions to small, medium and large enterprises. pfSense, on the other hand, is a free and open-source distribution of FreeBSD customized for use as a firewall and router. pfSense is lightweight and can be installed on a PC with two NICs. You can get a copy of pfSense from here. At the time of this writing, the latest version is v2.4.4.

In this lab, we will configure a Site-to-Site IPSec VPN between a Cisco ASAv and a pfSense Firewall.

Prerequisites

  • Cisco ASAv with interfaces, ASDM and other basic configuration in place.
  • pfSense Firewall with WAN and LAN interfaces configured.
  • IP addressing in place, with connectivity verified between the ASAv appliance and pfSense.
  • Basic routing configuration on the Cisco L3 router for internet access.

Build the topology on EVE-NG

I have built the topology on my EVE-NG lab and configured the two firewalls.

  • Cisco ASAv
  • 2 x Cisco multi-layer switch images (a layer 2 switch image also works; L3 is not strictly necessary)
  • pfSense Firewall
  • Internet Router (Cisco L3 image).
  • A cloud image (management, Cloud0) that connects both Site A and Site B to the internet through our Internet Router.

We are going to have two sites, Site A and Site B, both connected to an internet router that provides routing to the internet.

In our next step, we will set up a site-to-site IPSec VPN between the two sites, which use different firewall solutions from two major vendors.

Set up site-to-site IPSec implementation

There are two phases in an IPSec implementation: Phase 1 and Phase 2.
ISAKMP/Phase 1 attributes are used to authenticate the peers and create a secure tunnel over which the IPsec/Phase 2 parameters are negotiated.
We will begin by configuring our ASAv with the Phase I and Phase II attributes.

IPSec ISAKMP Phase I

HQ-ASA(config)# crypto ikev1 policy 1
HQ-ASA(config-ikev1-policy)# authentication pre-share
HQ-ASA(config-ikev1-policy)# encryption aes
HQ-ASA(config-ikev1-policy)# hash ?
ikev1-policy mode commands/options:
  md5  set hash md5
  sha  set hash sha1
HQ-ASA(config-ikev1-policy)# hash sha
HQ-ASA(config-ikev1-policy)# group 2
HQ-ASA(config-ikev1-policy)# lifetime 86400
HQ-ASA(config-ikev1-policy)# exit
HQ-ASA(config)# crypto ikev1 enable OUTSIDE
HQ-ASA(config)# tunnel-group 198.10.10.2 type ipsec-l2l
HQ-ASA(config)# tunnel-group 198.10.10.2 ipsec-attributes
HQ-ASA(config-tunnel-ipsec)# ikev1 pre-shared-key strongpass

IPSec Phase II

HQ-ASA(config)# crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
HQ-ASA(config)# access-list outside_cryptomap_10 remark ACL TO ENCRYPT TRAFFIC FROM ASA TO PFSENSE
HQ-ASA(config)# access-list outside_cryptomap_10 extended permit ip 172.16.80.0 255.255.255.0 10.1.100.0 255.255.255.0
HQ-ASA(config)# crypto map outside_map 10 match address outside_cryptomap_10
HQ-ASA(config)# crypto map outside_map 10 set peer 198.10.10.2
HQ-ASA(config)# crypto map outside_map 10 set ikev1 transform-set pfSense-AES128SHA
HQ-ASA(config)# crypto map outside_map interface OUTSIDE

That's it from the ASAv side of things. Let's jump to our pfSense firewall on Site B.

Phase I

Log in to the pfSense web configurator and navigate to VPN > IPsec.

Click Add P1 on the Tunnels tab, where we are going to add our Phase I attributes as below.

Leave the rest as is and save your changes. Once done, you should have Phase I set up as below.

Phase II

Click the Show Phase 2 Entries button, then click Add P2 to add our Phase 2 attributes.

Next, configure your IPSec Phase 2 attributes as below.

Click the Save button to save changes and go back to the Tunnels tab, where you can view a summary of your Phase 1 and Phase 2 configuration.
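The Phase 1 policy, transform-set and crypto ACL entered on the ASA above have to agree, parameter for parameter, with what was typed into the pfSense P1 and P2 forms, and a single mismatch (AES key size, DH group, or local/remote networks not mirrored) stops the tunnel from coming up. The script below is an added example, not part of the original lab or of either vendor's tooling: it parses the ASA commands from this lab and compares them with a constructed dictionary standing in for the pfSense GUI values (the key names in that dictionary are our own, not pfSense's).

```python
import ipaddress
# ASA commands from this lab (Phase 1 policy, transform-set and crypto ACL), reused as input.
ASA_CLI = """
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
access-list outside_cryptomap_10 extended permit ip 172.16.80.0 255.255.255.0 10.1.100.0 255.255.255.0
"""
# pfSense P1/P2 values as entered in the GUI for this lab (constructed; the key names are ours).
PFSENSE = {
    "p1": {"auth": "pre-share", "enc": "aes-128", "hash": "sha", "dh": 2, "lifetime": 86400},
    "p2": {"enc": "esp-aes-128", "hash": "esp-sha-hmac",
           "local": "10.1.100.0/24", "remote": "172.16.80.0/24"},
}
# On the ASA a bare "aes"/"esp-aes" keyword selects 128-bit AES; the pfSense GUI shows the key size.
ASA_IKE_ENC = {"aes": "aes-128", "aes-192": "aes-192", "aes-256": "aes-256"}
ASA_ESP_ENC = {"esp-aes": "esp-aes-128", "esp-aes-192": "esp-aes-192", "esp-aes-256": "esp-aes-256"}

def parse_asa(cli):
    """Extract the Phase 1 policy and the Phase 2 proposal/networks from ASA CLI text."""
    p1, p2 = {}, {}
    for w in (line.split() for line in cli.splitlines() if line.strip()):
        if w[0] == "authentication": p1["auth"] = w[1]
        elif w[0] == "encryption":   p1["enc"] = ASA_IKE_ENC[w[1]]
        elif w[0] == "hash":         p1["hash"] = w[1]
        elif w[0] == "group":        p1["dh"] = int(w[1])
        elif w[0] == "lifetime":     p1["lifetime"] = int(w[1])
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            p2["enc"], p2["hash"] = ASA_ESP_ENC[w[5]], w[6]
        elif w[0] == "access-list" and "permit" in w:
            i = w.index("permit")  # permit ip <src> <mask> <dst> <mask>; netmask form is accepted
            p2["local"] = str(ipaddress.ip_network(f"{w[i+2]}/{w[i+3]}"))
            p2["remote"] = str(ipaddress.ip_network(f"{w[i+4]}/{w[i+5]}"))
    return {"p1": p1, "p2": p2}

def mismatches(asa, pf):
    """List every parameter the peers disagree on; an empty list means they should negotiate."""
    out = [f"phase1 {k}: ASA={v} pfSense={pf['p1'].get(k)}"
           for k, v in asa["p1"].items() if pf["p1"].get(k) != v]
    out += [f"phase2 {k}: ASA={asa['p2'][k]} pfSense={pf['p2'].get(k)}"
            for k in ("enc", "hash") if pf["p2"].get(k) != asa["p2"][k]]
    # The crypto ACL is written from the ASA's side, so the pfSense entry must be its mirror image.
    if (pf["p2"]["local"], pf["p2"]["remote"]) != (asa["p2"]["remote"], asa["p2"]["local"]):
        out.append(f"phase2 networks not mirrored: ASA {asa['p2']['local']} -> {asa['p2']['remote']}, "
                   f"pfSense {pf['p2']['local']} -> {pf['p2']['remote']}")
    return out
```

Run `mismatches(parse_asa(ASA_CLI), PFSENSE)` before clicking Connect VPN: an empty list means both proposals line up, and each string it returns names the exact field to fix on the pfSense form.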

Our IPSec configuration is complete on both ends. To verify this, we are going to check the VPN connection status on the pfSense firewall as well as the IPsec status on the ASA firewall. On the pfSense menu, go to Status > IPsec and click the Connect VPN button. The connection should be established.

If you followed the configuration keenly, you should see an established connection on the pfSense above as well as on the ASAv firewall below.

On our ASAv firewall, we can issue the command below to confirm our IPsec status:

HQ-ASA# show crypto ipsec stats

That marks the end of our lab: Configuring Site-to-Site IPsec VPN between Cisco ASAv and pfSense Firewall.

bl4ckwidow

Co-Founder of Labing Overload. I am a Web Developer/Network Engineer turned CyberSecurity Engineer. FOSS enthusiast. Cisco Technologies enthusiast. Network Penetration Tester.
