This page describes how to configure IPsec to connect pfSense® routerand a Cisco IOS router with IPsec capabilities.
- The VPN client has been killed off and only the AnyConnect client is being supported going forward. The AnyConnect client provides additonal funitonality such as client security policy implementaiton. Note this client is able to support IPSEC and SSL configuraitons. Some of the functionality may require an anyconnect licence on the ASA.
- Rockhopper is IPsec/IKEv2-based VPN software for Linux. This software is interoperable with Windows 7, Windows 8 and Windows 10 VPN clients and it provides a handy AJAX-based Web console to manage Secure Virtual Ethernet(LAN), Routing-based VPN, Remote Access VPN and servers protected by IPsec.
Example Network¶
This diagram shows the specifics of the network where this VPN is beingconfigured. For the sake of this documentation, both hosts were onprivate subnets, but functionally equivalent to two hosts across theInternet.
IPSec and Crypto setup in Cisco, also here trasnport mode of IPSec should be setup:! Crypto isakmp policy 1 encr 3des hash md5 authentication pre-share group 2! Crypto isakmp key ipsec address 0.0.0.0 0.0.0.0! Crypto ipsec security-association idle-time 600! Crypto ipsec transform-set vpn esp-3des esp-md5-hmac mode transport! The Zyxel IPSec VPN Client is designed an easy 3-step configuration wizard to help remote employees to create VPN connections quicker than ever. The user-friendly interface makes it easy to install, configure and use. With Zyxel IPSec VPN Client, setting up a VPN connection is no longer a daunting task.
Configuring the router¶
First, configure the phase 1 settings with a crypto isakmp policy. Thefollowing sets it for 3DES, SHA and group 2 to match the pfSenseconfiguration shown later.
Next, configure the pre-shared key. The key in this example is ABCDEFG,but be sure to use something random and secure for any productiondeployments. 10.0.66.22 is the WAN IP of the pfSense system beingused.
Next configure the transform set for phase 2. This uses ESP, 3DESand SHA. The transform set is named 3DES-SHA, which is how it willbe referred to later.
Now configure an access list that will match the local and remotesubnets on the pfSense router. This is configured as access-list 100,which will be used in the next step. Remember this uses wildcard masks,so a /24 network (255.255.255.0 mask) is represented as 0.0.0.255.
Now configure the crypto map for this VPN:
Lastly, under the interface configuration for the interface where theVPN will terminate (the one with the public IP), assign the crypto map:
The configuration is then finished on the Cisco side.
Configuring pfSense Software¶
This screenshot shows the pfSense configuration matching the above Ciscoconfiguration.
In the above example, the pfSense IPsec tunnel should be set as follows:
Phase 1:
Remote Gateway: 10.0.64.175Authentication Method: Pre-Shared KeyNegotiation Mode: MainMy Identifier: My IP AddressPre-Shared Key: ABCDEFGEncryption Algorithm: 3DESHash Algorithm: SHA1DH Key Group: 2Lifetime: 28800NAT Traversal: Disable
It may also be advisable to set Proposal Checking to Obey to avoidsome issues with building a tunnel when the other side initiates.
Phase 2:
Mode: Tunnel IPv4Local Network: LAN SubnetRemote Network: 172.26.5.0/24Protocol: ESPEncryption Algorithm: 3DES (others may also be checked, but besure to leave 3DES checked)Hash Algorithm: SHA1PFS Key Group: 2Lifetime: 3600
Cisco Ipsec Client Linux
Testing the connection¶
To test the connection, from the pfSense router, do the following:
Navigate to Diagnostics > Ping
Enter an IP address on the remote network
Choose the LAN interface
Click Ping.
The initial negotiation may make all three of the first pings timeout,so try it a second time as well. If configured as depicted above, oncethe tunnel connects, the following will be seen:
Troubleshooting¶
If the connection doesn’t come up, there is a mismatch somewhere in theconfiguration. Depending on specifics, more useful information may beobtained from pfSense router or the Cisco router. Checking logs on bothends is recommended. For pfSense software, browse toStatus > System Logs on the IPsec tab. For Cisco, rundebug crypto isakmp and term mon (if not connected via serialconsole) to make the debug messages appear in a session. The outputcan be verbose, but will usually tell specifically what was mismatched.
“No NAT” List on Cisco IOS¶
It may also be necessary to tell Cisco IOS not to NAT the traffic thatis destined for the IPsec tunnel. There are several ways to accomplishthis, depending on how the router has NAT configured. If the followingexample does not help, there are several examples that turn up in aGoogle search for “cisco ios nonat ipsec”:
This will direct the router to prevent NAT if the traffic is going fromthe subnet behind the Cisco router to the subnet behind the pfSenserouter, but allow it in all other cases.
From a users perspective it’s almost just a different way to do the same thing. The major differences to a company considering the move to AnyConnect would be:
Cisco Ipsec Client Windows 10
- The licensing fees. The security IOS that runs on routers we sell customers generally includes IPSec VPN clients. The AnyConnect has separate licensing fees through Cisco. Some equipment includes licenses, others do not (it’s hardware specific). So there is usually an additional cost associated with the AnyConnect VPN Client.
- AnyConnect runs on port 443 so many firewalls will not interfere with traffic on AnyConect vs an IPSEC software VPN. Often users firewalls will block IPSEC traffic or interfere with it (home users firewalls, Barnes and Nobles, Cell card firewalls, etc)
- The AnyConnect can be launched from a web page on the router. This allows for ease of deployment.
- AnyConnect reportedly uses more processing power and systems resources to establish the connection. This is usually no big deal because you are actually using it on a quicker, newer machine running a 64 Bit OS.
- Ease of administration (this could go either way). Sometimes Eclipse WAN support has had calls around a corrupt install of the VPN client. We haven’t really had any client troubles yet with AnyConnect although it’s fairly new.
- The Install package is a lot smaller for AnyConnect.
- There is support for different Operating Systems using the Cisco AnyConnect please see http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html
- According to Cisco’s documentation they state “Only 32-bit Windows support is available in the Cisco VPN Client. For 64-bit (x64) Windows support, customers must upgrade to the next-generation Cisco AnyConnect VPN Client.” Cisco has recently deployed a beta version of the 64 bit IPSEC client for Windows 7 users. Whether or not they will support it in the future remains to be seen.
Cisco Ipsec Client Ubuntu
If you have any questions, comments or concerns and you are on a network maintenance plan with Eclipse Systems support please open a support request at http://distribution.activant.com/eclipse-support/. Alternatively you can call 508-778-9151 for further information.