[pfSense] pfSense VPN to Cisco (ASA 5520)

Chris Buechler cmb at pfsense.org
Wed May 2 08:28:52 EDT 2012


On Wed, May 2, 2012 at 8:25 AM, Eugen Leitl <eugen at leitl.org> wrote:
>
> I need to terminate a VPN tunnel (users behind NAT)
> with the above Cisco box.
>
> Parameters are
>
> ISAKMP Phase I
> preshared key
> AES128
> SHA
> Group 2
> Lifetime 28800 sec
>
> IPSEC Phase II
> AES 128
> SHA
> Group 2
> Perfect forward secrecy: No
> Lifetime 3600 sec
>
> Anyone terminating such IPsec tunnels to Cisco? Any problems?

Lots of people. One thing to keep in mind with Cisco is it's
relatively easy initially and/or after the fact to set a policy the
Cisco will use as an initiator that's different from what it will
accept as responder. To minimize any such issues, set the P1 on
pfSense to proposal checking "obey". Otherwise you may find you can
initiate fine from your side, but the Cisco side can't initiate from
their end. If not initially, it may happen when they add another VPN
in the future.
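As an added illustration (not code from the thread, pfSense or racoon), a small Python model of the responder-side proposal check Chris refers to: the same Cisco box that happily answers pfSense's proposal may later initiate with its own policy, and only a permissive check on the pfSense side keeps that direction working. The "obey"/"strict"/"exact" semantics are an assumed simplification modelled on racoon's proposal_check levels, and the 86400 s initiator lifetime is a constructed value.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class P1Proposal:
    enc: str        # e.g. "aes128"
    hash_alg: str   # e.g. "sha1"
    dh_group: int   # e.g. 2
    lifetime: int   # seconds


def responder_accepts(local: P1Proposal, offered: P1Proposal, check: str):
    """Decide whether a responder configured with `local` accepts `offered`.

    Assumed, simplified semantics: algorithms and DH group must always match;
    the check level only decides how a differing lifetime is handled.
    """
    local_algs = (local.enc, local.hash_alg, local.dh_group)
    offered_algs = (offered.enc, offered.hash_alg, offered.dh_group)
    if local_algs != offered_algs:
        return False, "algorithm or DH group mismatch"
    if check == "obey":                      # take the initiator's values
        return True, f"accepted, using initiator lifetime {offered.lifetime}s"
    if check == "strict":                    # initiator may not ask for longer
        if offered.lifetime <= local.lifetime:
            return True, f"accepted, lifetime {offered.lifetime}s"
        return False, f"initiator lifetime {offered.lifetime}s exceeds local {local.lifetime}s"
    if check == "exact":                     # lifetime must match exactly
        if offered.lifetime == local.lifetime:
            return True, "accepted, exact match"
        return False, f"lifetime {offered.lifetime}s != {local.lifetime}s"
    raise ValueError(f"unknown check level {check!r}")


# Constructed scenario: the thread's parameters (AES128 / SHA / Group 2 / 28800 s)
# on pfSense, and an ASA that later starts initiating with a different lifetime
# (86400 s is a constructed value, not taken from the thread).
PFSENSE_P1 = P1Proposal("aes128", "sha1", 2, 28800)
CISCO_AS_INITIATOR = P1Proposal("aes128", "sha1", 2, 86400)


def pfsense_as_responder(check: str):
    """Outcome when the Cisco side initiates and pfSense has to respond."""
    return responder_accepts(PFSENSE_P1, CISCO_AS_INITIATOR, check)


if __name__ == "__main__":
    for level in ("strict", "obey"):
        ok, why = pfsense_as_responder(level)
        print(f"proposal checking = {level:6s}: {'UP' if ok else 'FAIL'} ({why})")
```

With "strict" the Cisco-initiated negotiation fails while pfSense-initiated ones still work, which is exactly the one-sided symptom described above; "obey" accepts the initiator's lifetime and both directions come up.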
