[pfSense] pfSense VPN to Cisco (ASA 5520)

Eugen Leitl eugen at leitl.org
Wed May 2 09:24:34 EDT 2012


On Wed, May 02, 2012 at 08:28:52AM -0400, Chris Buechler wrote:
> On Wed, May 2, 2012 at 8:25 AM, Eugen Leitl <eugen at leitl.org> wrote:
> >
> > I need to terminate a VPN tunnel (users behind NAT)
> > with the above Cisco box.
> >
> > Parameters are
> >
> > ISAKMP Phase I
> > preshared key
> > AES128
> > SHA
> > Group 2
> > Lifetime 28800 sec
> >
> > IPSEC Phase II
> > AES 128
> > SHA
> > Group 2
> > Perfect forwarding secrecy: No
> > Lifetime 3600 sec
> >
> > Anyone terminating such IPsec tunnels to Cisco? Any problems?
> 
> Lots of people. One thing to keep in mind with Cisco is it's
> relatively easy initially and/or after the fact to set a policy the
> Cisco will use as an initiator that's different from what it will
> accept as responder. To minimize any such issues, set the P1 on
> pfSense to proposal checking "obey". Otherwise you may find you can
> initiate fine from your side, but the Cisco side can't initiate from
> their end. If not initially, it may happen when they add another VPN
> in the future.

Thank you very much for the hint.
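The asymmetry Chris describes (a tunnel that comes up when pfSense initiates but not when the Cisco does) is decided by the responder's proposal-checking mode. The model below is an added illustration, not code from pfSense, racoon or the thread. It assumes pfSense 2.x of this period used racoon, whose proposal_check setting has the four modes obey, strict, claim and exact as described in the racoon.conf manual page; the pfSense Phase 1 values are the ones posted above, while the Cisco-side initiator lifetime of 86400 seconds and the names `Proposal`, `check` and `both_modes` are constructed for the example.

```python
"""Toy model of racoon's Phase 1 proposal_check modes.

Assumption (labelled): pfSense's "proposal checking" option maps onto
racoon's proposal_check, which only relaxes the lifetime and PFS-group
comparison; encryption, hash and DH group must always match.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    enc: str
    hash: str
    dh_group: int
    lifetime: int                     # seconds
    pfs_group: Optional[int] = None   # Phase 2 PFS group, None = no PFS


def check(mode: str, local: Proposal, remote: Proposal) -> Tuple[bool, Optional[int], str]:
    """Responder `local` receives proposal `remote`.

    Returns (accepted, lifetime_used, reason) following racoon's semantics:
      obey   - accept the initiator's lifetime and PFS group as-is
      strict - reject if the initiator's lifetime is longer or PFS differs
      claim  - like strict, but a longer lifetime is answered with the
               responder's own shorter value (RESPONDER-LIFETIME notify)
      exact  - lifetime and PFS must match exactly
    """
    if (local.enc, local.hash, local.dh_group) != (remote.enc, remote.hash, remote.dh_group):
        return (False, None, "algorithm mismatch")
    pfs_ok = local.pfs_group == remote.pfs_group
    if mode == "obey":
        return (True, remote.lifetime, "initiator's lifetime/PFS obeyed")
    if mode == "strict":
        if remote.lifetime > local.lifetime or not pfs_ok:
            return (False, None, "initiator lifetime longer or PFS differs")
        return (True, remote.lifetime, "initiator's lifetime is not longer")
    if mode == "claim":
        if not pfs_ok:
            return (False, None, "PFS differs")
        if remote.lifetime > local.lifetime:
            return (True, local.lifetime, "own shorter lifetime claimed")
        return (True, remote.lifetime, "initiator's lifetime accepted")
    if mode == "exact":
        if remote.lifetime != local.lifetime or not pfs_ok:
            return (False, None, "lifetime or PFS not identical")
        return (True, remote.lifetime, "exact match")
    raise ValueError(f"unknown proposal_check mode: {mode}")


# pfSense Phase 1 as posted in the thread.
PFSENSE_P1 = Proposal(enc="aes128", hash="sha1", dh_group=2, lifetime=28800)

# Constructed: the Cisco's responder policy matches, but an initiator
# policy added later proposes a longer lifetime (a common after-the-fact drift).
CISCO_INITIATOR_P1 = Proposal(enc="aes128", hash="sha1", dh_group=2, lifetime=86400)


def both_modes(local: Proposal, remote: Proposal) -> dict:
    """Outcome of the Cisco initiating towards pfSense under every mode."""
    return {m: check(m, local, remote)[0] for m in ("obey", "strict", "claim", "exact")}


if __name__ == "__main__":
    for mode, ok in both_modes(PFSENSE_P1, CISCO_INITIATOR_P1).items():
        print(f"{mode:6s} -> {'tunnel up' if ok else 'REJECTED'}")
```

Running it shows only obey and claim accept the Cisco-initiated negotiation, while strict and exact reject it because the proposed 86400-second lifetime exceeds pfSense's 28800; obey is the one mode that also tolerates a PFS-group difference, which is why it is the safest default against a peer whose policies you do not control.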


More information about the List mailing list