IPSec VPN Cisco - PfSense
From OISecWiki
Here are some examples of how to configure an IPsec VPN between pfSense and Cisco IOS (based on a Cisco 921-4P running version 15.8(3)M2).
We are setting up a VPN between 10.255.255.2 (Cisco IOS) and 10.255.255.1 (pfSense). The local subnet on the IOS side is 10.248.0.0/24, and we want to reach 10.0.0.0/8 on the pfSense side.
This is based on IKEv2 with AES-GCM-128 / SHA256 and DH Group 14 (2048-bit).
Config on Cisco IOS:
crypto ikev2 proposal prop-vpn01
 encryption aes-gcm-128
 prf sha256
 group 14
!
crypto ikev2 policy pol-vpn01
 match fvrf any
 proposal prop-vpn01
!
crypto ikev2 keyring key-vpn01
 peer pfsense
  address 10.255.255.1
  pre-shared-key local SUPER_SECRET
  pre-shared-key remote SUPER_SECRET
!
crypto ikev2 profile ios-to-pfsense
 match fvrf any
 match identity remote address 10.255.255.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local key-vpn01
 lifetime 28800
 dpd 10 10 periodic
!
crypto ipsec transform-set AES128-GCM-SHA256-14 esp-gcm
 mode tunnel
!
crypto map ipsec-vpn01 10 ipsec-isakmp
 set peer 10.255.255.1
 set security-association lifetime seconds 28800
 set transform-set AES128-GCM-SHA256-14
 set ikev2-profile ios-to-pfsense
 match address vpn-tunnel-nets
!
interface GigabitEthernet5
 ip address dhcp
 duplex auto
 speed auto
 crypto map ipsec-vpn01
!
ip access-list extended vpn-tunnel-nets
 permit ip 10.248.0.0 0.0.0.255 10.0.0.0 0.255.255.255
Don't forget NAT exempt rules (deny entries placed before the permit entries) in your NAT access lists for the tunnel networks; otherwise tunnel traffic is translated before it reaches the crypto map and never matches the vpn-tunnel-nets ACL.
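Two things go wrong most often with this config: the crypto ACL uses IOS wildcard masks (0.0.0.255, not 255.255.255.0), and the NAT access list must exempt exactly the flows the crypto ACL selects. The following Python checker is an added example (not from this wiki page or from Cisco); it parses ACE lines in the form shown above, converts wildcards to prefixes, and reports tunnel networks that a NAT access list would still translate. The NAT ACL contents are a constructed assumption, since the page does not show them.

```python
import ipaddress

# Constructed sample input (not taken from the page's device): the crypto ACL from the IOS
# config above, plus a hypothetical NAT access list whose first ACE is the NAT exemption.
# Only the "permit|deny ip SRC DST" form with 'any' or 'ADDRESS WILDCARD' operands is parsed.
CRYPTO_ACL = "permit ip 10.248.0.0 0.0.0.255 10.0.0.0 0.255.255.255"
NAT_ACL = """deny   ip 10.248.0.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.248.0.0 0.0.0.255 any"""
def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks (0.0.0.255 -> /24, 0.255.255.255 -> /8); a mask
    that is not a run of low-order 1-bits (e.g. 255.255.255.0 typed by mistake) raises ValueError."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def _operand(tokens):
    # Consume one address operand; return (network, remaining tokens).
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse ACE lines into (action, src_net, dst_net) tuples, keeping their order."""
    acl = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()
        src, rest = _operand(rest)
        dst, _ = _operand(rest)
        acl.append((action, src, dst))
    return acl

def first_match(acl, src, dst):
    """IOS semantics: the first matching ACE wins, with an implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def tunnel_selected(src, dst, crypto_acl=CRYPTO_ACL):
    """True if the flow matches the crypto map ACL and is sent through the IPsec SA."""
    return first_match(parse_acl(crypto_acl), src, dst) == "permit"

def unexempted_tunnel_nets(crypto_acl=CRYPTO_ACL, nat_acl=NAT_ACL):
    """Crypto-ACL network pairs that the NAT ACL would still translate; empty means all exempted."""
    nat = parse_acl(nat_acl)
    return [(str(s), str(d)) for action, s, d in parse_acl(crypto_acl) if action == "permit"
            and first_match(nat, str(s.network_address), str(d.network_address)) != "deny"]
```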
pfSense configuration to follow