IPSec VPN Cisco - PfSense

From OISecWiki

Here are some examples for configuring an IPsec VPN between pfSense and Cisco IOS (based on a Cisco 921-4P running IOS version 15.8(3)M2).

We are setting up a VPN between 10.255.255.2 (Cisco IOS) and 10.255.255.1 (pfSense). The local subnet on the IOS side is 10.248.0.0/24, and it needs to reach 10.0.0.0/8 on the pfSense side.

This is based on IKEv2 with AES-GCM-128 / SHA256 (as PRF) and DH group 14 (2048-bit MODP). The pfSense phase 1 and phase 2 settings must use the same algorithms, or the peers will not agree on a proposal.

Config on Cisco IOS:

 ! IKEv2 proposal: AES-GCM is an AEAD cipher, so no separate integrity algorithm is configured, only the PRF
 crypto ikev2 proposal prop-vpn01
  encryption aes-gcm-128
  prf sha256
  group 14
 !
 crypto ikev2 policy pol-vpn01
  match fvrf any
  proposal prop-vpn01
 !
 ! Keyring: the peer address must be the pfSense WAN address; the PSK is the same on both sides
 crypto ikev2 keyring key-vpn01
  peer pfsense
   address 10.255.255.1
   pre-shared-key local SUPER_SECRET
   pre-shared-key remote SUPER_SECRET
 !
 crypto ikev2 profile ios-to-pfsense
  match fvrf any
  match identity remote address 10.255.255.1 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  keyring local key-vpn01
  lifetime 28800
  dpd 10 10 periodic
 !
 ! Phase 2: esp-gcm defaults to AES-GCM-128; the transform-set name is only a label
 crypto ipsec transform-set AES128-GCM-SHA256-14 esp-gcm
  mode tunnel
 !
 crypto map ipsec-vpn01 10 ipsec-isakmp
  set peer 10.255.255.1
  set security-association lifetime seconds 28800
  set transform-set AES128-GCM-SHA256-14
  set ikev2-profile ios-to-pfsense
  match address vpn-tunnel-nets
 !
 ! The crypto map is applied to the WAN interface (10.255.255.2 is obtained via DHCP here)
 interface GigabitEthernet5
  ip address dhcp
  duplex auto
  speed auto
  crypto map ipsec-vpn01
 !
 ! Crypto ACL: defines the traffic that is sent through the tunnel (local 10.248.0.0/24 to remote 10.0.0.0/8)
 ip access-list extended vpn-tunnel-nets
  permit ip 10.248.0.0 0.0.0.255 10.0.0.0 0.255.255.255

Don't forget to add NAT exemption entries (deny statements for the tunnel networks) to the access lists used by your NAT rules. On IOS, inside-to-outside NAT is applied before the crypto map is evaluated, so translated traffic would never match vpn-tunnel-nets and would leave the router unencrypted.
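Most failures with a configuration like the one above come from a name or address that does not line up between the objects (a crypto map naming a misspelled profile or ACL, or a set peer that the keyring and the profile's match identity do not cover). The following consistency check is an added example, not part of the wiki page or of any Cisco or pfSense tool; it parses a constructed sample made from the cross-referencing lines of the config above (PSK and non-referencing lines dropped) and reports every reference that does not resolve.

```python
# Constructed sample: the cross-referencing lines of this page's IOS config, native IOS indentation
IOS_CONFIG = """\
crypto ikev2 proposal prop-vpn01
crypto ikev2 policy pol-vpn01
 proposal prop-vpn01
crypto ikev2 keyring key-vpn01
 peer pfsense
  address 10.255.255.1
crypto ikev2 profile ios-to-pfsense
 match identity remote address 10.255.255.1 255.255.255.255
 keyring local key-vpn01
crypto ipsec transform-set AES128-GCM-SHA256-14 esp-gcm
crypto map ipsec-vpn01 10 ipsec-isakmp
 set peer 10.255.255.1
 set transform-set AES128-GCM-SHA256-14
 set ikev2-profile ios-to-pfsense
 match address vpn-tunnel-nets
ip access-list extended vpn-tunnel-nets
 permit ip 10.248.0.0 0.0.0.255 10.0.0.0 0.255.255.255
"""
# (block header prefix, sub-command, target): target is a header prefix naming an object, or a (block, sub-command) pair
RULES = [("crypto ikev2 policy", "proposal", "crypto ikev2 proposal"),
         ("crypto ikev2 profile", "keyring local", "crypto ikev2 keyring"),
         ("crypto map", "set transform-set", "crypto ipsec transform-set"),
         ("crypto map", "set ikev2-profile", "crypto ikev2 profile"),
         ("crypto map", "match address", "ip access-list extended"),
         ("crypto map", "set peer", ("crypto ikev2 keyring", "address")),
         ("crypto map", "set peer", ("crypto ikev2 profile", "match identity remote address"))]

def parse_blocks(text):  # top-level IOS block header -> its sub-commands (nesting flattened)
    blocks, cur = {}, []
    for line in text.splitlines():
        if line.strip() and not line[0].isspace() and line != "!":
            cur = blocks.setdefault(line, [])
        elif line.strip():
            cur.append(line.strip())
    return blocks

def check_refs(text):
    """Return dangling references and peer mismatches; [] means the objects line up."""
    blocks = parse_blocks(text)
    def names(kind):  # names of all objects whose header starts with `kind`
        return {h.split()[len(kind.split())] for h in blocks if h.startswith(kind + " ")}
    def args(blk, pre):  # first argument of sub-command `pre` inside every `blk` block
        return {s.split()[len(pre.split())] for h, subs in blocks.items()
                if h.startswith(blk + " ") for s in subs if s.startswith(pre + " ")}
    return [f"{blk}: '{pre} {v}' has no match in {target}" for blk, pre, target in RULES
            for v in sorted(args(blk, pre) - (args(*target) if isinstance(target, tuple) else names(target)))]
```

Run `check_refs` on the running config (`show running-config` output pasted into a file) before bringing the tunnel up; an empty list means every reference resolves, and each reported line names the object to fix.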

pfSense configuration to follow