VPN IPSec using Cisco ASA and IPFIRE

1. Create CryptoMaps from Cisco ASA side

In ASDM, setup Site2Site, part CrypotMaps, add IKE part, negotiation of VPN tunnel. Second part ESP, are data itself being transfered and encrypted. Please, have in mind, that there is no Peer IP address here, because IPFire is on dynamic IP address. I didn't use any Perfect Forward Secrecy, and i could, it's up to you.

In advanced settings, mark NAT-T, and set 8 hour keytime.

Last part of crypto map, are protected networks. Local network, network behind ASA, network 112, remote network, behind IPFire, network 120.

2. ACL, NAT i static route

Make an ACL, so they packets aren't dropped.

NAT new network 120.

Make static routeoutside_line IPAddressMyGateway

3. Create tunnel from IPFire side

Basic settings, no IDs required.

Match you Advanced settings to crypto map.

If you go back to settings, you will see that no VPN tunnel is established.

4. Enter "The Debug"

Got to System Logs, and see logs for IPsec, and also see debug logs from ASA, we can see that IKE was success, but Phase two has not completed. Issue this command on ASA:

debug crypto isakmp 200

Restart IPSec on IPFire side, to make some traffic towards ASA. Stop debug on ASA.
undebug all

IKE looks good.

ESP didn't completed.

SSh to IPFire and open up a ipsec.conf located in /var/Ipfire/vpn/ipsec.conf

Yes, we can see that our ESP setting only have one method, 3DES. Just add -sha to this line, and save file.

Restart your connection, and voila, you have a tunnel to your branch, using ASA and IPFire.

Edit Page ‐ Yes, you can edit!

Older Revisions • September 19, 2018 at 2:25 am • Jon