This wiki is a community-maintained resource about everything there is to know about IPFire.
1. Create CryptoMaps from Cisco ASA side
In ASDM, setup Site2Site, part CrypotMaps, add IKE part, negotiation of VPN tunnel. Second part ESP, are data itself being transfered and encrypted. Please, have in mind, that there is no Peer IP address here, because IPFire is on dynamic IP address. I didn't use any Perfect Forward Secrecy, and i could, it's up to you.
In advanced settings, mark NAT-T, and set 8 hour keytime.
Last part of crypto map, are protected networks. Local network, network behind ASA, network 112, remote network, behind IPFire, network 120.
2. ACL, NAT i static route
Make an ACL, so they packets aren't dropped.
NAT new network 120.
Make static routeoutside_line 192.168.120.0 255.255.255.0 IPAddressMyGateway
3. Create tunnel from IPFire side
Basic settings, no IDs required.
Match you Advanced settings to crypto map.
If you go back to settings, you will see that no VPN tunnel is established.
4. Enter "The Debug"
Got to System Logs, and see logs for IPsec, and also see debug logs from ASA, we can see that IKE was success, but Phase two has not completed. Issue this command on ASA:
debug crypto isakmp 200
Restart IPSec on IPFire side, to make some traffic towards ASA. Stop debug on ASA.
IKE looks good.
ESP didn't completed.
SSh to IPFire and open up a ipsec.conf located in /var/Ipfire/vpn/ipsec.conf
Yes, we can see that our ESP setting only have one method, 3DES. Just add -sha to this line, and save file.
Restart your connection, and voila, you have a tunnel to your branch, using ASA and IPFire.
Older Revisions • September 19, 2018 at 2:25 am