This wiki is a community-maintained resource about everything there is to know about IPFire. Join us and help us improve it!
1. Create CryptoMaps from Cisco ASA side
In ASDM, set up Site-to-Site and go to the Crypto Maps part. First add the IKE part, which handles the negotiation of the VPN tunnel. The second part is ESP, which carries the data itself, transferred and encrypted. Keep in mind that there is no peer IP address here, because IPFire is on a dynamic IP address. I didn't use Perfect Forward Secrecy, though I could have; it's up to you.
In the advanced settings, mark NAT-T and set an 8-hour key lifetime.
The last part of the crypto map is the protected networks: the local network (behind the ASA) is network 112, and the remote network (behind IPFire) is network 120.
2. ACL, NAT and static route
Make an ACL so that the packets aren't dropped.
NAT the new network 120.
Make a static route:
route outside_line 192.168.120.0 255.255.255.0 IPAddressMyGateway
3. Create tunnel from IPFire side
Basic settings: no IDs are required.
Match your Advanced settings to the crypto map on the ASA.
If you go back to the settings page, you will see that no VPN tunnel is established.
4. Enter "The Debug"
Go to System Logs and view the IPsec logs, and also view the debug logs on the ASA. We can see that IKE succeeded, but Phase 2 has not completed. Issue this command on the ASA:
debug crypto isakmp 200
Restart IPsec on the IPFire side to generate some traffic towards the ASA. Then stop the debug on the ASA.
IKE looks good.
ESP did not complete.
SSH to IPFire and open ipsec.conf, located at /var/ipfire/vpn/ipsec.conf
Yes, we can see that our ESP setting has only one method, 3DES. Just add -sha to this line and save the file.
Restart your connection, and voila, you have a tunnel to your branch using the ASA and IPFire.
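As an added example (not from the IPFire project or this page's author), the following Python script reproduces the check done by hand above: it parses the conn blocks of an ipsec.conf, flags any ESP proposal that names a cipher but no integrity algorithm (the esp=3des case that left Phase 2 incomplete), and shows the corrected value with the page's -sha suffix. The sample ipsec.conf, peer address and subnets are constructed for this example.

```python
import re

# Constructed sample in the strongSwan ipsec.conf format IPFire writes under
# /var/ipfire/vpn/ (peer address, subnets and proposals are made up).
SAMPLE_IPSEC_CONF = """\
conn %default
        keyingtries=%forever

conn branch-asa
        left=%defaultroute
        leftsubnet=192.168.120.0/24
        right=203.0.113.10
        rightsubnet=192.168.112.0/24
        ike=aes256-sha1-modp1536
        esp=3des
        auto=start
"""

# Integrity (hash) components a non-AEAD ESP proposal must carry.
INTEGRITY = {"sha", "sha1", "sha256", "sha384", "sha512", "md5", "aesxcbc"}
# AEAD ciphers (e.g. aes128gcm16) authenticate on their own.
AEAD = re.compile(r"^aes\d{3}(gcm|ccm)")

def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn block in ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and blank lines
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def proposal_lacks_integrity(proposal):
    """True if a single proposal such as '3des' names no integrity algorithm."""
    parts = proposal.split("-")
    if AEAD.match(parts[0]):
        return False
    return not any(p in INTEGRITY for p in parts[1:])

def find_bad_esp(text):
    """Return {conn: esp_value} for conns with an ESP proposal lacking integrity."""
    bad = {}
    for name, opts in parse_conns(text).items():
        esp = opts.get("esp")
        if esp and any(proposal_lacks_integrity(p) for p in esp.split(",")):
            bad[name] = esp
    return bad

def fix_esp(esp_value, integrity="sha"):
    """Append the page's '-sha' suffix to every proposal that lacks integrity."""
    return ",".join(p if not proposal_lacks_integrity(p) else f"{p}-{integrity}"
                    for p in esp_value.split(","))
```

Run find_bad_esp over the real file's contents to see which conn needs the fix; fix_esp returns the value to write back on that esp= line.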