IPsec (short for IP Security) is an IETF standard suite of protocols that provides authentication, integrity and confidentiality for IP traffic between two communicating endpoints. Because it is a standard rather than a product, implementations from different vendors interoperate, which is exactly what this lab relies on. TLS-based VPNs built on OpenSSL (OpenVPN, for example) remain a common alternative where IPsec is impractical.
The Cisco ASAv is the virtualized version of Cisco's Adaptive Security Appliance (ASA) firewall. It runs on common hypervisors and public clouds, provides the same policy enforcement and protocol inspection as the hardware ASA, and supports site-to-site, remote-access and clientless VPNs, which makes it a convenient peer for a lab like this one.
Cisco ASA is Cisco's proprietary firewall and VPN platform for small, medium and large enterprises. pfSense, on the other hand, is a free and open-source FreeBSD-based distribution customised for use as a firewall and router; it is lightweight and runs on any PC with two NICs. You can download it from pfsense.org. At the time of this writing, the latest version is 2.4.4.
In this lab, we will configure a Site-to-Site IPSec VPN between a Cisco ASAv and a pfSense Firewall.
Prerequisites
- Cisco ASAv with its interfaces configured, ASDM access enabled and the other basic configuration in place.
- pfSense firewall with WAN and LAN interfaces configured.
- IP addressing in place, with reachability between the ASAv outside interface and the pfSense WAN interface (check with a ping before touching any VPN settings).
- Basic routing on the Cisco L3 router that provides internet access.
Build the topology on EVE-NG
I have built the topology on my EVE-NG lab and configured the two firewalls.
- Cisco ASAv
- 2 x Cisco multilayer switch images (a layer 2 switch image works just as well; L3 is not required here)
- pfSense Firewall
- Internet router (Cisco L3 image)
- A cloud image (management, Cloud0) that connects both Site A and Site B to the internet through the internet router.
There are two sites, Site A (behind the ASAv) and Site B (behind pfSense), each connected to the internet router, which routes between them.
Next, we set up a site-to-site IPsec VPN between the two sites, each of which uses a firewall from a different vendor.
Set up site-to-site IPSec implementation
An IPsec site-to-site tunnel is negotiated in two phases. Phase 1 (IKE, which in IKEv1 runs over ISAKMP) authenticates the two peers, here with a pre-shared key, and builds a protected IKE SA. Phase 2 runs inside that IKE SA and negotiates the IPsec SAs (the ESP transform, the protected subnets, PFS and lifetimes) that actually carry the traffic. The encryption, hash, DH group and authentication settings for each phase must match on both firewalls, and the subnets defined in Phase 2 on one side must mirror those on the other; most failed tunnels in a mixed-vendor setup come down to one of these mismatches.
We will begin by configuring our ASAv with the Phase 1 and Phase 2 attributes.
IPSec ISAKMP Phase I
IPSec Phase II
That's it from the ASAv side. Let's jump to our pfSense firewall at Site B.
Phase I
Log in to the pfSense web configurator and navigate to VPN > IPsec.
On the Tunnels tab, click Add P1 and enter the Phase 1 attributes shown below.
Leave the remaining fields at their defaults and save your changes. Once done, your Phase 1 entry should look like the one below.
Phase II
Click the Show Phase 2 Entries button, then Add P2, to add the Phase 2 attributes.
Next, configure the IPsec Phase 2 attributes as below.
Click Save to save the changes and go back to the Tunnels tab, where you can view a summary of your Phase 1 and Phase 2 configuration.
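Because the page's own ASA listing and pfSense screenshots did not survive, here is an added example (mine, not the original author's configuration) of a complete ASA-side IKEv1 site-to-site configuration, with the pfSense Phase 1 and Phase 2 field values that must match it given in the comments, so it serves both the ASAv section above and the pfSense steps just completed. All addresses, object names and the pre-shared key are assumptions: Site A (ASAv) is 10.1.1.0/24 behind outside address 203.0.113.1, Site B (pfSense) is 10.2.2.0/24 behind WAN address 203.0.113.2.

```cisco
! --- Site A: Cisco ASAv (ASA 9.x IKEv1 syntax). Assumed addressing:
!   ASA outside 203.0.113.1, inside 10.1.1.0/24
!   pfSense WAN 203.0.113.2, LAN 10.2.2.0/24

! Phase 1 (IKEv1/ISAKMP) policy. Every value must match the pfSense
! Phase 1 entry: Key Exchange = IKEv1, Negotiation mode = Main,
! Authentication = Mutual PSK, Encryption = AES 256 bits, Hash = SHA1,
! DH Group = 14 (2048 bit), Lifetime = 86400.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! The peer and its pre-shared key. On pfSense: Remote Gateway = 203.0.113.1,
! My identifier = My IP address, Peer identifier = Peer IP address,
! Pre-Shared Key = the same string. Use a long random key in real use;
! "ChangeMe-ExamplePSK-2a9f" is a placeholder, not a real secret.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key ChangeMe-ExamplePSK-2a9f

! Phase 2 (IPsec) transform set. Must match the pfSense Phase 2 entry:
! Mode = Tunnel IPv4, Protocol = ESP, Encryption = AES 256 bits,
! Hash = SHA1, PFS key group = 14 (2048 bit), Lifetime = 3600.
! (ASA IKEv1 transform sets only offer SHA-1/MD5; SHA-256 needs IKEv2.)
crypto ipsec ikev1 transform-set PFSENSE-TS esp-aes-256 esp-sha-hmac

! Interesting traffic. The crypto ACL is the ASA's equivalent of the pfSense
! Phase 2 Local Network / Remote Network pair, seen from Site A.
object network SITEA-LAN
 subnet 10.1.1.0 255.255.255.0
object network SITEB-LAN
 subnet 10.2.2.0 255.255.255.0
access-list VPN-TO-SITEB extended permit ip object SITEA-LAN object SITEB-LAN

! NAT exemption. Without it, traffic to Site B is PAT'd to the outside
! address, never matches the crypto ACL, and the tunnel never comes up.
nat (inside,outside) source static SITEA-LAN SITEA-LAN destination static SITEB-LAN SITEB-LAN no-proxy-arp route-lookup

! Crypto map: binds peer, crypto ACL, transform set and PFS to the outside interface.
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITEB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set PFSENSE-TS
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside
```

Two things commonly bite after the tunnel itself is up: on pfSense, traffic arriving through the tunnel is filtered by the rules on the Firewall > Rules > IPsec tab, so add a rule there permitting 10.1.1.0/24 (or the tunnel establishes but pings fail); on the ASA, `sysopt connection permit-vpn` is enabled by default, so decrypted traffic bypasses the outside interface ACL unless you have turned that off. SHA-1 and IKEv1 are used here because the ASA's IKEv1 policies and transform sets do not offer SHA-256; for a production tunnel, prefer IKEv2 with SHA-256 integrity on both ends.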
Our IPsec configuration is complete on both ends. To verify it, we check the VPN status on the pfSense firewall and the crypto SAs on the ASA. On pfSense, go to Status > IPsec and click the Connect VPN button; the connection should be established.
If you followed the configuration closely, you should see an established connection on the pfSense firewall above and on the ASAv firewall below.
On the ASAv, we can issue the command below to confirm the IPsec status.
Cisco ASAv configuration
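Since the ASA verification output did not survive on the page, here is an added example (mine, not the page's own listing) of the ASA commands I would use to bring the tunnel up and confirm both phases, with the states to expect in the comments. It assumes the same addressing as the configuration example above (peer 203.0.113.2, remote LAN 10.2.2.0/24); the host 10.2.2.1 is an assumed address on the Site B LAN.

```cisco
! Site A ASAv: bring the tunnel up and verify it (added example).

! An IKEv1 tunnel is only negotiated when a packet matches the crypto ACL,
! so send interesting traffic from the inside interface (pfSense's
! "Connect VPN" button does the same from Site B).
ping inside 10.2.2.1

! Phase 1: expect one IKEv1 SA to peer 203.0.113.2 in state MM_ACTIVE.
! MM_WAIT_MSG2 means the peer never answered (reachability, IKEv1 not
! enabled on outside, or UDP/500 blocked); MM_WAIT_MSG6 usually points
! at a pre-shared key or Phase 1 policy mismatch.
show crypto ikev1 sa

! Phase 2: expect #pkts encaps and #pkts decaps counters increasing for the
! 10.1.1.0/24 <-> 10.2.2.0/24 identity. Encaps rising while decaps stays
! at zero means the far side is dropping or not routing the return traffic
! (on pfSense, check the IPsec tab firewall rules first).
show crypto ipsec sa peer 203.0.113.2

! One-line summary of the L2L session, including bytes in each direction.
show vpn-sessiondb l2l

! If nothing comes up, watch the negotiation live (noisy; turn it off after).
debug crypto ikev1 127
undebug all
```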
That marks the end of our lab: Configuring Site-to-Site IPsec VPN between Cisco ASAv and pfSense Firewall.