Written on 2016-02-28 14:33:03
I fear I will need something like that soon, so here's a dump I found on google somewhere else: (None of the following is from me! But from here)
Table 1 Preconfiguration Checklist: ISAKMP/Phase-1 Attributes
Attribute Value Encryption AES 128-bit Hashing SHA-1 Authentication method Preshared keys DH group Group 2 1024-bit field Lifetime 86,400 seconds
We will use main mode rather than aggressive mode for negotiation. IPsec Phase 2 attributes are used to encrypt and decrypt the actual data traffic.
Table 2 Preconfiguration Checklist: IPsec/Phase-2 Attributes
Attribute Value Encryption AES 128-bit Hashing SHA-1 Lifetime 28,800 seconds4,608,000 kB Mode Tunnel PFS group None
Now that we have determined what Phase 1 and Phase 2 attributes to use, we’re ready to configure IPsec. We assume that all IP addresses are already configured and basic connectivity exists between Cisco ASA and pfSense firewall.
! IPsec ISAKMP Phase 1 crypto ikev1 policy 1 authentication pre-share encryption aes hash sha group 2 lifetime 86400 exit ! crypto ikev1 enable outside tunnel-group 220.127.116.11 type ipsec-l2l tunnel-group 18.104.22.168 ipsec-attributes ikev1 pre-shared-key Cisc0 ! IPsec Phase 2 crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac ! access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 ! crypto map outside_map 10 match address outside_cryptomap_10 crypto map outside_map 10 set peer 22.214.171.124 crypto map outside_map 10 set ikev1 transform-set pfSense-AES128SHA crypto map outside_map interface outside