IPSec VPN between eSoft InstaGate and Cisco ASA
Overview
The Cisco ASA is a consumer grade SOHO broadband router with VPN capability, and is common in home and small (fewer than 10 users) business offices. This guide aims to help the eSoft InstaGate administrator create a Remote Office (IPSec) VPN tunnel to this Cisco device.
The two devices use different nomenclature for several of the settings used to configure a VPN. This document tries to clarify those differences and guide you to a working configuration.
Please note that this configuration guide pertains only to the Cisco ASA appliance - configuration in other Cisco equipment may be considerably different. Also note that this is a SUGGESTED configuration and may not work in every situation.
InstaGate Configuration
Configuration on the InstaGate is fairly simple, using the default IPSec and IKE parameters. You should simply need to define your Shared Secret and the Remote Gateway and Remote Network addresses or subnet ranges.
1. To begin, log into your InstaGate's administrator interface, and browse to Firewall > Remote Office VPNs.
2. Click the Add button to create a new tunnel. Assign an appropriate Name, choose your tunnel type (Local Network to Remote Network by default), and ensure Key Management is set to Automatic (Shared Secret).
3. The Local Network should be populated with your LAN data by default. Modify this if you need to restrict access to a particular subnet or host on your LAN; otherwise leave the default.
4. The Remote Gateway IP Address will be the Public (WAN) IP address of the Cisco ASA device. The Remote Network will be the LAN network or host behind the Cisco device to which you wish to connect.
5. Supply a Shared Secret. This value must be identical on both devices; it is the 'password' which allows IPSec VPN to verify the authenticity of the remote device.
6. Finally, click Apply to finish setting up the tunnel.
You should not need to modify the IKE advanced settings on this tunnel. The following screenshot shows the defaults for this page in case you need to revert changes:
7. Click the IPSec button.
8. Disable PFS and set the Key Refresh to 8 hours.
Cisco ASA Configuration
The Cisco device follows the same IPSec VPN conventions used by eSoft devices; however, the default settings differ.
1. First, browse to the Wizards menu and select VPN Wizard to begin creating a new connection.
2. Select Site-to-Site.
3. Change VPN Tunnel Interface to "outside".
4. Click Next.
5. Enter the Remote Gateway IP Address in the Peer IP Address field.
6. For "Authentication Method", select Pre-Shared Key and enter the shared secret that you used on the InstaGate.
7. If not already filled in, enter the Remote Gateway IP Address in the Tunnel Group Name field.
8. Click Next.
9. Set Encryption to 3DES.
10. Set Authentication to SHA1.
11. Set DH Group to 2.
12. Click Next.
13. Set Encryption to 3DES.
14. Set Authentication to SHA1.
15. Click Next.
16. Under the "Source" section, please enter the following information:
- Type - IP Address
- IP Address - The local IP Subnet for the Cisco
- Netmask - The local Subnet Mask for the Cisco
17. Under the "Destination" section, please enter the following information:
- Type - IP Address
- IP Address - The local IP Subnet for the InstaGate
- Netmask - The local Subnet Mask for the InstaGate
18. Click Next.
19. Confirm that all Settings are correct and then click Finish.
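A pre-flight comparison of the two configurations described above, as an added example (not eSoft or Cisco code): it checks that the gateway addresses and networks mirror each other and that the IKE, IPSec, PFS and shared secret values agree. The dictionary field names and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges); the field names
# are hypothetical and stand for the GUI fields named in the steps above.
INSTAGATE = {
    "name": "InstaGate", "wan": "203.0.113.5", "peer": "198.51.100.10",
    "local_net": "192.168.1.0/255.255.255.0",
    "remote_net": "10.10.0.0/255.255.255.0",
    "ike": ("3DES", "SHA1", 2), "ipsec": ("3DES", "SHA1"),
    "pfs": False, "psk": "constructed-example-secret",
}
ASA = {
    "name": "ASA", "wan": "198.51.100.10", "peer": "203.0.113.5",
    "local_net": "10.10.0.0/255.255.255.0",
    "remote_net": "192.168.1.0/255.255.255.0",
    "ike": ("3DES", "SHA1", 2), "ipsec": ("3DES", "SHA1"),
    "pfs": False, "psk": "constructed-example-secret",
}

def check_tunnel(a, b):
    """Return a list of mismatches between the two ends of one tunnel."""
    problems, nets = [], {}
    for side in (a, b):
        for field in ("local_net", "remote_net"):
            try:  # strict=True rejects an address with host bits set under the netmask
                nets[side["name"], field] = ipaddress.ip_network(side[field], strict=True)
            except ValueError as exc:
                problems.append(f"{side['name']} {field}: {exc}")
    if problems:
        return problems
    for x, y in ((a, b), (b, a)):
        if x["peer"] != y["wan"]:
            problems.append(f"{x['name']} peer is not the {y['name']} WAN address")
        local, remote = nets[x["name"], "local_net"], nets[x["name"], "remote_net"]
        if local != nets[y["name"], "remote_net"]:
            problems.append(f"{x['name']} local network is not the {y['name']} remote network")
        if local.overlaps(remote):  # same range at both sites cannot be routed
            problems.append(f"{x['name']} local and remote networks overlap")
    for key in ("ike", "ipsec", "pfs", "psk"):  # the secret is compared, never printed
        if a[key] != b[key]:
            problems.append(f"{key} setting differs between the two devices")
    return problems

if __name__ == "__main__":
    for line in check_tunnel(INSTAGATE, ASA) or ["no mismatches found"]:
        print(line)
```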
Troubleshooting
Diagnosing and troubleshooting IPSec VPN connections can be fairly complex. If you cannot establish a VPN tunnel between these devices and you've followed the configuration outlined above, please contact technical support, or get more help at eSoft's Knowledge Base.














