pfSense config
The pfSense side must mirror the Cisco settings below: Phase 1 with IKEv1, pre-shared key, 3DES, SHA1, DH group 2 and the Cisco WAN address as the remote gateway; Phase 2 with ESP, 3DES, SHA1, PFS group 2, local network 192.168.30.0/24 and remote network 192.168.20.0/24. Keep the Phase 1 and Phase 2 lifetimes the same on both sides (IOS defaults are 86400 s for ISAKMP and 3600 s for IPsec SAs).
Cisco Config
Replace GigabitEthernet0/0 with your WAN interface.
Replace access list 100 with your existing NAT list (the deny line must come before the permit, otherwise LAN-to-DC traffic is NATed and never matches the crypto ACL).
Replace the pre-shared key (XXXX) and the peer address (1.2.3.4) with your own; the key must be identical on pfSense.
Update the access lists to reflect your subnets: 192.168.20.0/24 is the LAN behind the Cisco, 192.168.30.0/24 is the LAN behind pfSense.
!
! Phase 1 (ISAKMP/IKEv1): 3DES, SHA1 (the IOS default hash), pre-shared key, DH group 2.
! These are legacy algorithms; keep them only if the pfSense end cannot do better.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Pre-shared key for the pfSense peer; no-xauth stops IOS from asking this
! site-to-site peer for XAUTH credentials.
crypto isakmp key XXXX address 1.2.3.4 no-xauth
!
! Phase 2 (IPsec): ESP with 3DES encryption and SHA1 HMAC.
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
! Crypto map: peer, transform set, PFS and the ACL that selects the traffic to encrypt.
crypto map PFSVPN 15 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set 3DES-SHA
 set pfs group2
 match address encrypt-to-dc
!
interface GigabitEthernet0/0
 description WAN Interface
 ...
 crypto map PFSVPN
!
! PAT for Internet-bound LAN traffic. The deny line exempts LAN-to-DC traffic from NAT
! so it keeps its private source address and matches the crypto ACL.
ip nat inside source list 100 interface GigabitEthernet0/0 overload
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
! Interesting traffic: local LAN to the DC LAN behind pfSense (mirror of the pfSense Phase 2 networks).
ip access-list extended encrypt-to-dc
 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
!
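3DES, SHA1 and DH group 2 are below current recommendations. The following is an added example, not part of the original page, showing the same tunnel built with AES-256, SHA-256 and DH group 14; it assumes an IOS 15.x router and a pfSense release that offers those algorithms, and keeps the page's placeholders (GigabitEthernet0/0, key XXXX, peer 1.2.3.4, the two /24s). The lifetimes are chosen to match pfSense's default Phase 1/Phase 2 values and are an assumption; set them to whatever pfSense is configured with.

```cisco
! Added example (not from the original page): same tunnel, current algorithms.
! Assumes IOS 15.x and pfSense Phase 1/Phase 2 set to exactly these values;
! any mismatch fails IKE negotiation (NO_PROPOSAL_CHOSEN).
!
! Phase 1: AES-256, SHA-256, DH group 14, pre-shared key, 28800 s lifetime.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key XXXX address 1.2.3.4 no-xauth
!
! Phase 2: ESP AES-256 with SHA-256 HMAC, 3600 s SA lifetime, PFS group 14.
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
crypto ipsec security-association lifetime seconds 3600
!
crypto map PFSVPN 15 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set AES256-SHA256
 set pfs group14
 match address encrypt-to-dc
!
interface GigabitEthernet0/0
 description WAN Interface
 crypto map PFSVPN
!
! NAT exemption first, then PAT for everything else; crypto ACL mirrors the pfSense Phase 2 networks.
ip nat inside source list 100 interface GigabitEthernet0/0 overload
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended encrypt-to-dc
 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
!
! Verification after sending traffic from 192.168.20.0/24 to 192.168.30.0/24:
!   show crypto isakmp sa      -> peer 1.2.3.4 in state QM_IDLE
!   show crypto ipsec sa       -> #pkts encaps/decaps counters increasing
!   show ip nat translations   -> no entries for 192.168.30.x destinations
```

If `show crypto isakmp sa` shows MM_NO_STATE or nothing at all, check the pre-shared key and the Phase 1 algorithms first; if Phase 1 reaches QM_IDLE but the encaps counter stays at zero, the usual cause is the NAT ACL ordering or a crypto ACL that does not match the pfSense Phase 2 networks.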