Oct 27, 2017 I've recently configured pfSense v.2.4.1-RELEASE (amd64) for VPN IPSec site-to-site tunnel to Cisco RV042G in mode Gateway but unfortunately it didn't work out as expected, and I'm not sure if the VPN issue is caused by either pfSense or Cisco side. I can ping from pfSense's LAN subnet/WAN IP to Cisco's WAN IP and Gateway but cannot ping from. The ASA is Cisco’s implementation of a firewall. Unlike pfSense, the Cisco ASA is mostly a dedicated firewall appliance although you have options for Intrusion Detection/Prevention System (IDS/IPS), URL filtering and malware protection. There are several models of the Cisco ASA depending on the size of the network and it also. In this guide, we are using Cisco AnyConnect version 4.7 and it has already been downloaded. Anyconnect-linux64-4.7.01076-predeploy-k9.tar.gz Extract Cisco AnyConnect Tarball. Once you have Cisco AnyConnect client tarball in place, extract it as follows; tar xzf anyconnect-linux64-4.7.01076-predeploy-k9.tar.gz.

pfSense, as of 2016-03-01, does not support OpenConnect out of the box. However, it’s in the FreeBSD repository, and relatively easy to add:

You can now play around with the openconnect command and test your connection.

Next step: Autostart, and adding the tun interface to the pfSense GUI. The GUI will, by default, ignore any interface named “tun*”, while openconnect will refuse to work with any interface not named “tun*”. Brilliant. The easiest workaround for this special case seems to be renaming the VPN interface after creation.

I made a script that automates checking if the connection is up, and (re-)starting it if it is not.
Replace the options in the “settings” section with appropriate values for your setup, and you should be good to go.

Cisco Anyconnect Pfsense App

The “test” field should be a command that returns 0 when the connection is up, and anything else when it’s broken. I used netcat’s port testing feature on the remote desktop port of a server I needed to be able to connect to, but you can just as easily use things like ping with a limited count or similar.

Next, use crontab -e and add an entry to run the script regularly.

Again, replace the path and timing with your own preferred values.

With the connection established, you can now go ahead and add the interface in the “assignment” tab of the GUI and set up appropriate rules for it.

CAUTION: Adding an interface that’s not available at boot time to the GUI will cause pfSense to think something is wrong on subsequent reboots and ask you to configure interfaces. I am not currently aware of a workaround for this, other than to not add the interface, controlling rules directly from the script instead. Please use the workaround below to avoid this issue, and make sure to verify that it works before leaving a pfSense box at a remote site unattended.

Cisco Anyconnect Pfsense

Interface boot workaround

The following workaround was offered by “DJC” in the comments section:

1. Install “Shellcmd” in PfSense WebConfigurator:
   System => Package Manager => Available Packages
   Find Shellcmd and INSTALL
2. Navigate to Shellcmd:
   Services => Shellcmd
3. Add the following item in Shellcmd:
   Command: /sbin/ifconfig tun create; /sbin/ifconfig tun0 name ocvpnc1
   Shellcmd Type: earlyshellcmd
   Description: Create tunnel interface for OVPNC1 at boot