Racoon to Cisco ASA 5505
jhall at socket.net
jhall at socket.net
Fri Aug 26 17:42:29 UTC 2011
I am seeing a couple of things that are concerning me.
First, I am not seeing any traffic over the gif interface, except return
traffic. For example if I ping from one of my sites (e.g.
10.129.30.0/24), I do not see any traffic on the gif interface.
Second, I am seeing the following error message: "Header checksum: 0X0000
[incorrect, should be 0x8d84 (maybe caused by "IP Checksum Offload"?)]".
I spoke to our vendor this morning, and they are seeing encrypted packets
flowing to them. However, I am not able to ping their devices until they
initiate the traffic. This is when I am not seeing any traffic on the gif
Following are the policies I have defined for the 10.129.30 network. All
policies are a copy of these with the correct networks added.
spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec
spdadd 126.96.36.199/32 10.129.30.0/24 any -P in ipsec
spdadd 10.129.30.0/24 188.8.131.52/32 any -P out ipsec
Thank you for all your help. If you would like the results of the capture
posted, please let me know and I will post them as well.
From : Mike Tancsa <mike at sentex.net>
To : jhall at socket.net
Subject : Re: Racoon to Cisco ASA 5505
Date : Thu, 25 Aug 2011 14:39:12 -0400
> On 8/25/2011 11:52 AM, jhall at socket.net wrote:
> >> I find wireshark helpful in these cases as it nicely decodes what
> >> options are being set. Your racoon conf is set to obey. It's possible
> >> they are proposing something different to you that you accept, where
> >> what you are proposing might not be acceptable
> > My vendor came back to me today and stated they found a configuration
> > error on their end. Their most recent message states the traffic I am
> > sending to them through the IPSec tunnel is not encrypted.
> What does your actual policy look like ? Is this the only ipsec config
> on your box ? If so, let's say your public IP is 184.108.40.206 and their ip is
> try adding this to /etc/ipsec.conf
> spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec
> spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec
> do a
> setkey -F
> setkey -FP
> setkey -f /etc/ipsec.conf
> This is saying that you will create an ipsec policy between 2 networks.
> Your side behind 220.127.116.11 and their side behind 18.104.22.168.
> The policy states that packets with a source address of 10.129.30.0/24
> destined to 192.168.100.0/22 will be encapsulated in an ipsec tunnel.
> Similarly, everything going the other direction - 192.168.100.0/22 going
> to 10.129.30.0/24... And *only* those packets. If you have a packet
> with a source address of 10.0.0.1 destined to 192.168.100.0/22, it will
> not be passed through the tunnel.
> > Following is what they sent me from the ASA.
> > Crypto map tag: rackmap, seq num: 201, local addr: 22.214.171.124
> > access-list 201 extended permit ip 192.168.100.0 255.255.252.0
> > 10.129.30.0 255.255.255.0
> > local ident (addr/mask/prot/port):
> > remote ident (addr/mask/prot/port):
> > current_peer: Jefferson_City
> You then need to make sure your key exchange settings agree. Ask them
> for that portion of the ASA's config.
> You are proposing
> exchange_mode main,base,aggressive;
> You are known to them by IP (my_identifier address)
> You should probably add
> peers_identifier address;
> and then make sure in your psk.txt file you have something like
> 126.96.36.199 the-secret-psk-you-agreed-on
> Also, make sure their side is expecting 3des and hmac is sha1 or md5 as
> you posted in your original config.
> On your public wan interface, do a tcpdump of the remote IP. e.g. if it's
> em0, do
> tcpdump -ni em0 -s0 -w /tmp/186.pcap host 188.8.131.52
> startup racoon with the debug flag
> and from your network, try and ping an IP in their private network from
> your private network
> ping -S 10.129.30.1 192.168.100.1
> When testing ipsec, get in the habit of ALWAYS specifying the source IP
> so that you know the packet you are generating falls within the policy
> you have specified.
> If things don't work, look at the racoon logs for clues as well as look
> at the pcap afterwards with -vvvv
> tcpdump -vvvv -nr /tmp/186.pcap port 500
> if it worked and you get a ping response, look at the full traffic to
> make sure it's ESP and that the contents are indeed encrypted.
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike at sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/
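Added example, not part of the thread or of setkey/racoon itself: a small Python model of how the quoted spdadd policies select traffic. It parses the two `spdadd ... -P in|out ipsec` lines Mike suggested and reports whether a packet with a given source, destination and direction would be handed to the tunnel, which shows why a ping sourced outside 10.129.30.0/24 (or one without `-S`) is sent in the clear. The policy text, the helper names and the ICMP default are assumptions of this example.

```python
"""Model of setkey(8) SPD selection for the spdadd lines in the thread."""
import ipaddress
import re
from dataclasses import dataclass

# Matches the short form used in the message: spdadd SRC DST PROTO -P DIR ipsec
SPD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec")

# Constructed copy of the two policies quoted in Mike's reply.
SPD_TEXT = """
spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec
"""


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str


def parse_spd(text):
    """Parse spdadd lines into Policy objects; blank and '#' lines are skipped."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised SPD line: {line!r}")
        src, dst, proto, direction = m.groups()
        policies.append(Policy(ipaddress.ip_network(src, strict=False),
                               ipaddress.ip_network(dst, strict=False),
                               proto, direction))
    return policies


def lookup(policies, src_ip, dst_ip, direction, proto="icmp"):
    """Return the first policy matching the packet, or None (no IPsec applied)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst \
                and p.proto in ("any", proto):
            return p
    return None


def tunnelled(src_ip, dst_ip, direction):
    """True if the packet falls inside one of the quoted policies (hypothetical helper)."""
    return lookup(parse_spd(SPD_TEXT), src_ip, dst_ip, direction) is not None
```

`tunnelled("10.129.30.1", "192.168.100.1", "out")` is the `ping -S 10.129.30.1 192.168.100.1` case and matches the outbound policy; the same ping sourced from 10.0.0.1 matches nothing, which is the unencrypted traffic the vendor reported.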