Racoon to Cisco ASA 5505

jhall at socket.net
Tue Aug 23 23:22:42 UTC 2011


I have run into a weird situation, and I do not know if the problem lies 
on my side of the connection or my vendor's. 

The tunnel comes up only after the vendor sends traffic to me.  My side of 
the tunnel shows up and using tcpdump, I see packets flowing out the 
correct interface, to the correct IP address, but nothing is returned 
until the device(s) behind the vendor's ASA attempt to send traffic to me. 

Attached is the relevant output from setkey -DP.

10.129.10.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=357 seq=7 pid=12885
	refcnt=1
10.129.80.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=359 seq=6 pid=12885
	refcnt=1
10.129.20.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=361 seq=5 pid=12885
	refcnt=1
10.129.30.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=363 seq=4 pid=12885
	refcnt=1
10.129.40.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=365 seq=3 pid=12885
	refcnt=1
10.129.60.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=367 seq=2 pid=12885
	refcnt=1
10.129.50.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=369 seq=1 pid=12885
	refcnt=1
10.129.70.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=371 seq=0 pid=12885
	refcnt=1

192.168.100.0/22[any] 10.129.10.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=358 seq=18 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.80.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=360 seq=17 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.20.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=362 seq=16 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.30.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=364 seq=15 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.40.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=366 seq=14 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.50.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=368 seq=13 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.60.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=370 seq=12 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.70.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=372 seq=11 pid=12885


Following are the entries from racoon.conf.  The padding, etc. was left at 
the default. 

remote anonymous
{
        exchange_mode main,base,aggressive;
#       exchange_mode main,passive;
        doi ipsec_doi;
        proposal_check obey;
        situation identity_only;
        mode_cfg on;
        my_identifier address;
#       certificate_type x509 "my.cert.pem" "my.key.pem";

#       nonce_size 16;
#       initial_contact on;
        proposal_check obey;    # obey, strict, or claim
        lifetime time 86400 secs;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 28800 secs;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

I am using anonymous because, if I am reading the logs right, that is 
being requested. 

I am using a PF firewall with pass in quick and pass out quick rules.  
This is just for testing and will be tightened later. 

What additional information is needed?

Thanks in advance for all your help.



Jay
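An added check for the kind of setkey -DP dump quoted above (this is example code, not from the post or from racoon): it parses the policy list and flags entries whose level is not require or unique. Per setkey(8), a use-level policy lets the kernel forward matching packets in the clear when no SA exists, which is worth knowing before the pass-in/pass-out PF rules get tightened. The sample dump is constructed from two of the post's entries plus a hypothetical require entry (spid 361) for contrast.

```python
import re

# Constructed sample in the format of the `setkey -DP` output quoted in the post
# (two of the post's entries plus one hypothetical `require` entry for contrast).
SAMPLE_SPD = """\
10.129.10.0/24[any] 192.168.100.0/22[any] any
\tout ipsec
\tesp/tunnel/1.1.1.1-2.2.2.2/use
\tspid=357 seq=7 pid=12885
\trefcnt=1
192.168.100.0/22[any] 10.129.10.0/24[any] any
\tin ipsec
\tesp/tunnel/2.2.2.2-1.1.1.1/use
\tspid=358 seq=18 pid=12885
\trefcnt=1
10.129.20.0/24[any] 192.168.100.0/22[any] any
\tout ipsec
\tesp/tunnel/1.1.1.1-2.2.2.2/require
\tspid=361 seq=5 pid=12885
\trefcnt=1
"""

# protocol/mode/[src-dst]/level, e.g. esp/tunnel/1.1.1.1-2.2.2.2/use
RULE_RE = re.compile(r"^(ah|esp|ipcomp)/(tunnel|transport)/([^/]*)/(\S+)$")
# Levels that demand an SA for matching traffic. `use` (and `default`, which
# follows the kernel's default-level sysctls) can let packets out unprotected.
STRICT_LEVELS = {"require", "unique"}

def parse_spd(text):
    """Parse `setkey -DP` output into a list of policy dicts."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():                      # unindented: selector line
            src, dst, proto = line.split()
            cur = {"src": src, "dst": dst, "proto": proto, "rules": []}
            policies.append(cur)
        elif len(line.split()) == 2 and line.split()[0] in ("in", "out", "fwd"):
            cur["dir"], cur["action"] = line.split()  # direction and ipsec/discard/none
        elif RULE_RE.match(line):
            proto, mode, ends, level = RULE_RE.match(line).groups()
            cur["rules"].append({"proto": proto, "mode": mode, "endpoints": ends,
                                 "level": level.split(":")[0]})  # unique:ID -> unique
        elif line.startswith("spid="):
            cur["spid"] = int(line.split()[0].split("=")[1])
    return policies

def cleartext_fallback(policies):
    """Return (spid, dir, src, dst) for policies whose level does not force an SA."""
    return [(p["spid"], p["dir"], p["src"], p["dst"]) for p in policies
            if any(r["level"] not in STRICT_LEVELS for r in p["rules"])]
```

Run it against real output with `setkey -DP | python3 thisfile.py` after replacing SAMPLE_SPD with sys.stdin.read(); an empty list from cleartext_fallback means every policy insists on an SA.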


