Racoon to Cisco ASA 5505
jhall at socket.net
Tue Aug 23 23:22:42 UTC 2011
I have run into a weird situation, and I do not know if the problem lies
on my side of the connection or my vendor's.
The tunnel comes up only after the vendor sends traffic to me. My side of
the tunnel shows up, and using tcpdump I see packets flowing out the
correct interface to the correct IP address, but nothing is returned
until the device(s) behind the vendor's ASA attempt to send traffic to me.
Attached is the relevant output from setkey -DP:
10.129.10.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=357 seq=7 pid=12885
	refcnt=1
10.129.80.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=359 seq=6 pid=12885
	refcnt=1
10.129.20.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=361 seq=5 pid=12885
	refcnt=1
10.129.30.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=363 seq=4 pid=12885
	refcnt=1
10.129.40.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=365 seq=3 pid=12885
	refcnt=1
10.129.60.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=367 seq=2 pid=12885
	refcnt=1
10.129.50.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=369 seq=1 pid=12885
	refcnt=1
10.129.70.0/24[any] 192.168.100.0/22[any] any
	out ipsec
	esp/tunnel/1.1.1.1-2.2.2.2/use
	spid=371 seq=0 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.10.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=358 seq=18 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.80.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=360 seq=17 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.20.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=362 seq=16 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.30.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=364 seq=15 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.40.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=366 seq=14 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.50.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=368 seq=13 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.60.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=370 seq=12 pid=12885
	refcnt=1
192.168.100.0/22[any] 10.129.70.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.1.1.1/use
	spid=372 seq=11 pid=12885
Following are the entries from racoon.conf. The padding, etc. was left at
the default:
remote anonymous
{
	exchange_mode main,base,aggressive;
	# exchange_mode main,passive;
	doi ipsec_doi;
	proposal_check obey;
	situation identity_only;
	mode_cfg on;
	my_identifier address ;
	# certificate_type x509 "my.cert.pem" "my.key.pem";
	# nonce_size 16;
	# initial_contact on;
	proposal_check obey; # obey, strict, or claim
	lifetime time 86400 secs;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}
sainfo anonymous
{
	pfs_group 2;
	encryption_algorithm 3des;
	lifetime time 28800 secs;
	authentication_algorithm hmac_sha1, hmac_md5;
	compression_algorithm deflate;
}
I am using anonymous because, if I am reading the logs right, that is
being requested.
I am using a PF firewall with pass in quick and pass out quick rules.
This is just for testing and will be tightened later.
What additional information is needed?
Thanks in advance for all your help.
Jay
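When reading a `setkey -DP` dump like the one in the post, two things are worth checking mechanically: that every outbound policy has a mirror-image inbound policy (selectors and tunnel endpoints swapped), and what policy level each entry carries. On FreeBSD the level `use` means the kernel applies IPsec only if a matching SA already exists and otherwise sends the packet unprotected, whereas `require` refuses to send until an SA is negotiated; a dump where every entry is at `use` therefore deserves a second look before the tunnel is relied on. The script below is an added example, not code from the original post or from the racoon or setkey projects; it parses the KAME `setkey -DP` text format shown above and runs those two checks. The SPD sample embedded in it is constructed with documentation addresses and is not the poster's dump.

```python
"""Parse a FreeBSD/KAME `setkey -DP` SPD dump and check it for asymmetric
policies and for entries at level `use` (cleartext fallback when no SA).

Added example; the sample dump below is constructed, not the poster's output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "10.0.1.0/24[any] 192.0.2.0/24[any] any"  -> src[port] dst[port] upper-proto
SELECTOR_RE = re.compile(r"^([^\[\s]+)\[([^\]]+)\] ([^\[\s]+)\[([^\]]+)\] (\S+)$")
# "out ipsec" / "in ipsec" / "in discard" ...
DIR_RE = re.compile(r"^(in|out|fwd) (ipsec|discard|none)$")
# "esp/tunnel/198.51.100.1-203.0.113.1/use"  or  "esp/transport//require"
REQ_RE = re.compile(
    r"^(esp|ah|ipcomp)/(tunnel|transport)/(?:([^-/]+)-([^/]+))?/"
    r"(default|use|require|unique)(?::\d+)?$"
)
SPID_RE = re.compile(r"^spid=(\d+)")

# (protocol, mode, tunnel_src, tunnel_dst, level); tunnel_* are None in transport mode
Request = Tuple[str, str, Optional[str], Optional[str], str]


@dataclass
class Policy:
    src: str
    dst: str
    proto: str
    direction: str = ""
    action: str = ""
    requests: List[Request] = field(default_factory=list)
    spid: Optional[int] = None


def parse_spd(text: str) -> List[Policy]:
    """Turn the multi-line `setkey -DP` output into Policy records.

    A selector line starts a new entry; the following indented lines describe
    it until the next selector line. A missing trailing refcnt line (as in a
    truncated paste) is tolerated.
    """
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SELECTOR_RE.match(line)
        if m:
            cur = Policy(src=m.group(1), dst=m.group(3), proto=m.group(5))
            policies.append(cur)
            continue
        if cur is None:
            continue  # junk before the first selector
        m = DIR_RE.match(line)
        if m:
            cur.direction, cur.action = m.group(1), m.group(2)
            continue
        m = REQ_RE.match(line)
        if m:
            cur.requests.append(m.groups())  # type: ignore[arg-type]
            continue
        m = SPID_RE.match(line)
        if m:
            cur.spid = int(m.group(1))
    return policies


def _key(p: Policy):
    """Selector plus tunnel endpoints of the first request, used for mirroring."""
    tun_src, tun_dst = (p.requests[0][2], p.requests[0][3]) if p.requests else (None, None)
    return (p.src, p.dst, p.proto, tun_src, tun_dst)


def missing_mirrors(policies: List[Policy]) -> List[Policy]:
    """Outbound policies with no inbound twin (selectors and endpoints swapped)."""
    inbound = {_key(p) for p in policies if p.direction == "in"}
    missing = []
    for p in policies:
        if p.direction != "out":
            continue
        src, dst, proto, tsrc, tdst = _key(p)
        if (dst, src, proto, tdst, tsrc) not in inbound:
            missing.append(p)
    return missing


def cleartext_fallback(policies: List[Policy]) -> List[Policy]:
    """ipsec policies at level `use`: traffic leaves unprotected while no SA exists."""
    return [p for p in policies
            if p.action == "ipsec" and any(r[4] == "use" for r in p.requests)]


# Constructed sample: one mirrored pair at level `use`, plus an outbound
# policy at `require` that has no inbound counterpart.
SAMPLE_SPD = """\
10.0.1.0/24[any] 192.0.2.0/24[any] any
\tout ipsec
\tesp/tunnel/198.51.100.1-203.0.113.1/use
\tspid=1 seq=3 pid=100
\trefcnt=1
10.0.2.0/24[any] 192.0.2.0/24[any] any
\tout ipsec
\tesp/tunnel/198.51.100.1-203.0.113.1/require
\tspid=3 seq=2 pid=100
\trefcnt=1
192.0.2.0/24[any] 10.0.1.0/24[any] any
\tin ipsec
\tesp/tunnel/203.0.113.1-198.51.100.1/use
\tspid=2 seq=1 pid=100
"""

if __name__ == "__main__":
    pols = parse_spd(SAMPLE_SPD)
    for p in missing_mirrors(pols):
        print(f"spid={p.spid}: out policy {p.src} -> {p.dst} has no matching in policy")
    for p in cleartext_fallback(pols):
        print(f"spid={p.spid}: level 'use' -> sent in clear when no SA is up")
```

To run it against a live box, replace `SAMPLE_SPD` with the output of `setkey -DP` (for example `parse_spd(subprocess.check_output(["setkey", "-DP"], text=True))`). The mirror check only compares the first request of each policy, which is enough for the single-ESP-tunnel entries shown in the post.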
More information about the freebsd-questions mailing list