Racoon to Cisco ASA 5505

jhall at socket.net
Fri Aug 26 18:40:37 UTC 2011

> IP-IP interface ? (GIF). If you are using that, then you will need very
> different policies on both sides.  You should mention these little
> "details" when posting your configs.  Can you please post your FULL
> configuration / topology. Otherwise, it's kind of impossible to know what
> the issue might be.
> 	---Mike

Connecting to  Their router is, and my BSD box is 

GIF is configured as follows.

gif21: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
	tunnel inet -->
	inet --> netmask 0xff000000 


        exchange_mode main,base,aggressive;
#       exchange_mode main,passive;
        doi ipsec_doi;
        situation identity_only;
        mode_cfg on;
        my_identifier address;
#       certificate_type x509 "my.cert.pem" "my.key.pem";

#       nonce_size 16;
#       initial_contact on;
        lifetime time 86400 secs;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;

sainfo address any address any
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 28800 secs;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;

setkey - only one site is shown since others are simply a copy of this 

spdadd any -P out ipsec 
spdadd any -P in ipsec 
spdadd any -P in ipsec 
spdadd any -P out ipsec 

route table - only the routes to the remote network are listed.
                                        UGS         0      131  gif21
                     link#19            UH          0      185  gif21

Packet forwarding is enabled.
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Firewall rules
pass in quick all
pass out quick all

What else is needed?

Thanks for all your help.
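Since the thread turns on whether the SPD policies on the two sides actually line up, here is a small checker, added to this archived message and not part of the original post: it parses setkey(8) `spdadd` lines and reports (a) entries that are truncated or missing their `esp/mode/endpoints/level` specification and (b) `out` policies with no matching `in` policy (source/destination and tunnel endpoints swapped, same protocol and level), which is the most common way a racoon-side SPD ends up one-directional. The addresses in the constructed sample input are documentation ranges, not the poster's.

```python
import re
from dataclasses import dataclass

# One spdadd line of the form:
#   spdadd SRC DST UPPER -P in|out ipsec esp|ah/tunnel|transport/EP_SRC-EP_DST/LEVEL;
# Transport-mode entries leave the endpoint field empty ("esp/transport//require").
SPD_RE = re.compile(
    r"""spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+
        -P\s+(?P<dir>in|out)\s+ipsec\s+
        (?P<proto>esp|ah)/(?P<mode>tunnel|transport)/(?P<ep>[^/]*)/
        (?P<level>require|use|unique(?::\d+)?)\s*;""",
    re.X,
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    upper: str
    direction: str
    proto: str
    mode: str
    ep_src: str
    ep_dst: str
    level: str


def parse_spd(text):
    """Parse spdadd lines; return (policies, error messages)."""
    policies, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("spdadd"):
            continue  # comments, blanks, flush/spdflush and SA entries are ignored
        m = SPD_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: incomplete or malformed spdadd: {line}")
            continue
        ep_src = ep_dst = ""
        if m["mode"] == "tunnel":
            if "-" not in m["ep"]:
                errors.append(f"line {lineno}: tunnel policy needs SRC-DST endpoints")
                continue
            ep_src, ep_dst = m["ep"].split("-", 1)
        policies.append(Policy(m["src"], m["dst"], m["upper"], m["dir"],
                               m["proto"], m["mode"], ep_src, ep_dst, m["level"]))
    return policies, errors


def mirror_of(p):
    """The policy the opposite direction must carry for traffic to flow both ways."""
    return Policy(src=p.dst, dst=p.src, upper=p.upper,
                  direction="in" if p.direction == "out" else "out",
                  proto=p.proto, mode=p.mode,
                  ep_src=p.ep_dst, ep_dst=p.ep_src, level=p.level)


def check_spd(text):
    """Return a list of problems; an empty list means every policy has its mirror."""
    policies, errors = parse_spd(text)
    have = set(policies)
    for p in policies:
        if mirror_of(p) not in have:
            errors.append(f"no mirrored {'in' if p.direction == 'out' else 'out'} policy "
                          f"for {p.direction} {p.src} -> {p.dst} "
                          f"({p.proto}/{p.mode}/{p.ep_src}-{p.ep_dst}/{p.level})")
    return errors


# Constructed sample: pair 1 is correct, pair 2 forgets to swap the tunnel
# endpoints on the inbound entry, and the last line is truncated like a
# scrubbed setkey dump.
SAMPLE_SPD = """
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
spdadd 10.1.0.0/16 10.3.0.0/16 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.2/require;
spdadd 10.3.0.0/16 10.1.0.0/16 any -P in ipsec esp/tunnel/203.0.113.1-198.51.100.2/require;
spdadd 10.1.0.0/16 10.4.0.0/16 any -P out ipsec
"""

if __name__ == "__main__":
    for problem in check_spd(SAMPLE_SPD):
        print(problem)
```

Run it against the output of `setkey -DP` (or the file fed to `setkey -f`); the third and fourth sample lines show the classic mistake the checker catches, where the inbound policy copies the outbound endpoint order instead of reversing it, so phase 2 negotiates but return traffic is dropped.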
