Racoon to Cisco ASA 5505

jhall at socket.net
Fri Aug 26 18:40:37 UTC 2011


> IP-IP interface ? (GIF). If you are using that, then you will need very
> different policies on both sides.  You should mention these little
> "details" when posting your configs.  Can you please post your FULL
> configuration / topology. Otherwise, it's kind of impossible to know what
> the issue might be
> 
> 	---Mike

Connecting 10.129.0.0/16 to 192.168.100.0/22.  Their router is 
192.168.100.1, and my BSD box is 10.129.10.40. 

GIF is configured as follows.

gif21: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
	tunnel inet 1.1.1.1 --> 184.106.120.244
	inet 10.129.10.40 --> 192.168.100.1 netmask 0xff000000 
	options=1<ACCEPT_REV_ETHIP_VER>

racoon.conf

remote 184.106.120.244
{
        exchange_mode main,base,aggressive;
#       exchange_mode main,passive;
        doi ipsec_doi;
        situation identity_only;
        mode_cfg on;
        my_identifier address 65.117.48.155;
#       certificate_type x509 "my.cert.pem" "my.key.pem";

#       nonce_size 16;
#       initial_contact on;
        lifetime time 86400 secs;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 1.1.1.1/32 any address 184.106.120.244 any
{
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 28800 secs;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

setkey - only one site is shown since the others are simply a copy of this one.

spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/use;
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 184.106.120.244/32 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 10.129.30.0/24 184.106.120.244/32 any -P out ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;

route table - only the routes to the remote network are listed.
192.168.100.0/22   192.168.100.1      UGS         0      131  gif21
192.168.100.1      link#19            UH          0      185  gif21

Packet forwarding is enabled.
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Firewall rules
pass in quick all
pass out quick all

What else is needed?

Thanks for all your help.



Jay
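Added example, not part of the post and not setkey's or racoon's own code: a small Python checker for the SPD entries above, which parses spdadd lines of the esp/tunnel form and verifies that every -P out policy tunnels from the local endpoint and every -P in policy tunnels to it, and that each policy has a reverse-direction counterpart. It assumes 1.1.1.1 is the local endpoint (the gif21 tunnel source in the ifconfig output); run on the four entries as posted it flags the last out policy, whose tunnel endpoints are written remote-to-local.

```python
import re
from typing import Dict, List

# Constructed sample input: the four spdadd entries from the post, each on
# one line as setkey reads them. 1.1.1.1 is assumed to be the local endpoint.
SPD_TEXT = """
spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/use;
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 184.106.120.244/32 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 10.129.30.0/24 184.106.120.244/32 any -P out ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
"""

# Matches "spdadd SRC DST PROTO -P in|out ipsec esp/tunnel/A-B/LEVEL;"
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<ipsec>\w+)/tunnel/(?P<tsrc>[\d.]+)-(?P<tdst>[\d.]+)/(?P<level>\w+)\s*;"
)

def parse_spd(text: str) -> List[Dict[str, str]]:
    """Return one dict per tunnel-mode spdadd line found in text."""
    return [m.groupdict() for m in SPD_RE.finditer(text)]

def check_tunnel_direction(entries: List[Dict[str, str]], local_ep: str) -> List[str]:
    """For -P out the tunnel source must be the local endpoint; for -P in the
    tunnel destination must be. Return one finding per violating entry."""
    findings = []
    for n, e in enumerate(entries, 1):
        ok = e["tsrc"] == local_ep if e["dir"] == "out" else e["tdst"] == local_ep
        if not ok:
            findings.append(
                f"entry {n}: -P {e['dir']} policy {e['src']} -> {e['dst']} uses tunnel "
                f"{e['tsrc']}-{e['tdst']}; local endpoint {local_ep} is on the wrong side"
            )
    return findings

def check_reverse_pairs(entries: List[Dict[str, str]]) -> List[str]:
    """Every out policy needs an in policy with src/dst swapped, and vice versa."""
    seen = {(e["dir"], e["src"], e["dst"]) for e in entries}
    findings = []
    for e in entries:
        other = ("in" if e["dir"] == "out" else "out", e["dst"], e["src"])
        if other not in seen:
            findings.append(f"no -P {other[0]} policy for {other[1]} -> {other[2]}")
    return findings

if __name__ == "__main__":
    spd = parse_spd(SPD_TEXT)
    for f in check_tunnel_direction(spd, "1.1.1.1") + check_reverse_pairs(spd):
        print("FINDING:", f)
```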




More information about the freebsd-questions mailing list