Racoon to Cisco ASA 5505
jhall at socket.net
Fri Aug 26 18:40:37 UTC 2011
> IP-IP interface ? (GIF). If you are using that, then you will need very
> different policies on both sides. You should mention these little
> "details" when posting your configs. Can you please post your FULL
> configuration / topology. Otherwise, its kind of impossible to know what
> the issue might be
>
> ---Mike
Connecting 10.129.0.0/16 to 192.168.100.0/22. Their router is
192.168.100.1, and my BSD box is 10.129.10.40.
GIF is configured as follows.
gif21: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 1.1.1.1 --> 184.106.120.244
inet 10.129.10.40 --> 192.168.100.1 netmask 0xff000000
options=1<ACCEPT_REV_ETHIP_VER>
racoon.conf
remote 184.106.120.244
{
exchange_mode main,base,aggressive;
# exchange_mode main,passive;
doi ipsec_doi;
situation identity_only;
mode_cfg on;
my_identifier address 65.117.48.155;
# certificate_type x509 "my.cert.pem" "my.key.pem";
# nonce_size 16;
# initial_contact on;
lifetime time 86400 secs;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address 1.1.1.1/32 any address 184.106.120.244 any
{
pfs_group 2;
encryption_algorithm 3des;
lifetime time 28800 secs;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
setkey - only one site is shown since the others are simply a copy of this one.
spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec
esp/tunnel/1.1.1.1-184.106.120.244/use;
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec
esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 184.106.120.244/32 10.129.30.0/24 any -P in ipsec
esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 10.129.30.0/24 184.106.120.244/32 any -P out ipsec
esp/tunnel/184.106.120.244-1.1.1.1/use;
route table - only the routes to the remote network are listed.
192.168.100.0/22 192.168.100.1 UGS 0 131 gif21
192.168.100.1 link#19 UH 0 185 gif21
Packet forwarding is enabled.
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1
Firewall rules
pass in quick all
pass out quick all
What else is needed?
Thanks for all your help.
Jay
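A consistency check for the spdadd policies quoted above, written as an added example that is not part of this thread: it parses each policy and reports tunnel endpoints that do not match the -P direction (an "out" policy must tunnel local->remote, an "in" policy remote->local), and flags the "use" level, which lets traffic fall through in cleartext when no SA exists. It assumes 1.1.1.1 is the local endpoint and 184.106.120.244 the remote, as in the posted configuration.

```python
import re

# Constructed sample: the four spdadd policies from the post, each on one line.
LOCAL, REMOTE = "1.1.1.1", "184.106.120.244"
SPD_LINES = [
    "spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/use;",
    "spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;",
    "spdadd 184.106.120.244/32 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;",
    "spdadd 10.129.30.0/24 184.106.120.244/32 any -P out ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;",
]

SPD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+esp/tunnel/(?P<tsrc>[\d.]+)-(?P<tdst>[\d.]+)/(?P<level>default|use|require);?$"
)

def parse_spdadd(line):
    """Split one 'spdadd ... esp/tunnel/A-B/level;' line into its fields."""
    m = SPD_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised spdadd line: {line}")
    return m.groupdict()

def check_policy(policy, local, remote):
    """Return the problems found in one parsed policy (empty list if none).

    'out' must tunnel local->remote, 'in' remote->local; a mismatch means the
    kernel never finds a matching SA. Level 'use' allows cleartext fallback.
    """
    problems = []
    expected = (local, remote) if policy["dir"] == "out" else (remote, local)
    if (policy["tsrc"], policy["tdst"]) != expected:
        problems.append(
            f"tunnel endpoints {policy['tsrc']}-{policy['tdst']} reversed for "
            f"-P {policy['dir']} (expected {expected[0]}-{expected[1]})"
        )
    if policy["level"] == "use":
        problems.append("level 'use' permits cleartext fallback without an SA; 'require' does not")
    return problems

def audit(lines, local, remote):
    """Map each line's index to the list of problems found in it."""
    return {i: check_policy(parse_spdadd(line), local, remote) for i, line in enumerate(lines)}

if __name__ == "__main__":
    for idx, probs in audit(SPD_LINES, LOCAL, REMOTE).items():
        for p in probs:
            print(f"policy {idx + 1}: {p}")
```

Run against the posted policies it reports the fourth spdadd (an "out" policy whose tunnel runs 184.106.120.244-1.1.1.1) as reversed, and flags all four for using level "use".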