Racoon to Cisco ASA 5505
Mike Tancsa
mike at sentex.net
Sat Aug 27 01:38:06 UTC 2011
On 8/26/2011 5:09 PM, jhall at socket.net wrote:
>> Yes, post that to the list.
>>
>
> I am not sure if this is the entire configuration or not, but this is what
> they have posted.
>
>
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
>
> crypto map rackmap 201 match address 201
> crypto map rackmap 201 set peer Jefferson_City
> crypto map rackmap 201 set transform-set ESP-3DES-SHA
> crypto map rackmap interface outside
>
> crypto isakmp identity address
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
>
> access-list 201 line 1 extended permit ip 192.168.100.0 255.255.252.0
> 10.129.10.0 255.255.255.0
> access-list 201 line 2 extended permit ip 192.168.100.0 255.255.252.0
> 10.129.20.0 255.255.255.0
> access-list 201 line 3 extended permit ip 192.168.100.0 255.255.252.0
> 10.129.30.0 255.255.255.0
> access-list 201 line 4 extended permit ip 192.168.100.0 255.255.252.0
> 10.129.50.0 255.255.255.0
> access-list 201 line 5 extended permit ip 192.168.100.0 255.255.252.0
> 10.129.60.0 255.255.255.0
> access-list 201 line 6 extended permit ip 192.168.100.0 255.255.252.0
> 10.129.70.0 255.255.255.0
> access-list 201 line 7 extended permit ip 192.168.100.0 255.255.252.0
> 10.129.80.0 255.255.255.0
Get rid of the gif interface as its not needed and make sure you match their policy's. And of course 1.1.1.1 is your actual public IP.
setkey -F
setkey -FP
setkey -f /etc/ipsec.conf
where ipsec.conf has the info below
spdadd 10.129.10.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique;
spdadd 192.168.100.0/22 10.129.10.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique;
spdadd 10.129.20.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique;
spdadd 192.168.100.0/22 10.129.20.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique;
spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique;
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique;
spdadd 10.129.40.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique;
spdadd 192.168.100.0/22 10.129.40.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique;
spdadd 10.129.50.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique;
spdadd 192.168.100.0/22 10.129.50.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique;
again, startup racoon with -d
start tcpdumping the outside interface with the flags -s0 -vvv host 184.106.120.244
>From inside your network,
go to a machine that has an IP within the private range. e.g. 10.129.10.1 and ping the other side
ping -S 10.129.10.1 192.160.100.1
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
More information about the freebsd-questions
mailing list