Racoon to Cisco ASA 5505
jhall at socket.net
jhall at socket.net
Mon Aug 29 11:34:54 UTC 2011
Thank you for all your help!! IT WORKS!!!!!!!
One final question. If I want to clean up my racoon configuration file,
instead of using sainfo anonymous can the following be used instead?
sainfo address 10.129.0.0/16 any address 192.168.100.0/22 any
Thank you again for all your help!
Jay
----------------------------------------------------
>From : Mike Tancsa <mike at sentex.net>
To : jhall at socket.net
Subject : Re: Racoon to Cisco ASA 5505
Date : Fri, 26 Aug 2011 21:37:56 -0400
> On 8/26/2011 5:09 PM, jhall at socket.net wrote:
> >> Yes, post that to the list.
> >>
> >
> > I am not sure if this is the entire configuration or not, but this is
what
> > they have posted.
> >
> >
> > crypto ipsec security-association lifetime seconds 28800
> > crypto ipsec security-association lifetime kilobytes 4608000
> >
> > crypto map rackmap 201 match address 201
> > crypto map rackmap 201 set peer Jefferson_City
> > crypto map rackmap 201 set transform-set ESP-3DES-SHA
> > crypto map rackmap interface outside
> >
> > crypto isakmp identity address
> > crypto isakmp enable outside
> > crypto isakmp policy 10
> > authentication pre-share
> > encryption 3des
> > hash sha
> > group 2
> > lifetime 86400
> >
> > access-list 201 line 1 extended permit ip 192.168.100.0 255.255.252.0
> > 10.129.10.0 255.255.255.0
> > access-list 201 line 2 extended permit ip 192.168.100.0 255.255.252.0
> > 10.129.20.0 255.255.255.0
> > access-list 201 line 3 extended permit ip 192.168.100.0 255.255.252.0
> > 10.129.30.0 255.255.255.0
> > access-list 201 line 4 extended permit ip 192.168.100.0 255.255.252.0
> > 10.129.50.0 255.255.255.0
> > access-list 201 line 5 extended permit ip 192.168.100.0 255.255.252.0
> > 10.129.60.0 255.255.255.0
> > access-list 201 line 6 extended permit ip 192.168.100.0 255.255.252.0
> > 10.129.70.0 255.255.255.0
> > access-list 201 line 7 extended permit ip 192.168.100.0 255.255.252.0
> > 10.129.80.0 255.255.255.0
>
>
> Get rid of the gif interface as its not needed and make sure you match
their policy's. And of course 1.1.1.1 is your actual public IP.
>
>
> setkey -F
> setkey -FP
> setkey -f /etc/ipsec.conf
>
> where ipsec.conf has the info below
>
> spdadd 10.129.10.0/24 192.168.100.0/22 any -P out ipsec
esp/tunnel/1.1.1.1-184.106.120.244/unique;
> spdadd 192.168.100.0/22 10.129.10.0/24 any -P in ipsec
esp/tunnel/184.106.120.244-1.1.1.1/unique;
> spdadd 10.129.20.0/24 192.168.100.0/22 any -P out ipsec
esp/tunnel/1.1.1.1-184.106.120.244/unique;
> spdadd 192.168.100.0/22 10.129.20.0/24 any -P in ipsec
esp/tunnel/184.106.120.244-1.1.1.1/unique;
> spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec
esp/tunnel/1.1.1.1-184.106.120.244/unique;
> spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec
esp/tunnel/184.106.120.244-1.1.1.1/unique;
> spdadd 10.129.40.0/24 192.168.100.0/22 any -P out ipsec
esp/tunnel/1.1.1.1-184.106.120.244/unique;
> spdadd 192.168.100.0/22 10.129.40.0/24 any -P in ipsec
esp/tunnel/184.106.120.244-1.1.1.1/unique;
> spdadd 10.129.50.0/24 192.168.100.0/22 any -P out ipsec
esp/tunnel/1.1.1.1-184.106.120.244/unique;
> spdadd 192.168.100.0/22 10.129.50.0/24 any -P in ipsec
esp/tunnel/184.106.120.244-1.1.1.1/unique;
>
>
> again, startup racoon with -d
> start tcpdumping the outside interface with the flags -s0 -vvv host
184.106.120.244
>
> From inside your network,
> go to a machine that has an IP within the private range. e.g.
10.129.10.1 and ping the other side
>
> ping -S 10.129.10.1 192.160.100.1
>
> ---Mike
>
>
>
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike at sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/
More information about the freebsd-questions
mailing list