Date:      Thu, 25 Aug 2011 10:52:04 -0500
From:      jhall@socket.net
To:        mike@sentex.net
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Re: Racoon to Cisco ASA 5505 
Message-ID:  <20110825155205.A0D131065670@hub.freebsd.org>
References:  <20110823232242.B78A5106566B@hub.freebsd.org> <4E545899.6090800@sentex.net>

> I find wireshark helpful in these cases as it nicely decodes what
> options are being set.  Your racoon conf is set to obey. Its possible
> they are proposing something different to you that you accept, where as
> what you are proposing might not be acceptable
> 
> 	---Mike

My vendor came back to me today and stated they found a configuration 
error on their end.  Their most recent message states the traffic I am 
sending to them through the IPSec tunnel is not encrypted. 

Following is what they sent me from the ASA.

 Crypto map tag: rackmap, seq num: 201, local addr: 184.106.120.244

      access-list 201 extended permit ip 192.168.100.0 255.255.252.0 
10.129.30.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (10.129.30.0/255.255.255.0/0/0)
      current_peer: Jefferson_City

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 789, #pkts decrypt: 789, #pkts verify: 789

    Crypto map tag: rackmap, seq num: 201, local addr: 184.106.120.244

      access-list 201 extended permit ip 192.168.100.0 255.255.252.0 
10.129.10.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (10.129.10.0/255.255.255.0/0/0)
      current_peer: Jefferson_City

      #pkts encaps: 112, #pkts encrypt: 112, #pkts digest: 112
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Usually this indicates that the encryption domains on both sides of the 
VPN are not matched up exactly. If possible, please send us the encryption 
domains and nat-exemptions you currently have configured on the other side 
of the tunnel. 

What concerns me is, if I am reading this correctly, traffic from 
10.129.10.0/24 is not being encrypted and 10.129.10.40 is my end of the 
tunnel.  10.129.30.0/24 lies behind the 10.129.10.40 server. 

Is it possible for me to check if traffic being sent over the IPSec tunnel 
is being encrypted? 

I am sorry if this is an extremely easy question, but I am really new to 
IPSec. 

Thank you to everyone for their help.


Jay
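The ASA excerpt above shows the pattern the vendor is pointing at: each crypto map entry counts packets it encapsulated (sent into the tunnel) and decapsulated (received from the tunnel), and on both entries one of the two counters is zero. The following script is an added example, not code from the thread or from Cisco; it parses `show crypto ipsec sa`-style output, pulls the traffic selectors and the encaps/decaps counters for each entry, and flags entries where traffic is flowing in one direction only. The sample input is the excerpt from the mail with the wrapped `access-list` lines rejoined; the field layout it relies on (`Crypto map tag:`, `local ident`, `remote ident`, `current_peer`, `#pkts encaps`/`#pkts decaps`) is the one visible in that excerpt.

```python
import re
from collections import namedtuple

# Sample input: the ASA excerpt quoted in the mail above, with the wrapped
# access-list lines joined back together. Addresses and counters are the
# ones from the mail.
SAMPLE_ASA_OUTPUT = """\
 Crypto map tag: rackmap, seq num: 201, local addr: 184.106.120.244

      access-list 201 extended permit ip 192.168.100.0 255.255.252.0 10.129.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (10.129.30.0/255.255.255.0/0/0)
      current_peer: Jefferson_City

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 789, #pkts decrypt: 789, #pkts verify: 789

    Crypto map tag: rackmap, seq num: 201, local addr: 184.106.120.244

      access-list 201 extended permit ip 192.168.100.0 255.255.252.0 10.129.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (10.129.10.0/255.255.255.0/0/0)
      current_peer: Jefferson_City

      #pkts encaps: 112, #pkts encrypt: 112, #pkts digest: 112
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

SaEntry = namedtuple("SaEntry", "local_ident remote_ident peer encaps decaps")

_IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")
_PEER_RE = re.compile(r"current_peer:\s*(\S+)")
_COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_crypto_sa(text):
    """Split 'show crypto ipsec sa' output into one SaEntry per crypto map block."""
    entries = []
    # Every block starts at a "Crypto map tag:" line; whatever precedes the
    # first one is not part of any entry and is dropped.
    blocks = re.split(r"(?m)^\s*Crypto map tag:", text)[1:]
    for block in blocks:
        idents = dict(_IDENT_RE.findall(block))          # {"local": ..., "remote": ...}
        counters = {k: int(v) for k, v in _COUNTER_RE.findall(block)}
        peer = _PEER_RE.search(block)
        entries.append(SaEntry(
            local_ident=idents.get("local"),
            remote_ident=idents.get("remote"),
            peer=peer.group(1) if peer else None,
            encaps=counters.get("encaps", 0),
            decaps=counters.get("decaps", 0),
        ))
    return entries


def classify(entry):
    """Label the traffic seen on one SA from its packet counters.

    "asymmetric" is the situation the vendor describes: packets cross the
    tunnel in one direction only, which usually means the traffic selectors
    (encryption domains) or NAT exemptions on the two peers do not match."""
    if entry.encaps and entry.decaps:
        return "bidirectional"
    if entry.encaps or entry.decaps:
        return "asymmetric"
    return "idle"


def report(text):
    """Return (remote_ident, encaps, decaps, label) for every SA in the output."""
    return [(e.remote_ident, e.encaps, e.decaps, classify(e))
            for e in parse_crypto_sa(text)]


if __name__ == "__main__":
    for remote, enc, dec, label in report(SAMPLE_ASA_OUTPUT):
        print(f"{remote:36} encaps={enc:<5} decaps={dec:<5} {label}")
```

Run on the excerpt, both entries come out as `asymmetric`: the 10.129.30.0/24 entry has only decapsulated packets and the 10.129.10.0/24 entry has only encapsulated ones. Comparing the `local ident`/`remote ident` pairs printed here against the selectors in racoon's SPD on the FreeBSD side (`setkey -DP`) is the quickest way to see whether the encryption domains line up. For the question of whether the traffic actually leaves encrypted, watching the outer interface with `tcpdump -ni <iface> esp` shows the ESP packets going to the peer, while a capture filtered on the inner addresses on that same interface should show nothing in the clear.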
