Date: Mon, 29 Aug 2011 06:34:53 -0500 From: jhall@socket.net To: mike@sentex.net Cc: freebsd-questions@freebsd.org Subject: Re: Re: Racoon to Cisco ASA 5505 Message-ID: <20110829113454.6FBCD106566C@hub.freebsd.org> References: <20110823232242.B78A5106566B@hub.freebsd.org> <4E545899.6090800@sentex.net> <20110825155205.A0D131065670@hub.freebsd.org> <4E5696D0.3000205@sentex.net> <201108261742.p7QHgS2H095637@smtp1.sentex.ca> <4E57E2B1.9000508@sentex.net> <201108261840.p7QIebBP015777@smtp2.sentex.ca> <4E57EBED.7070900@sentex.net> <201108262052.p7QKqoTE002569@smtp2.sentex.ca> <4E5809A3.6020306@sentex.net> <201108262109.p7QL9dvU009914@smtp2.sentex.ca> <4E584A74.70608@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Thank you for all your help!! IT WORKS!!!!!!! One final question. If I want to clean up my racoon configuration file, instead of using sainfo anonymous can the following be used instead? sainfo address 10.129.0.0/16 any address 192.168.100.0/22 any Thank you again for all your help! Jay ---------------------------------------------------- >From : Mike Tancsa <mike@sentex.net> To : jhall@socket.net Subject : Re: Racoon to Cisco ASA 5505 Date : Fri, 26 Aug 2011 21:37:56 -0400 > On 8/26/2011 5:09 PM, jhall@socket.net wrote: > >> Yes, post that to the list. > >> > > > > I am not sure if this is the entire configuration or not, but this is what > > they have posted. > > > > > > crypto ipsec security-association lifetime seconds 28800 > > crypto ipsec security-association lifetime kilobytes 4608000 > > > > crypto map rackmap 201 match address 201 > > crypto map rackmap 201 set peer Jefferson_City > > crypto map rackmap 201 set transform-set ESP-3DES-SHA > > crypto map rackmap interface outside > > > > crypto isakmp identity address > > crypto isakmp enable outside > > crypto isakmp policy 10 > > authentication pre-share > > encryption 3des > > hash sha > > group 2 > > lifetime 86400 > > > > access-list 201 line 1 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.10.0 255.255.255.0 > > access-list 201 line 2 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.20.0 255.255.255.0 > > access-list 201 line 3 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.30.0 255.255.255.0 > > access-list 201 line 4 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.50.0 255.255.255.0 > > access-list 201 line 5 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.60.0 255.255.255.0 > > access-list 201 line 6 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.70.0 255.255.255.0 > > access-list 201 line 7 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.80.0 255.255.255.0 > > > Get rid of the gif interface as its not needed and make sure you match their policy's. And of course 1.1.1.1 is your actual public IP. > > > setkey -F > setkey -FP > setkey -f /etc/ipsec.conf > > where ipsec.conf has the info below > > spdadd 10.129.10.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; > spdadd 192.168.100.0/22 10.129.10.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; > spdadd 10.129.20.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; > spdadd 192.168.100.0/22 10.129.20.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; > spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; > spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; > spdadd 10.129.40.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; > spdadd 192.168.100.0/22 10.129.40.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; > spdadd 10.129.50.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; > spdadd 192.168.100.0/22 10.129.50.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; > > > again, startup racoon with -d > start tcpdumping the outside interface with the flags -s0 -vvv host 184.106.120.244 > > From inside your network, > go to a machine that has an IP within the private range. e.g. 10.129.10.1 and ping the other side > > ping -S 10.129.10.1 192.160.100.1 > > ---Mike > > > > > -- > ------------------- > Mike Tancsa, tel +1 519 651 3400 > Sentex Communications, mike@sentex.net > Providing Internet services since 1994 www.sentex.net > Cambridge, Ontario Canada http://www.tancsa.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110829113454.6FBCD106566C>