Date:      Tue, 23 Aug 2011 21:49:13 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        jhall@socket.net
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Racoon to Cisco ASA 5505
Message-ID:  <4E545899.6090800@sentex.net>
In-Reply-To: <20110823232242.B78A5106566B@hub.freebsd.org>
References:  <20110823232242.B78A5106566B@hub.freebsd.org>

On 8/23/2011 7:22 PM, jhall@socket.net wrote:
> I have run into a weird situation, and I do not know if the problem lies 
> on my side of the connection or my vendor's. 
> 
> The tunnel comes up only after the vendor sends traffic to me.  My side of 
> the tunnel shows up and using tcpdump, I see packets flowing out the 
> correct interface, to the correct IP address, but nothing is returned 
> until the device(s) behind the vendor's ASA attempt to send traffic to me. 
> 
> Attached is the relevant output from setkey -DP
> 
> 10.129.10.0/24[any] 192.168.100.0/22[any] any
> 	out ipsec
> 	esp/tunnel/1.1.1.1-2.2.2.2/use
> 	spid=357 seq=7 pid=12885
> 	refcnt=1
> 10.129.80.0/24[any] 192.168.100.0/22[any] any
> 	out ipsec
> 	esp/tunnel/1.1.1.1-2.2.2.2/use
> 	spid=359 seq=6 pid=12885
> 	refcnt=1
> 
> I am using anonymous because, if I am reading the logs right, that is 
> being requested. 
> 
> I am using a PF firewall with pass in quick and pass out quick rules.  
> This is just for testing and will be tightened later. 
> 
> What additional information is needed?
> 

Run pfctl -d and then try again, just to totally rule out pf. Also, with pf it's
helpful to always log everything, including pass rules, as it helps to
narrow down issues. If it's still not working, show the output of the
tunnel coming up when the other side initiates the tunnel and then show
the tcpdump of when you try to initiate it:  tcpdump -s0 -vvv -ni
<interface> port 500

I find Wireshark helpful in these cases as it nicely decodes what
options are being set.  Your racoon conf is set to obey. It's possible
they are proposing something different to you that you accept, whereas
what you are proposing might not be acceptable.

	---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
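The comparison Mike suggests (decode what each side proposes in the port 500 exchange and check it against the local racoon proposals) can be done without Wireshark by parsing the IKEv1 SA payload directly. The block below is an added example, not code from this thread or from racoon: it decodes the transforms in an ISAKMP main-mode message and reports which of the peer's transforms match none of the locally configured proposals. The message bytes are constructed in the block itself with `build_main_mode_sa()` rather than taken from a capture, and `LOCAL_PROPOSALS` stands in for an assumed racoon.conf `proposal` block (3DES, SHA1, pre-shared key, DH group 2); to use it on a live exchange, hand `parse_sa_payload()` the UDP payload of a port 500 packet from the tcpdump capture. Note that racoon's `proposal_check obey` only relaxes lifetime and PFS-group checking; the encryption, hash, authentication method and DH group still have to match a local proposal, so those are what the comparison looks at.

```python
"""Decode the SA payload of an IKEv1 (ISAKMP) main-mode message and check the
peer's transforms against locally configured proposals (added example)."""
import struct

PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 1, 2, 3   # RFC 2408 payload types

# Phase 1 attribute classes and values (RFC 2409 Appendix A)
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group",
              11: "life_type", 12: "life", 14: "keylen"}
VALUE_NAMES = {
    "enc": {1: "des", 5: "3des", 7: "aes"},
    "hash": {1: "md5", 2: "sha1"},
    "auth": {1: "psk", 3: "rsasig"},
    "group": {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"},
    "life_type": {1: "seconds", 2: "kilobytes"},
}
# Attributes that must agree regardless of racoon's proposal_check setting
# (obey relaxes only lifetime and PFS-group checking).
ALG_KEYS = ("enc", "keylen", "hash", "auth", "group")


def parse_attributes(data):
    """Decode ISAKMP data attributes: TV when the type's high bit is set, else TLV."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, val = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:                      # TV: 16-bit value carried inline
            atype, value = atype & 0x7FFF, val
        else:                                   # TLV: val is the length of the value
            value = int.from_bytes(data[off:off + val], "big")
            off += val
        name = ATTR_NAMES.get(atype, "attr%d" % atype)
        attrs[name] = VALUE_NAMES.get(name, {}).get(value, value)
    return attrs


def parse_sa_payload(msg):
    """Return the transforms of the first SA payload as a list of attribute dicts."""
    if len(msg) < 28:
        raise ValueError("short ISAKMP header")
    next_payload = msg[16]
    length = struct.unpack_from("!I", msg, 24)[0]
    if length != len(msg):
        raise ValueError("ISAKMP length %d != %d bytes present" % (length, len(msg)))
    off = 28
    while next_payload != 0:                    # walk the generic payload chain
        np, _res, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length at offset %d" % off)
        if next_payload == PAYLOAD_SA:          # skip generic header, DOI and situation
            return _parse_proposals(msg[off + 12:off + plen])
        next_payload, off = np, off + plen
    raise ValueError("no SA payload in message")


def _parse_proposals(data):
    transforms, off, np = [], 0, PAYLOAD_PROPOSAL
    while np == PAYLOAD_PROPOSAL and off + 8 <= len(data):
        np, _res, plen, _pnum, _proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        toff = off + 8 + spi_size
        for _ in range(ntrans):
            _tnp, _r, tlen, tnum, _tid = struct.unpack_from("!BBHBB", data, toff)
            attrs = parse_attributes(data[toff + 8:toff + tlen])
            attrs["transform"] = tnum
            transforms.append(attrs)
            toff += tlen
        off += plen
    return transforms


def unmatched_transforms(peer_transforms, local_proposals):
    """Peer transforms whose algorithm attributes match none of the local proposals."""
    return [t for t in peer_transforms
            if not any(all(t.get(k) == p.get(k) for k in ALG_KEYS) for p in local_proposals)]


def _attr(atype, value):
    if value <= 0xFFFF:
        return struct.pack("!HH", 0x8000 | atype, value)
    raw = value.to_bytes(4, "big")              # e.g. an 86400 s lifetime needs TLV
    return struct.pack("!HH", atype, len(raw)) + raw


def build_main_mode_sa(transform_attr_lists):
    """Construct an ISAKMP main-mode message with one proposal and the given transforms."""
    tbodies = []
    for i, attrs in enumerate(transform_attr_lists):
        nxt = PAYLOAD_TRANSFORM if i + 1 < len(transform_attr_lists) else 0
        body = b"".join(_attr(t, v) for t, v in attrs)
        tbodies.append(struct.pack("!BBHBBH", nxt, 0, 8 + len(body), i + 1, 1, 0) + body)
    tbytes = b"".join(tbodies)
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(tbytes), 1, 1, 0, len(tbodies)) + tbytes
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal   # DOI 1 = IPsec
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\0" * 8, PAYLOAD_SA, 0x10, 2, 0, 0, 28 + len(sa))
    return hdr + sa


# Constructed sample: a peer offering AES-256/SHA1/PSK/group 2 and 3DES/SHA1/PSK/group 2.
SAMPLE_MESSAGE = build_main_mode_sa([
    [(1, 7), (14, 256), (2, 2), (3, 1), (4, 2), (11, 1), (12, 86400)],
    [(1, 5), (2, 2), (3, 1), (4, 2), (11, 1), (12, 86400)],
])
# Assumed local racoon.conf proposal: 3des / sha1 / pre_shared_key / dh_group 2.
LOCAL_PROPOSALS = [{"enc": "3des", "hash": "sha1", "auth": "psk", "group": "modp1024"}]

if __name__ == "__main__":
    peer = parse_sa_payload(SAMPLE_MESSAGE)
    for t in peer:
        print("peer transform %d: %s" % (t["transform"], t))
    for t in unmatched_transforms(peer, LOCAL_PROPOSALS):
        print("no local proposal matches transform %d" % t["transform"])
```

Run it against both directions of the exchange: the peer's first main-mode message when they bring the tunnel up, and your own when you initiate. A transform that only appears in one direction, or that matches nothing on the other side, is the mismatch Wireshark would otherwise show you.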



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?4E545899.6090800>