From owner-freebsd-questions@FreeBSD.ORG Thu Aug 25 15:52:05 2011
From: jhall@socket.net
To: mike@sentex.net
Cc: freebsd-questions@freebsd.org
Date: Thu, 25 Aug 2011 10:52:04 -0500
Subject: Re: Re: Racoon to Cisco ASA 5505
Message-Id: <20110825155205.A0D131065670@hub.freebsd.org>
References: <20110823232242.B78A5106566B@hub.freebsd.org> <4E545899.6090800@sentex.net>
User-Agent: Socket WebMail

> I find wireshark helpful in these cases as it nicely decodes what
> options are being set. Your racoon conf is set to obey. It's possible
> they are proposing something different to you that you accept, whereas
> what you are proposing might not be acceptable
>
> ---Mike

My vendor came back to me today and stated they found a configuration error on their end. Their most recent message states the traffic I am sending to them through the IPSec tunnel is not encrypted. Following is what they sent me from the ASA.
    Crypto map tag: rackmap, seq num: 201, local addr: 184.106.120.244
      access-list 201 extended permit ip 192.168.100.0 255.255.252.0 10.129.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (10.129.30.0/255.255.255.0/0/0)
      current_peer: Jefferson_City
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 789, #pkts decrypt: 789, #pkts verify: 789

    Crypto map tag: rackmap, seq num: 201, local addr: 184.106.120.244
      access-list 201 extended permit ip 192.168.100.0 255.255.252.0 10.129.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (10.129.10.0/255.255.255.0/0/0)
      current_peer: Jefferson_City
      #pkts encaps: 112, #pkts encrypt: 112, #pkts digest: 112
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    Usually this indicates that the encryption domains on both sides of the VPN are not matched up exactly. If possible, please send us the encryption domains and nat-exemptions you currently have configured on the other side of the tunnel.

What concerns me is, if I am reading this correctly, traffic from 10.129.10.0/24 is not being encrypted and 10.129.10.40 is my end of the tunnel. 10.129.30.0/24 lies behind the 10.129.10.40 server.

Is it possible for me to check if traffic being sent over the IPSec tunnel is being encrypted? I am sorry if this is an extremely easy question, but I am really new to IPSec.

Thank you to everyone for their help.

Jay
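The ASA counters quoted above can be read mechanically: `#pkts encaps`/`#pkts encrypt` count packets the ASA encrypted and sent into the tunnel for that selector pair, and `#pkts decaps`/`#pkts decrypt` count packets it received from the peer and decrypted. A selector with one side at zero is a one-way tunnel, and the usual cause the vendor names (mismatched encryption domains) shows up as a missing mirror-image policy on the other side. The script below is an added example, not part of this thread or of the racoon/ipsec-tools project; it parses the ASA output (constructed here from the quoted text) and a hypothetical FreeBSD `setkey -DP` SPD dump (assumed, not Jay's real configuration, with 10.129.10.40 and 184.106.120.244 as the tunnel endpoints) and reports, per ASA crypto map entry, the traffic direction and whether the FreeBSD side carries the matching `out` (FreeBSD to ASA) and `in` (ASA to FreeBSD) policies.

```python
import ipaddress
import re

# Constructed sample: the two "show crypto ipsec sa" entries quoted in the mail.
ASA_OUTPUT = """
Crypto map tag: rackmap, seq num: 201, local addr: 184.106.120.244
  local ident (addr/mask/prot/port): (192.168.100.0/255.255.252.0/0/0)
  remote ident (addr/mask/prot/port): (10.129.30.0/255.255.255.0/0/0)
  current_peer: Jefferson_City
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 789, #pkts decrypt: 789, #pkts verify: 789
Crypto map tag: rackmap, seq num: 201, local addr: 184.106.120.244
  local ident (addr/mask/prot/port): (192.168.100.0/255.255.252.0/0/0)
  remote ident (addr/mask/prot/port): (10.129.10.0/255.255.255.0/0/0)
  current_peer: Jefferson_City
  #pkts encaps: 112, #pkts encrypt: 112, #pkts digest: 112
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Hypothetical FreeBSD SPD in the layout `setkey -DP` prints; assumed for the
# example, not the configuration from the thread. It only covers 10.129.30.0/24.
FREEBSD_SPD = """
10.129.30.0/24[any] 192.168.100.0/22[any] any
        out ipsec
        esp/tunnel/10.129.10.40-184.106.120.244/require
192.168.100.0/22[any] 10.129.30.0/24[any] any
        in ipsec
        esp/tunnel/184.106.120.244-10.129.10.40/require
"""

ASA_RE = re.compile(
    r"local ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/\d+/\d+\).*?"
    r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/\d+/\d+\).*?"
    r"#pkts encaps: (\d+),.*?#pkts decaps: (\d+),",
    re.S,
)
SPD_RE = re.compile(r"(\S+)\[any\]\s+(\S+)\[any\]\s+any\s+(in|out) ipsec")


def parse_asa_sa(text):
    """Return one dict per crypto map entry: local/remote selectors and counters."""
    entries = []
    for local, lmask, remote, rmask, enc, dec in ASA_RE.findall(text):
        entries.append({
            # ip_network accepts a dotted netmask, so 255.255.252.0 becomes /22.
            "local": ipaddress.ip_network(f"{local}/{lmask}"),
            "remote": ipaddress.ip_network(f"{remote}/{rmask}"),
            "encaps": int(enc),
            "decaps": int(dec),
        })
    return entries


def parse_setkey_spd(text):
    """Return the set of (src, dst, direction) policies from a setkey -DP dump."""
    return {
        (ipaddress.ip_network(src), ipaddress.ip_network(dst), direction)
        for src, dst, direction in SPD_RE.findall(text)
    }


def classify(entry):
    """Describe the ASA's view of traffic flow for one selector pair."""
    if entry["encaps"] and entry["decaps"]:
        return "bidirectional"
    if entry["encaps"]:
        return "asa-sends-only"      # ASA encrypts toward the peer, nothing comes back
    if entry["decaps"]:
        return "asa-receives-only"   # peer sends encrypted traffic, ASA sends none
    return "idle"


def check_selectors(entries, spd):
    """For each ASA selector, check that the FreeBSD SPD holds the mirror policies."""
    findings = []
    for e in entries:
        want_out = (e["remote"], e["local"], "out")   # FreeBSD -> ASA direction
        want_in = (e["local"], e["remote"], "in")     # ASA -> FreeBSD direction
        findings.append({
            "local": str(e["local"]),
            "remote": str(e["remote"]),
            "traffic": classify(e),
            "freebsd_out_policy": want_out in spd,
            "freebsd_in_policy": want_in in spd,
        })
    return findings


if __name__ == "__main__":
    for f in check_selectors(parse_asa_sa(ASA_OUTPUT), parse_setkey_spd(FREEBSD_SPD)):
        print(f)
```

With the assumed SPD, the 10.129.30.0/24 entry has both mirror policies but is receive-only from the ASA's point of view, while the 10.129.10.0/24 entry has no policy at all on the FreeBSD side. For the on-wire check Jay asks about, the direct method is a capture on the FreeBSD external interface: packets leaving for the peer that are not ESP (a pcap filter such as `host 184.106.120.244 and not esp`, interface name assumed) are the ones going out in the clear.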