Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 25 Aug 2011 10:52:04 -0500
From:      jhall@socket.net
To:        mike@sentex.net
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Re: Racoon to Cisco ASA 5505 
Message-ID:  <20110825155205.A0D131065670@hub.freebsd.org>
References:  <20110823232242.B78A5106566B@hub.freebsd.org> <4E545899.6090800@sentex.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
> I find wireshark helpful in these cases as it nicely decodes what
> options are being set.  Your racoon conf is set to obey. Its possible
> they are proposing something different to you that you accept, where as
> what you are proposing might not be acceptable
> 
> 	---Mike

My vendor came back to me today and stated they found a configuration 
error on their end.  Their most recent message states the traffic I am 
sending to them through the IPSec tunnel is not encrypted. 

Following is what they sent me from the ASA.

 Crypto map tag: rackmap, seq num: 201, local addr: 184.106.120.244

      access-list 201 extended permit ip 192.168.100.0 255.255.252.0 
10.129.30.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (10.129.30.0/255.255.255.0/0/0)
      current_peer: Jefferson_City

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 789, #pkts decrypt: 789, #pkts verify: 789

    Crypto map tag: rackmap, seq num: 201, local addr: 184.106.120.244

      access-list 201 extended permit ip 192.168.100.0 255.255.252.0 
10.129.10.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (10.129.10.0/255.255.255.0/0/0)
      current_peer: Jefferson_City

      #pkts encaps: 112, #pkts encrypt: 112, #pkts digest: 112
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Usually this indicates that the encryption domains on both sides of the 
VPN are not matched up exactly. If possible, please send us the encryption 
domains and nat-exemptions you currently have configured on the other side 
of the tunnel. 

What concerns me is, if I am reading this correctly, traffic from 
10.129.10.0/24 is not being encrypted and 10.129.10.40 is my end of the 
tunnel.  10.129.30.0/24 lies behind the the 10.129.10.40 server. 

Is it possible for me to check if traffic being sent over the IPSec tunnel 
is being encrypted? 

I am sorry if this is an extremely easy question, but I am really new to 
IPSec. 

Thank you to everyone for their help.


Jay




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20110825155205.A0D131065670>