Date:      Thu, 25 Aug 2011 14:39:12 -0400
From:      Mike Tancsa <>
Subject:   Re: Racoon to Cisco ASA 5505
Message-ID:  <>
In-Reply-To: <>
References:  <>	<> <>

On 8/25/2011 11:52 AM, wrote:
>> I find wireshark helpful in these cases as it nicely decodes what
>> options are being set.  Your racoon conf is set to obey. It's possible
>> they are proposing something different to you that you accept, whereas
>> what you are proposing might not be acceptable
> My vendor came back to me today and stated they found a configuration 
> error on their end.  Their most recent message states the traffic I am 
> sending to them through the IPSec tunnel is not encrypted. 

What does your actual policy look like? Is this the only ipsec config
on your box? If so, let's say your public IP is and their ip is

try adding this to /etc/ipsec.conf

spdadd any -P out ipsec
spdadd any -P in  ipsec

do a
setkey -F
setkey -FP
setkey -f /etc/ipsec.conf

This is saying that you will create an ipsec policy between 2 networks.
Your side behind and their side behind
The policy states that packets with a source address of
destined to will be encapsulated in an ipsec tunnel.
Similarly, everything going the other direction - going
to And *only* those packets.  If you have a packet
with a source address of destined to, it will
not be passed through the tunnel.

> Following is what they sent me from the ASA.
>  Crypto map tag: rackmap, seq num: 201, local addr:
>       access-list 201 extended permit ip 
>       local ident (addr/mask/prot/port): (
>       remote ident (addr/mask/prot/port): (
>       current_peer: Jefferson_City

You then need to make sure your key exchange settings agree. Ask them
for that portion of the ASA's config.

You are proposing
exchange_mode main,base,aggressive;
You are known to them by IP (my_identifier address)
You should probably add
peers_identifier address;
and then make sure in your psk.txt file you have something like the-secret-psk-you-agreed-on

Also, make sure their side is expecting 3des and hmac is sha1 or md5 as
you posted in your original config.

On your public wan interface, do a tcpdump of the remote IP. e.g. if it's
em0, do

tcpdump -ni em0 -s0 -w /tmp/186.pcap host

start up racoon with the debug flag
and from your network, try and ping an IP in their private network from
your private network

ping -S

When testing ipsec, get in the habit of ALWAYS specifying the source IP
so that you know the packet you are generating falls within the policy
you have specified.

If things don't work, look at the racoon logs for clues as well as look
at the pcap afterwards with -vvvv
tcpdump -vvvv -nr /tmp/186.pcap port 500

if it worked and you get a ping response, look at the full traffic to
make sure it's ESP and that the contents are indeed encrypted.

Mike Tancsa, tel +1 519 651 3400
Sentex Communications,
Providing Internet services since 1994
Cambridge, Ontario Canada
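An added example, not part of this e-mail or of the racoon/setkey projects, that works through the SPD selector logic described above: it parses the two `spdadd` policy lines from an ipsec.conf and checks whether a given packet falls inside the policy, which is why the source address in `ping -S` matters. The addresses are constructed from RFC 5737 documentation ranges because the real ones were elided from the message (local LAN 192.0.2.0/24 behind gateway 203.0.113.1, remote LAN 198.51.100.0/24 behind 203.0.113.2).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy (RFC 5737 addresses), written in setkey's
# "spdadd SRC DST PROTO -P DIR ipsec PROTO/MODE/LOCAL-REMOTE/LEVEL" form.
SAMPLE_SPD = """
spdadd 192.0.2.0/24 198.51.100.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.0/24 192.0.2.0/24 any -P in  ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network   # selector: inner source network
    dst: ipaddress.IPv4Network   # selector: inner destination network
    direction: str               # "in" or "out"
    tunnel: tuple                # (local gateway, remote gateway)


def parse_spd(text):
    """Parse setkey 'spdadd' lines into Policy objects; other lines are ignored."""
    policies = []
    for line in text.splitlines():
        parts = line.strip().rstrip(";").split()
        if not parts or parts[0] != "spdadd":
            continue
        src, dst, _proto, flag, direction, _ipsec, spec = parts[1:8]
        if flag != "-P":
            raise ValueError("expected -P in: " + line)
        _esp, _mode, endpoints, _level = spec.split("/")
        local, remote = endpoints.split("-")
        policies.append(Policy(ipaddress.ip_network(src),
                               ipaddress.ip_network(dst),
                               direction, (local, remote)))
    return policies


def match_policy(policies, src_ip, dst_ip, direction):
    """Return the first policy whose selectors cover the packet, else None.

    A packet that matches no policy is sent in the clear, not through the
    tunnel; that is the "*only* those packets" rule from the message.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == direction and src in p.src and dst in p.dst:
            return p
    return None
```

A ping sourced from the gateway's public address instead of the LAN address matches neither policy, which is exactly the case the `-S` habit guards against.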
