Date:      Fri, 26 Aug 2011 13:40:37 -0500
From:      jhall@socket.net
To:        mike@sentex.net
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Re: Racoon to Cisco ASA 5505 
Message-ID:  <20110826184037.973F11065673@hub.freebsd.org>
References:  <20110823232242.B78A5106566B@hub.freebsd.org> <4E545899.6090800@sentex.net> <20110825155205.A0D131065670@hub.freebsd.org> <4E5696D0.3000205@sentex.net> <201108261742.p7QHgS2H095637@smtp1.sentex.ca> <4E57E2B1.9000508@sentex.net>

> IP-IP interface ? (GIF). If you are using that, then you will need very
> different policies on both sides.  You should mention these little
> "details" when posting your configs.  Can you please post your FULL
> configuration / topology. Otherwise, its kind of impossible to know what
> the issue might be
> 
> 	---Mike

Connecting 10.129.0.0/16 to 192.168.100.0/22.  Their router is 
192.168.100.1, and my BSD box is 10.129.10.40. 

GIF is configured as follows.

gif21: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
	tunnel inet 1.1.1.1 --> 184.106.120.244
	inet 10.129.10.40 --> 192.168.100.1 netmask 0xff000000 
	options=1<ACCEPT_REV_ETHIP_VER>

racoon.conf

remote 184.106.120.244
{
        exchange_mode main,base,aggressive;
#       exchange_mode main,passive;
        doi ipsec_doi;
        situation identity_only;
        mode_cfg on;
        my_identifier address 65.117.48.155;
#       certificate_type x509 "my.cert.pem" "my.key.pem";

#       nonce_size 16;
#       initial_contact on;
        lifetime time 86400 secs;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 1.1.1.1/32 any address 184.106.120.244 any
{
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 28800 secs;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

setkey - only one site is shown since the others are simply a copy of this one.

spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/use;
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 184.106.120.244/32 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 10.129.30.0/24 184.106.120.244/32 any -P out ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;

route table - only the routes to the remote network are listed.
192.168.100.0/22   192.168.100.1      UGS         0      131  gif21
192.168.100.1      link#19            UH          0      185  gif21

Packet forwarding is enabled.
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Firewall rules
pass in quick all
pass out quick all

What else is needed?

Thanks for all your help.
Jay
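A consistency check over the spdadd lines posted above, added here as an example and not part of Jay's post or the thread. It parses the setkey policies, flags tunnel endpoints whose order does not match the policy direction (an "out" policy should tunnel from the local address, an "in" policy to it), checks that each selector has a mirrored policy, and notes that level "use" lets traffic pass in cleartext when no SA exists; the local endpoint 1.1.1.1 is taken from the GIF configuration above.

```python
import re

# Constructed sample input: the four spdadd statements quoted in the post,
# with 1.1.1.1 as the local tunnel endpoint (as in the GIF configuration).
LOCAL_ENDPOINT = "1.1.1.1"
SPD_TEXT = """
spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/use;
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 184.106.120.244/32 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 10.129.30.0/24 184.106.120.244/32 any -P out ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
"""

# One spdadd statement: selector src/dst, upper-layer protocol, direction, and a
# tunnel-mode ESP/AH request with its endpoints and level (use/require/default).
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<ipproto>esp|ah)/tunnel/(?P<tsrc>[\d.]+)-(?P<tdst>[\d.]+)/(?P<level>\w+)\s*;"
)

def parse_spd(text):
    """Return the spdadd statements found in text as dicts, in order."""
    return [m.groupdict() for m in SPD_RE.finditer(text)]

def check_policies(text, local):
    """Return (policy_no, kind, message) findings for a setkey SPD listing."""
    pols = parse_spd(text)
    findings = []
    for n, p in enumerate(pols, 1):
        # Tunnel endpoints must follow the direction: out = local->remote, in = remote->local.
        if p["dir"] == "out" and p["tsrc"] != local:
            findings.append((n, "direction", f"out policy tunnels from {p['tsrc']}, expected local {local}"))
        if p["dir"] == "in" and p["tdst"] != local:
            findings.append((n, "direction", f"in policy tunnels to {p['tdst']}, expected local {local}"))
        # Level 'use' passes traffic in cleartext when no SA exists; 'require' refuses it.
        if p["level"] == "use":
            findings.append((n, "level", "level 'use' permits cleartext fallback; 'require' enforces ESP"))
    # Every out selector should have a mirrored in selector, and vice versa.
    selectors = {(p["dir"], p["src"], p["dst"]) for p in pols}
    for n, p in enumerate(pols, 1):
        other = "in" if p["dir"] == "out" else "out"
        if (other, p["dst"], p["src"]) not in selectors:
            findings.append((n, "mirror", f"no matching {other} policy for {p['dst']} -> {p['src']}"))
    return findings

if __name__ == "__main__":
    for n, kind, msg in check_policies(SPD_TEXT, LOCAL_ENDPOINT):
        print(f"policy {n} [{kind}]: {msg}")
```

On the posted listing the fourth policy is reported: it is an "out" policy whose tunnel runs 184.106.120.244-1.1.1.1, the opposite order from the first "out" policy.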