Date: Fri, 26 Aug 2011 13:40:37 -0500
From: jhall@socket.net
To: mike@sentex.net
Cc: freebsd-questions@freebsd.org
Subject: Re: Re: Racoon to Cisco ASA 5505
Message-ID: <20110826184037.973F11065673@hub.freebsd.org>
References: <20110823232242.B78A5106566B@hub.freebsd.org> <4E545899.6090800@sentex.net> <20110825155205.A0D131065670@hub.freebsd.org> <4E5696D0.3000205@sentex.net> <201108261742.p7QHgS2H095637@smtp1.sentex.ca> <4E57E2B1.9000508@sentex.net>
> IP-IP interface ? (GIF). If you are using that, then you will need very
> different policies on both sides. You should mention these little
> "details" when posting your configs. Can you please post your FULL
> configuration / topology. Otherwise, it's kind of impossible to know what
> the issue might be
>
> ---Mike

Connecting 10.129.0.0/16 to 192.168.100.0/22. Their router is 192.168.100.1, and my BSD box is 10.129.10.40.

GIF is configured as follows.

gif21: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 1.1.1.1 --> 184.106.120.244
        inet 10.129.10.40 --> 192.168.100.1 netmask 0xff000000
        options=1<ACCEPT_REV_ETHIP_VER>

racoon.conf

remote 184.106.120.244 {
        exchange_mode main,base,aggressive;
        # exchange_mode main,passive;
        doi ipsec_doi;
        situation identity_only;
        mode_cfg on;
        my_identifier address 65.117.48.155;
        # certificate_type x509 "my.cert.pem" "my.key.pem";
        # nonce_size 16;
        # initial_contact on;
        lifetime time 86400 secs;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 1.1.1.1/32 any address 184.106.120.244 any {
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 28800 secs;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

setkey - only one site is shown since the others are simply a copy of this one.

spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/use;
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 184.106.120.244/32 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 10.129.30.0/24 184.106.120.244/32 any -P out ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;

route table - only the routes to the remote network are listed.

192.168.100.0/22   192.168.100.1   UGS   0   131   gif21
192.168.100.1      link#19         UH    0   185   gif21

Packet forwarding is enabled.

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Firewall rules

pass in quick all
pass out quick all

What else is needed?

Thanks for all your help.

Jay
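As an added example (not part of this thread, and not racoon's, setkey's or FreeBSD's own tooling), the following Python script parses the four spdadd lines posted in Jay's message and runs the checks a reviewer would make first on a tunnel-mode SPD: that the outer src/dst of each policy match its -P direction (the local endpoint must be the tunnel source for -P out and the tunnel destination for -P in), that every outbound selector pair has a mirrored inbound policy, and which policies carry level "use", which lets the kernel fall back to cleartext when no SA exists, unlike "require". The local endpoint 1.1.1.1 and remote endpoint 184.106.120.244 are taken from the gif21 tunnel line in the message; the sample SPD text is retyped from the message and embedded so the script runs offline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the four spdadd lines from the message above, retyped verbatim.
SPD_TEXT = """
spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/use;
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 184.106.120.244/32 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 10.129.30.0/24 184.106.120.244/32 any -P out ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
"""

# Outer tunnel endpoints, taken from the "tunnel inet 1.1.1.1 --> 184.106.120.244" gif21 line.
LOCAL_ENDPOINT = "1.1.1.1"
REMOTE_ENDPOINT = "184.106.120.244"

# One setkey(8) spdadd statement: selectors, direction, then the
# protocol/mode/outer-addresses/level policy string. Outer addresses are
# only present for tunnel mode; the level keywords are those setkey accepts.
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+(?P<proto>esp|ah)/(?P<mode>tunnel|transport)"
    r"(?:/(?P<tsrc>[0-9.]+)-(?P<tdst>[0-9.]+))?/(?P<level>default|use|require|unique)\s*;"
)


def parse_spd(text: str) -> List[Dict[str, str]]:
    """Return one dict per spdadd statement, in file order."""
    return [m.groupdict() for m in SPDADD_RE.finditer(text)]


def check_spd(policies: List[Dict[str, str]], local: str, remote: str) -> List[Tuple[int, str, str]]:
    """Return (rule_number, code, message) findings; rule numbers are 1-based."""
    findings: List[Tuple[int, str, str]] = []
    for n, p in enumerate(policies, start=1):
        if p["mode"] == "tunnel":
            # For -P out the outer header must run local -> remote; for -P in, remote -> local.
            expect = (local, remote) if p["dir"] == "out" else (remote, local)
            if (p["tsrc"], p["tdst"]) != expect:
                findings.append((n, "ENDPOINTS",
                                 f"-P {p['dir']} policy has tunnel {p['tsrc']}-{p['tdst']}, "
                                 f"expected {expect[0]}-{expect[1]}"))
        if p["level"] == "use":
            # "use" means: apply IPsec if an SA exists, otherwise pass the packet as-is.
            findings.append((n, "LEVEL_USE",
                             "level 'use' lets the kernel send/accept cleartext when no SA exists; "
                             "'require' enforces IPsec"))
    # Every selector pair in one direction should have its mirror in the other direction.
    seen = {(p["dir"], p["src"], p["dst"]) for p in policies}
    for n, p in enumerate(policies, start=1):
        mirror = ("in" if p["dir"] == "out" else "out", p["dst"], p["src"])
        if mirror not in seen:
            findings.append((n, "UNMIRRORED",
                             f"no {mirror[0]} policy for {p['dst']} <-> {p['src']}"))
    return findings


if __name__ == "__main__":
    for rule, code, msg in check_spd(parse_spd(SPD_TEXT), LOCAL_ENDPOINT, REMOTE_ENDPOINT):
        print(f"rule {rule}: {code}: {msg}")
```

Run against the posted lines, the script reports the fourth spdadd (an outbound policy whose tunnel string reads remote-local) as an ENDPOINTS finding and marks all four policies as LEVEL_USE; the mirror check passes because each out policy has a matching in policy. It only inspects the SPD text, so it says nothing about whether racoon's sainfo selectors agree with those policies; that has to be checked against the phase 2 identifiers in the racoon log.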