Date:      Fri, 26 Aug 2011 13:40:37 -0500
Subject:   Re: Re: Racoon to Cisco ASA 5505 


> IP-IP interface ? (GIF). If you are using that, then you will need very
> different policies on both sides.  You should mention these little
> "details" when posting your configs.  Can you please post your FULL
> configuration / topology. Otherwise, its kind of impossible to know what
> the issue might be
> 	---Mike

Connecting to  Their router is, and my BSD box is 

GIF is configured as follows.

gif21: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
	tunnel inet -->
	inet --> netmask 0xff000000 


        exchange_mode main,base,aggressive;
#       exchange_mode main,passive;
        doi ipsec_doi;
        situation identity_only;
        mode_cfg on;
        my_identifier address;
#       certificate_type x509 "my.cert.pem" "my.key.pem";

#       nonce_size 16;
#       initial_contact on;
        lifetime time 86400 secs;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address any address any {
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 28800 secs;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

setkey - only one site is shown since others are simply a copy of this 

spdadd any -P out ipsec 
spdadd any -P in ipsec 
spdadd any -P in ipsec 
spdadd any -P out ipsec 

route table - only the routes to the remote network are listed.
                              UGS         0      131  gif21
                 link#19      UH          0      185  gif21

Packet forwarding is enabled.
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Firewall rules
pass in quick all
pass out quick all

What else is needed?

Thanks for all your help.
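Added example, not part of this thread: a small audit script for racoon.conf fragments like the one posted above. It walks the phase 1 (remote/proposal) and phase 2 (sainfo) blocks and reports settings a defender would want to review before debugging the tunnel itself: aggressive mode with a pre-shared key, 3DES, MD5 and DH/PFS group 2, which current ASA images often refuse to negotiate. The sample configuration, its `remote` header and all addresses are constructed; the post elides them.

```python
import re

# Constructed racoon.conf fragment modelled on the post above.
# The "remote 192.0.2.1 {" header and the sainfo selectors are assumptions.
SAMPLE_CONF = """
remote 192.0.2.1 {
        exchange_mode main,base,aggressive;
        mode_cfg on;
        my_identifier address;
        lifetime time 86400 secs;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo address 10.0.0.0/8 any address 192.168.0.0/16 any {
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 28800 secs;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
"""

# Values that are deprecated or that modern peers commonly reject.
WEAK = {
    "exchange_mode": {"aggressive"},          # PSK + aggressive mode leaks an offline-crackable hash
    "encryption_algorithm": {"des", "3des", "blowfish", "cast128"},
    "hash_algorithm": {"md5"},
    "authentication_algorithm": {"hmac_md5", "non_auth"},
    "dh_group": {"1", "2"},
    "pfs_group": {"1", "2"},
}

def audit(text):
    """Return [(block_path, key, value)] for every weak setting in a racoon.conf text."""
    findings, stack = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):                   # enter remote / proposal / sainfo block
            stack.append(line[:-1].strip())
            continue
        if line == "}":                          # leave the current block
            stack.pop()
            continue
        m = re.match(r"(\w+)\s+(.*);$", line)    # "key value[, value...];"
        if not m:
            continue
        key, values = m.group(1), [v.strip() for v in m.group(2).split(",")]
        findings.extend(("/".join(stack), key, v) for v in values if v in WEAK.get(key, ()))
    return findings
```

Running `audit(SAMPLE_CONF)` on the constructed fragment reports six findings; a peer offering AES with DH group 14 reports none.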

