From owner-freebsd-questions@FreeBSD.ORG Wed Aug 24 01:49:16 2011
Date: Tue, 23 Aug 2011 21:49:13 -0400
From: Mike Tancsa
Organization: Sentex Communications
To: jhall@socket.net
Cc: freebsd-questions@freebsd.org
Subject: Re: Racoon to Cisco ASA 5505
Message-ID: <4E545899.6090800@sentex.net>
In-Reply-To: <20110823232242.B78A5106566B@hub.freebsd.org>
References: <20110823232242.B78A5106566B@hub.freebsd.org>

On 8/23/2011 7:22 PM, jhall@socket.net wrote:
> I have run into a weird situation, and I do not know if the problem lies
> on my side of the connection or my vendor's.
>
> The tunnel comes up only after the vendor sends traffic to me. My side of
> the tunnel shows up and, using tcpdump, I see packets flowing out the
> correct interface, to the correct IP address, but nothing is returned
> until the device(s) behind the vendor's ASA attempt to send traffic to me.
>
> Attached is the relevant output from setkey -DP
>
> 10.129.10.0/24[any] 192.168.100.0/22[any] any
>         out ipsec
>         esp/tunnel/1.1.1.1-2.2.2.2/use
>         spid=357 seq=7 pid=12885
>         refcnt=1
> 10.129.80.0/24[any] 192.168.100.0/22[any] any
>         out ipsec
>         esp/tunnel/1.1.1.1-2.2.2.2/use
>         spid=359 seq=6 pid=12885
>         refcnt=1
>
> I am using anonymous because, if I am reading the logs right, that is
> being requested.
>
> I am using a PF firewall with pass in quick and pass out quick rules.
> This is just for testing and will be tightened later.
>
> What additional information is needed?
>

pfctl -d and then try, just to totally rule out pf. Also, with pf it's
helpful to always log everything, including pass, as it helps to narrow
down issues.

If it's still not working, show the output of the tunnel coming up when
the other side initiates the tunnel, and then show the tcpdump of when you
try to initiate it.

tcpdump -s0 -vvv -ni <interface> port 500

I find wireshark helpful in these cases as it nicely decodes what options
are being set. Your racoon conf is set to obey. It's possible they are
proposing something different to you that you accept, whereas what you are
proposing might not be acceptable.

        ---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
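An added example, not part of Mike's reply or the original post: a small Python parser for `setkey -DP` output in the shape quoted above. It checks that every out policy has a matching in policy (and vice versa) for the reversed selector, and flags requests at level "use", which setkey(8) documents as "use an SA if one is available, otherwise keep normal operation", i.e. traffic for that selector leaves unprotected when no SA exists. The sample input is constructed here: the two outbound entries from the post plus a hypothetical inbound entry (spid 358) so the reverse-policy check has something to match. This is a sanity check on the SPD, not a claim about what is wrong with the poster's tunnel.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample (not captured from a live system): the two outbound
# SPD entries quoted in the thread plus a hypothetical inbound entry
# (spid 358) added here so that one of the outbound policies has a reverse.
SAMPLE_SPD = """\
10.129.10.0/24[any] 192.168.100.0/22[any] any
        out ipsec
        esp/tunnel/1.1.1.1-2.2.2.2/use
        spid=357 seq=7 pid=12885
        refcnt=1
10.129.80.0/24[any] 192.168.100.0/22[any] any
        out ipsec
        esp/tunnel/1.1.1.1-2.2.2.2/use
        spid=359 seq=6 pid=12885
        refcnt=1
192.168.100.0/22[any] 10.129.10.0/24[any] any
        in ipsec
        esp/tunnel/2.2.2.2-1.1.1.1/require
        spid=358 seq=5 pid=12885
        refcnt=1
"""

# Line shapes printed by setkey -DP: "src[port] dst[port] proto",
# "direction action", "proto/mode/endpoints/level", "spid=N seq=N pid=N".
HEADER_RE = re.compile(r"^(\S+\[\S*\])\s+(\S+\[\S*\])\s+(\S+)$")
DIR_RE = re.compile(r"^(in|out|fwd)\s+(ipsec|discard|none|bypass|entrust)$")
REQ_RE = re.compile(
    r"^(esp|ah|ipcomp)/(tunnel|transport)/(\S*?)/(default|use|require|unique(?::\d+)?)$"
)
SPID_RE = re.compile(r"^spid=(\d+)")


@dataclass
class Policy:
    src: str
    dst: str
    proto: str
    direction: str = ""
    action: str = ""
    # One tuple per ipsec request: (protocol, mode, tunnel endpoints, level)
    requests: List[Tuple[str, str, str, str]] = field(default_factory=list)
    spid: Optional[int] = None


def parse_spd(text: str) -> List[Policy]:
    """Parse setkey -DP output into Policy records, in the order printed."""
    policies: List[Policy] = []
    current: Optional[Policy] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Policy(*m.groups())
            policies.append(current)
            continue
        if current is None:
            raise ValueError(f"line before first policy header: {line!r}")
        m = DIR_RE.match(line)
        if m:
            current.direction, current.action = m.groups()
            continue
        m = REQ_RE.match(line)
        if m:
            current.requests.append(m.groups())
            continue
        m = SPID_RE.match(line)
        if m:
            current.spid = int(m.group(1))
        # seq=, pid=, refcnt= and anything unrecognised are informational.
    return policies


def find_issues(policies: List[Policy]) -> List[Tuple[Optional[int], str]]:
    """Flag policies with no reverse-direction twin and requests at level 'use'."""
    issues: List[Tuple[Optional[int], str]] = []
    index = {(p.direction, p.src, p.dst, p.proto) for p in policies}
    for p in policies:
        if p.direction not in ("in", "out"):
            continue
        reverse = "in" if p.direction == "out" else "out"
        if (reverse, p.dst, p.src, p.proto) not in index:
            issues.append((p.spid, f"no matching {reverse} policy for {p.dst} -> {p.src}"))
        for proto, mode, _endpoints, level in p.requests:
            if level == "use":
                issues.append((p.spid, f"{proto}/{mode} request is at level 'use': "
                                       "with no SA present the kernel passes this "
                                       "traffic unprotected rather than waiting for one"))
    return issues


if __name__ == "__main__":
    # On a real host feed it the live table:  setkey -DP | python3 this_script.py
    for spid, msg in find_issues(parse_spd(SAMPLE_SPD)):
        print(f"spid={spid}: {msg}")
```

Pipe the live table in with `setkey -DP | python3 spdcheck.py` (the script name is an assumption) once the `SAMPLE_SPD` default is swapped for `sys.stdin.read()`; with the constructed sample it reports that spid 359 has no inbound twin and that both outbound policies are at level "use".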