From owner-freebsd-questions@FreeBSD.ORG Fri Aug 26 18:40:37 2011
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 973F11065673; Fri, 26 Aug 2011 18:40:37 +0000 (UTC) (envelope-from jhall@socket.net)
Received: from mf1.socket.net (mf1g.socket.net [216.106.88.71]) by mx1.freebsd.org (Postfix) with ESMTP id 768648FC19; Fri, 26 Aug 2011 18:40:37 +0000 (UTC)
Received: from localhost (unknown [216.106.88.17]) by mf1.socket.net (Postfix) with SMTP id 11D064594C; Fri, 26 Aug 2011 13:40:37 -0500 (CDT)
To: mike@sentex.net
From: jhall@socket.net
X-Apparently-from: jhall@mail.socket.net
X-Remote-Host: 174.34.27.163
User-Agent: Socket WebMail
References: <20110823232242.B78A5106566B@hub.freebsd.org> <4E545899.6090800@sentex.net> <20110825155205.A0D131065670@hub.freebsd.org> <4E5696D0.3000205@sentex.net> <201108261742.p7QHgS2H095637@smtp1.sentex.ca> <4E57E2B1.9000508@sentex.net>
Date: Fri, 26 Aug 2011 13:40:37 -0500
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <20110826184037.973F11065673@hub.freebsd.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: Re: Racoon to Cisco ASA 5505
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: jhall@socket.net
List-Id: User questions
X-List-Received-Date: Fri, 26 Aug 2011 18:40:37 -0000

----------------------------------------------------

> IP-IP interface ? (GIF). If you are using that, then you will need very
> different policies on both sides. You should mention these little
> "details" when posting your configs. Can you please post your FULL
> configuration / topology. Otherwise, it's kind of impossible to know what
> the issue might be.
>
> ---Mike

Connecting 10.129.0.0/16 to 192.168.100.0/22.
Their router is 192.168.100.1, and my BSD box is 10.129.10.40.

GIF is configured as follows.

gif21: flags=8051 metric 0 mtu 1280
        tunnel inet 1.1.1.1 --> 184.106.120.244
        inet 10.129.10.40 --> 192.168.100.1 netmask 0xff000000
        options=1

racoon.conf

remote 184.106.120.244 {
        exchange_mode main,base,aggressive;
        # exchange_mode main,passive;
        doi ipsec_doi;
        situation identity_only;
        mode_cfg on;
        my_identifier address 65.117.48.155;
        # certificate_type x509 "my.cert.pem" "my.key.pem";
        # nonce_size 16;
        # initial_contact on;
        lifetime time 86400 secs;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 1.1.1.1/32 any address 184.106.120.244 any {
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 28800 secs;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

setkey - only one site is shown since the others are simply a copy of this one.

spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/use;
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 184.106.120.244/32 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 10.129.30.0/24 184.106.120.244/32 any -P out ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;

route table - only the routes to the remote network are listed.

192.168.100.0/22   192.168.100.1   UGS   0   131   gif21
192.168.100.1      link#19         UH    0   185   gif21

Packet forwarding is enabled.

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Firewall rules

pass in quick all
pass out quick all

What else is needed?

Thanks for all your help.

Jay
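An added example, not part of Jay's message and not racoon or setkey code: a small Python check that parses the spdadd lines posted above and verifies that each tunnel endpoint pair matches the policy direction (a `-P out` policy carries local-to-remote in the outer header, a `-P in` policy remote-to-local) and that every policy has a counterpart in the opposite direction. The local endpoint 1.1.1.1 and remote endpoint 184.106.120.244 are taken from the post; the SPD text is a copy of the posted lines.

```python
import re

# Copy of the setkey(8) SPD entries as posted in the message (constructed input for the check).
SPD_TEXT = """
spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/use;
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 184.106.120.244/32 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
spdadd 10.129.30.0/24 184.106.120.244/32 any -P out ipsec esp/tunnel/184.106.120.244-1.1.1.1/use;
"""

LOCAL_EP, REMOTE_EP = "1.1.1.1", "184.106.120.244"  # gif21 tunnel endpoints from the post

# spdadd <src> <dst> <proto> -P <in|out> ipsec <esp|ah>/tunnel/<outer-src>-<outer-dst>/<level>;
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/tunnel/([\d.]+)-([\d.]+)/(\w+)\s*;"
)


def parse_spd(text):
    """Return one dict per spdadd line; lines that do not match the tunnel form are skipped."""
    entries = []
    for m in SPD_RE.finditer(text):
        src, dst, proto, direction, xfrm, tsrc, tdst, level = m.groups()
        entries.append(dict(src=src, dst=dst, proto=proto, direction=direction, xfrm=xfrm,
                            tunnel_src=tsrc, tunnel_dst=tdst, level=level))
    return entries


def check_tunnel_direction(entries, local_ep, remote_ep):
    """List (index, message) for policies whose outer-header endpoints disagree with -P direction.

    Outbound packets are encapsulated local->remote, inbound ones arrive remote->local."""
    problems = []
    for i, e in enumerate(entries):
        want = (local_ep, remote_ep) if e["direction"] == "out" else (remote_ep, local_ep)
        got = (e["tunnel_src"], e["tunnel_dst"])
        if got != want:
            problems.append((i, f"-P {e['direction']} uses tunnel {got[0]}-{got[1]}, "
                                f"expected {want[0]}-{want[1]}"))
    return problems


def unmirrored(entries):
    """Indices of policies with no opposite-direction twin (src/dst swapped, in<->out)."""
    keys = {(e["src"], e["dst"], e["direction"]) for e in entries}
    flip = {"in": "out", "out": "in"}
    return [i for i, e in enumerate(entries)
            if (e["dst"], e["src"], flip[e["direction"]]) not in keys]
```

Running `check_tunnel_direction(parse_spd(SPD_TEXT), LOCAL_EP, REMOTE_EP)` reports any policy whose outer endpoints are reversed for its direction; `unmirrored(...)` is empty when every policy has its counterpart.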