From owner-freebsd-questions@FreeBSD.ORG Sat Aug 27 01:38:06 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 32A93106566B for ; Sat, 27 Aug 2011 01:38:06 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1-6.sentex.ca [IPv6:2607:f3e0:0:1::12]) by mx1.freebsd.org (Postfix) with ESMTP id E548C8FC12 for ; Sat, 27 Aug 2011 01:38:05 +0000 (UTC) Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a]) by smarthost1.sentex.ca (8.14.4/8.14.4) with ESMTP id p7R1c3ZG051417; Fri, 26 Aug 2011 21:38:03 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <4E584A74.70608@sentex.net> Date: Fri, 26 Aug 2011 21:37:56 -0400 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7 MIME-Version: 1.0 To: jhall@socket.net References: <20110823232242.B78A5106566B@hub.freebsd.org> <4E545899.6090800@sentex.net> <20110825155205.A0D131065670@hub.freebsd.org> <4E5696D0.3000205@sentex.net> <201108261742.p7QHgS2H095637@smtp1.sentex.ca> <4E57E2B1.9000508@sentex.net> <201108261840.p7QIebBP015777@smtp2.sentex.ca> <4E57EBED.7070900@sentex.net> <201108262052.p7QKqoTE002569@smtp2.sentex.ca> <4E5809A3.6020306@sentex.net> <201108262109.p7QL9dvU009914@smtp2.sentex.ca> In-Reply-To: <201108262109.p7QL9dvU009914@smtp2.sentex.ca> X-Enigmail-Version: 1.1.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.71 on IPv6:2607:f3e0:0:1::12 Cc: freebsd-questions@freebsd.org Subject: Re: Racoon to Cisco ASA 5505 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 Aug 2011 01:38:06 -0000 On 8/26/2011 5:09 PM, jhall@socket.net wrote: >> Yes, post that to the list. >> > > I am not sure if this is the entire configuration or not, but this is what > they have posted. > > > crypto ipsec security-association lifetime seconds 28800 > crypto ipsec security-association lifetime kilobytes 4608000 > > crypto map rackmap 201 match address 201 > crypto map rackmap 201 set peer Jefferson_City > crypto map rackmap 201 set transform-set ESP-3DES-SHA > crypto map rackmap interface outside > > crypto isakmp identity address > crypto isakmp enable outside > crypto isakmp policy 10 > authentication pre-share > encryption 3des > hash sha > group 2 > lifetime 86400 > > access-list 201 line 1 extended permit ip 192.168.100.0 255.255.252.0 > 10.129.10.0 255.255.255.0 > access-list 201 line 2 extended permit ip 192.168.100.0 255.255.252.0 > 10.129.20.0 255.255.255.0 > access-list 201 line 3 extended permit ip 192.168.100.0 255.255.252.0 > 10.129.30.0 255.255.255.0 > access-list 201 line 4 extended permit ip 192.168.100.0 255.255.252.0 > 10.129.50.0 255.255.255.0 > access-list 201 line 5 extended permit ip 192.168.100.0 255.255.252.0 > 10.129.60.0 255.255.255.0 > access-list 201 line 6 extended permit ip 192.168.100.0 255.255.252.0 > 10.129.70.0 255.255.255.0 > access-list 201 line 7 extended permit ip 192.168.100.0 255.255.252.0 > 10.129.80.0 255.255.255.0 Get rid of the gif interface as its not needed and make sure you match their policy's. And of course 1.1.1.1 is your actual public IP. setkey -F setkey -FP setkey -f /etc/ipsec.conf where ipsec.conf has the info below spdadd 10.129.10.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; spdadd 192.168.100.0/22 10.129.10.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; spdadd 10.129.20.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; spdadd 192.168.100.0/22 10.129.20.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; spdadd 10.129.40.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; spdadd 192.168.100.0/22 10.129.40.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; spdadd 10.129.50.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; spdadd 192.168.100.0/22 10.129.50.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; again, startup racoon with -d start tcpdumping the outside interface with the flags -s0 -vvv host 184.106.120.244 >From inside your network, go to a machine that has an IP within the private range. e.g. 10.129.10.1 and ping the other side ping -S 10.129.10.1 192.160.100.1 ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/