Date: Tue, 23 Aug 2011 21:49:13 -0400
From: Mike Tancsa <mike@sentex.net>
To: jhall@socket.net
Cc: freebsd-questions@freebsd.org
Subject: Re: Racoon to Cisco ASA 5505
Message-ID: <4E545899.6090800@sentex.net>
In-Reply-To: <20110823232242.B78A5106566B@hub.freebsd.org>
References: <20110823232242.B78A5106566B@hub.freebsd.org>
On 8/23/2011 7:22 PM, jhall@socket.net wrote:
> I have run into a weird situation, and I do not know if the problem lies
> on my side of the connection or my vendor's.
>
> The tunnel comes up only after the vendor sends traffic to me. My side of
> the tunnel shows up and using tcpdump, I see packets flowing out the
> correct interface, to the correct IP address, but nothing is returned
> until the device(s) behind the vendor's ASA attempt to send traffic to me.
>
> Attached is the relevant output from setkey -DP
>
> 10.129.10.0/24[any] 192.168.100.0/22[any] any
>         out ipsec
>         esp/tunnel/1.1.1.1-2.2.2.2/use
>         spid=357 seq=7 pid=12885
>         refcnt=1
> 10.129.80.0/24[any] 192.168.100.0/22[any] any
>         out ipsec
>         esp/tunnel/1.1.1.1-2.2.2.2/use
>         spid=359 seq=6 pid=12885
>         refcnt=1
>
> I am using anonymous because, if I am reading the logs right, that is
> being requested.
>
> I am using a PF firewall with pass in quick and pass out quick rules.
> This is just for testing and will be tightened later.
>
> What additional information is needed?

pfctl -d and then try, just to totally rule out pf. Also, with pf it's helpful to always log everything, including pass rules, as it helps to narrow down issues. If it's still not working, show the output of the tunnel coming up when the other side initiates the tunnel, and then show the tcpdump of when you try to initiate it.

tcpdump -s0 -vvv -ni <interface> port 500

I find wireshark helpful in these cases as it nicely decodes what options are being set. Your racoon conf is set to obey. It's possible they are proposing something different to you that you accept, whereas what you are proposing might not be acceptable.

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
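A small added example, not part of the thread and not racoon's or FreeBSD's own tooling: a parser for the `setkey -DP` policy dump quoted above. Beyond pulling out the selectors, direction, tunnel endpoints and SPID, it flags policies whose level is `use`, because with that level the kernel sends matching traffic in the clear when no SA exists, while `require` holds the packet until the SA is negotiated. That is exactly the kind of thing worth confirming before reading a tcpdump trace of an asymmetric tunnel, since the "outgoing packets" seen on the interface may not be ESP at all. The sample dump is constructed in the shape of the quoted output (the second policy is changed to `require` so the check has something to contrast); the `Policy` class and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of `setkey -DP` as quoted in the thread.
# Header line: src[port] dst[port] upper-layer-proto; indented lines follow.
SAMPLE_SETKEY_DP = """\
10.129.10.0/24[any] 192.168.100.0/22[any] any
\tout ipsec
\tesp/tunnel/1.1.1.1-2.2.2.2/use
\tspid=357 seq=7 pid=12885
\trefcnt=1
10.129.80.0/24[any] 192.168.100.0/22[any] any
\tout ipsec
\tesp/tunnel/1.1.1.1-2.2.2.2/require
\tspid=359 seq=6 pid=12885
\trefcnt=1
"""


@dataclass
class Policy:
    src: str
    dst: str
    upper: str              # upper-layer protocol selector ("any", "tcp", ...)
    direction: str = ""     # in / out / fwd
    action: str = ""        # ipsec / discard / none
    protocol: str = ""      # esp / ah / ipcomp
    mode: str = ""          # tunnel / transport
    local: str = ""         # tunnel endpoints; empty in transport mode
    remote: str = ""
    level: str = ""         # default / use / require / unique
    spid: int = -1


# "10.129.10.0/24[any] 192.168.100.0/22[any] any"
SELECTOR_RE = re.compile(r"^([^\s\[]+)\[([^\]]+)\]\s+([^\s\[]+)\[([^\]]+)\]\s+(\S+)$")
# "esp/tunnel/1.1.1.1-2.2.2.2/use"  or  "esp/transport//require"
RULE_RE = re.compile(
    r"^(esp|ah|ipcomp)/(tunnel|transport)/(?:(\S+?)-(\S+))?/"
    r"(default|use|require|unique(?::\d+)?)$"
)


def parse_setkey_dp(text: str) -> List[Policy]:
    """Parse the text of `setkey -DP` into Policy records."""
    policies: List[Policy] = []
    cur = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if raw[0] not in " \t":                     # unindented: new policy header
            m = SELECTOR_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised selector line: {line!r}")
            cur = Policy(src=m.group(1), dst=m.group(3), upper=m.group(5))
            policies.append(cur)
            continue
        if cur is None:
            raise ValueError("indented line before any policy header")
        m = RULE_RE.match(line)
        if m:                                       # the ipsec request line
            cur.protocol, cur.mode = m.group(1), m.group(2)
            cur.local, cur.remote = m.group(3) or "", m.group(4) or ""
            cur.level = m.group(5)
            continue
        if line.startswith("spid="):
            cur.spid = int(line.split()[0].split("=", 1)[1])
            continue
        if line.startswith("refcnt="):
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("in", "out", "fwd"):
            cur.direction, cur.action = parts      # e.g. "out ipsec"
            continue
        raise ValueError(f"unrecognised policy line: {line!r}")
    return policies


def cleartext_fallback_policies(policies: List[Policy]) -> List[Policy]:
    """Return ipsec policies at level 'use': traffic matching them is sent
    unprotected whenever no SA is established, so a tunnel that 'is not
    coming up' can silently leak plaintext instead of failing closed."""
    return [p for p in policies if p.action == "ipsec" and p.level == "use"]


def summarize(policies: List[Policy]) -> List[str]:
    """One human-readable line per policy, marking the weak ones."""
    out = []
    for p in policies:
        flag = "  <-- level 'use': falls back to cleartext without an SA" \
            if p.level == "use" else ""
        out.append(f"spid={p.spid} {p.direction} {p.src} -> {p.dst} "
                   f"{p.protocol}/{p.mode} {p.local}-{p.remote} level={p.level}{flag}")
    return out


if __name__ == "__main__":
    # On a live host replace SAMPLE_SETKEY_DP with the output of `setkey -DP`.
    print("\n".join(summarize(parse_setkey_dp(SAMPLE_SETKEY_DP))))
```

The `use` versus `require` distinction is documented in setkey(8); the parser accepts the `default`, `use`, `require` and `unique` levels and the empty endpoint field that transport-mode policies print.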