Re: Racoon to Cisco ASA 5505



On 8/26/2011 5:09 PM, jhall@xxxxxxxxxx wrote:
Yes, post that to the list.


I am not sure if this is the entire configuration or not, but this is what
they have posted.


crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map rackmap 201 match address 201
crypto map rackmap 201 set peer Jefferson_City
crypto map rackmap 201 set transform-set ESP-3DES-SHA
crypto map rackmap interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

access-list 201 line 1 extended permit ip 192.168.100.0 255.255.252.0
10.129.10.0 255.255.255.0
access-list 201 line 2 extended permit ip 192.168.100.0 255.255.252.0
10.129.20.0 255.255.255.0
access-list 201 line 3 extended permit ip 192.168.100.0 255.255.252.0
10.129.30.0 255.255.255.0
access-list 201 line 4 extended permit ip 192.168.100.0 255.255.252.0
10.129.50.0 255.255.255.0
access-list 201 line 5 extended permit ip 192.168.100.0 255.255.252.0
10.129.60.0 255.255.255.0
access-list 201 line 6 extended permit ip 192.168.100.0 255.255.252.0
10.129.70.0 255.255.255.0
access-list 201 line 7 extended permit ip 192.168.100.0 255.255.252.0
10.129.80.0 255.255.255.0


Get rid of the gif interface as it's not needed, and make sure you match their policies. And of course 1.1.1.1 is your actual public IP.


setkey -F
setkey -FP
setkey -f /etc/ipsec.conf

where ipsec.conf has the info below

# One out/in pair per line of access-list 201 on the ASA; the subnets on the two
# sides must match exactly or phase 2 will fail for that selector.
# "unique" gives each policy its own SA, matching the ASA's per-ACL-line SAs.
spdadd 10.129.10.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique;
spdadd 192.168.100.0/22 10.129.10.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique;
spdadd 10.129.20.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique;
spdadd 192.168.100.0/22 10.129.20.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique;
spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique;
spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique;
spdadd 10.129.50.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique;
spdadd 192.168.100.0/22 10.129.50.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique;
spdadd 10.129.60.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique;
spdadd 192.168.100.0/22 10.129.60.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique;
spdadd 10.129.70.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique;
spdadd 192.168.100.0/22 10.129.70.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique;
spdadd 10.129.80.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique;
spdadd 192.168.100.0/22 10.129.80.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique;


again, startup racoon with -d
start tcpdumping the outside interface with the flags -s0 -vvv host 184.106.120.244

From inside your network,
go to a machine that has an IP within the private range, e.g. 10.129.10.1, and ping the other side:

ping -S 10.129.10.1 192.168.100.1

---Mike




--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@xxxxxxxxxx
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
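An added example, not from Mike's post or from the ipsec-tools project, showing the two files the recipe above needs: it generates the setkey SPD (one out/in pair per subnet in the ASA's access-list 201, so the two selector lists cannot drift apart) and a racoon.conf whose phase 1 and phase 2 proposals mirror the posted ASA policy (pre-share, 3des, sha, group 2, 86400 s; ESP-3DES-SHA, 28800 s). Addresses are the ones in the thread, with 1.1.1.1 standing in for the FreeBSD box's real public IP as in the post. The file paths under /usr/local/etc/racoon are the ipsec-tools port defaults and are an assumption here; the ASA's kilobyte lifetime and the absence of PFS in the posted crypto map are reflected by leaving both out.

```shell
#!/bin/sh
# Added example (not the original poster's code): build /etc/ipsec.conf and
# racoon.conf from one list of subnets so the SPD matches the ASA's ACL.

LOCAL_IP=1.1.1.1                # our public IP (placeholder, as in the post)
PEER_IP=184.106.120.244         # the ASA's outside address
REMOTE_NET=192.168.100.0/22     # network behind the ASA
# one local /24 per "access-list 201" line on the ASA; keep the two lists identical
LOCAL_NETS="10.129.10.0/24 10.129.20.0/24 10.129.30.0/24 10.129.50.0/24 10.129.60.0/24 10.129.70.0/24 10.129.80.0/24"

# gen_spd: emit an outbound and an inbound spdadd per local subnet. Tunnel
# endpoints are swapped for the inbound direction; "unique" gives every policy
# its own SA, which is how the ASA negotiates a multi-line crypto map ACL.
gen_spd() {
    for net in $LOCAL_NETS; do
        printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' \
            "$net" "$REMOTE_NET" "$LOCAL_IP" "$PEER_IP"
        printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' \
            "$REMOTE_NET" "$net" "$PEER_IP" "$LOCAL_IP"
    done
}

# gen_racoon_conf: phase 1 mirrors "crypto isakmp policy 10" (main mode,
# pre-shared key, 3des, sha1, DH group 2, 24 h); phase 2 mirrors
# ESP-3DES-SHA with the 28800 s (8 h) SA lifetime. No pfs_group because the
# posted crypto map has no "set pfs"; the kilobyte lifetime is not mirrored.
gen_racoon_conf() {
    cat <<EOF
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote $PEER_IP {
    exchange_mode main;
    my_identifier address $LOCAL_IP;
    peers_identifier address $PEER_IP;
    lifetime time 24 hour;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    lifetime time 8 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# count_spd: number of spdadd entries, expected to be 2 * number of subnets
count_spd() {
    gen_spd | grep -c '^spdadd'
}

if [ "${1:-}" = "install" ]; then
    # write both files and load the SPD, then start racoon -d as in the post.
    # psk.txt holds "<peer IP> <secret>" on one line and must be mode 600;
    # racoon will not use a world-readable key file.
    gen_spd > /etc/ipsec.conf
    gen_racoon_conf > /usr/local/etc/racoon/racoon.conf
    chmod 600 /usr/local/etc/racoon/psk.txt
    setkey -F && setkey -FP && setkey -f /etc/ipsec.conf
else
    # default: print both generated files for review
    gen_spd
    gen_racoon_conf
fi
```

Run it with no argument to inspect the output, and with `install` on the FreeBSD box once psk.txt holds the tunnel-group key. If the ASA side later gains an ACL line, add the subnet to LOCAL_NETS and re-run; a phase 2 failure in racoon's -d output that names a selector is almost always one side having a subnet the other lacks.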