Thank you for all your help!! IT WORKS!!!!!!! One final question. If I want to clean up my racoon configuration file, instead of using sainfo anonymous can the following be used instead?
sainfo address 10.129.0.0/16 any address 192.168.100.0/22 any Thank you again for all your help! Jay ---------------------------------------------------- >From : Mike Tancsa <m...@sentex.net> To : jh...@socket.net Subject : Re: Racoon to Cisco ASA 5505 Date : Fri, 26 Aug 2011 21:37:56 -0400 > On 8/26/2011 5:09 PM, jh...@socket.net wrote: > >> Yes, post that to the list. > >> > > > > I am not sure if this is the entire configuration or not, but this is what > > they have posted. > > > > > > crypto ipsec security-association lifetime seconds 28800 > > crypto ipsec security-association lifetime kilobytes 4608000 > > > > crypto map rackmap 201 match address 201 > > crypto map rackmap 201 set peer Jefferson_City > > crypto map rackmap 201 set transform-set ESP-3DES-SHA > > crypto map rackmap interface outside > > > > crypto isakmp identity address > > crypto isakmp enable outside > > crypto isakmp policy 10 > > authentication pre-share > > encryption 3des > > hash sha > > group 2 > > lifetime 86400 > > > > access-list 201 line 1 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.10.0 255.255.255.0 > > access-list 201 line 2 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.20.0 255.255.255.0 > > access-list 201 line 3 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.30.0 255.255.255.0 > > access-list 201 line 4 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.50.0 255.255.255.0 > > access-list 201 line 5 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.60.0 255.255.255.0 > > access-list 201 line 6 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.70.0 255.255.255.0 > > access-list 201 line 7 extended permit ip 192.168.100.0 255.255.252.0 > > 10.129.80.0 255.255.255.0 > > > Get rid of the gif interface as its not needed and make sure you match their policy's. And of course 1.1.1.1 is your actual public IP. > > > setkey -F > setkey -FP > setkey -f /etc/ipsec.conf > > where ipsec.conf has the info below > > spdadd 10.129.10.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; > spdadd 192.168.100.0/22 10.129.10.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; > spdadd 10.129.20.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; > spdadd 192.168.100.0/22 10.129.20.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; > spdadd 10.129.30.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; > spdadd 192.168.100.0/22 10.129.30.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; > spdadd 10.129.40.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; > spdadd 192.168.100.0/22 10.129.40.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; > spdadd 10.129.50.0/24 192.168.100.0/22 any -P out ipsec esp/tunnel/1.1.1.1-184.106.120.244/unique; > spdadd 192.168.100.0/22 10.129.50.0/24 any -P in ipsec esp/tunnel/184.106.120.244-1.1.1.1/unique; > > > again, startup racoon with -d > start tcpdumping the outside interface with the flags -s0 -vvv host 184.106.120.244 > > From inside your network, > go to a machine that has an IP within the private range. e.g. 10.129.10.1 and ping the other side > > ping -S 10.129.10.1 192.160.100.1 > > ---Mike > > > > > -- > ------------------- > Mike Tancsa, tel +1 519 651 3400 > Sentex Communications, m...@sentex.net > Providing Internet services since 1994 www.sentex.net > Cambridge, Ontario Canada http://www.tancsa.com/ _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
