[ previous ] [ next ] [ threads ]
 
 From:  "Chris Nottingham" <chris at thewebgeek dot com>
 To:  "Josh McAllister" <josh at bluehornet dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] m0n0 to cisco point to point ipsec
 Date:  Fri, 4 Mar 2005 21:38:42 -0500 
I don't have access to the cisco config unfortunately, but my m0n0
config is using 3DES/MD5 DF Group 2 for phase 1 (which seems to be
working) and ESP with 3DES/MD5 checked and PFS group off.  What I am
trying to find is a cisco config that I can hand off to my network guy
to put in his config that is a known good for a m0n0wall.

Thanks again,
Chris

-----Original Message-----

It looks like the endpoints can't agree on Phase 2 parameters. If you
send your cisco config section and feature set, and appropriate m0n0
config section it would be much easier to assist.

Without that, I would *guess* you probably want the following phase2
settings on the m0n0:
Protocol: ESP
Enc. Algoithms: *only* 3DES
Hash: MD5
PFS key group: off

If that gives you no joy, provide more details.

Josh McAllister

> -----Original Message-----
> From: Chris Nottingham [mailto:chris at thewebgeek dot com]
> Sent: Friday, March 04, 2005 2:43 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] m0n0 to cisco point to point ipsec
> 
> I searched through the archive the best I could before posting, but am
> still stuck.  I am trying to get my m0n0wall (1.1 generic pc) to talk
to
> a cisco ipsec vpn at work.  I got the settings from my friendly
network
> administrator, and we have tried a few changes both on the m0n0 and
> cisco end to no avail.  The log on my end always looks like pasted
> below.  Does anyone have a working m0n0 to cisco setup and are willing
> to share the configuration from both ends?
> 
> Thanks in advance,
> Chris
> 
> racoon: ERROR: pfkey.c:804:pfkey_timeover(): xxx.xxx.xxx.xxx give up
to
> get IPsec-SA due to time up to wait.
> racoon: ERROR: isakmp_inf.c:840:isakmp_info_recv_n(): unknown notify
> message, no phase2 handle found.
> racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2
> negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]
> racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA
established
> xxx.xxx.xxx.xxx[500]-xxx.xxx.xxx.xxx[500] spi:blahblahblah
> racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Identity
> Protection mode.
> racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1
> negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500]
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch