I am not sure what is going on there. I would start by debugging IPsec on the router side. I know it does not help you any, but my 3DES works great. When I have more time tonight I will send you exactly what I have in each line of both configs. I actually wanted to write a how-to on it, but recently I ran into some problems with one site: all of a sudden large data would not go back and forth, but ssh and telnet would work. I have upgraded the IOS on the router side; now I am going to swap the 831 with a 2600, and if that works then I will finish the how-to. But the other 4 sites I have work great on 3DES.

________________________________
From: Chris Nottingham [mailto:chris at thewebgeek dot com]
Sent: Tuesday, March 08, 2005 7:49 AM
To: Elijah Savage; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] m0n0 to cisco point to point ipsec

Works great with single DES/MD5, but 3DES/MD5 will not complete phase 2.

________________________________
From: Elijah Savage [mailto:esavage at digitalrage dot org]
Sent: Mon 3/7/2005 6:51 PM
To: Chris Nottingham; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] m0n0 to cisco point to point ipsec

Let me know if you got it working.

-----Original Message-----
From: Chris Nottingham
Sent: Sunday, March 06, 2005 6:46 PM
To: Elijah Savage; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] m0n0 to cisco point to point ipsec

Elijah,

Thank you for the config. I have just a couple questions to clarify the whole config. I would set my m0n0 for 3DES/MD5 for phase 1 with pre-shared secret, and phase 2 would be ESP with 3DES/MD5? What would I use for the DH group for phase 1 with this config?

Thanks,
Chris

----------------------------------------------------------------------------

This will get you started. He will need to put in the appropriate access-list 120 to send across the tunnel; if he is a Cisco guy he will understand this.

crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key XXX address X.X.X.X no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map clientmap 1 ipsec-isakmp
 set peer X.X.X.X
 set transform-set myset
 match address 120
Int s0/0
 crypto map clientmap
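
An added example, not part of the thread or either poster's configuration: a short Python script that reads the IOS crypto configuration quoted above and lists the phase 1 and phase 2 values the m0n0wall side has to match, filling in IOS defaults for anything the config leaves out (such as the DH group asked about). The function names are hypothetical; it assumes classic IOS 12.x defaults (DES, SHA, RSA signatures, group 1, 86400 seconds; PFS off unless `set pfs` is present) and a single ISAKMP policy and crypto map entry.

```python
# Constructed sample: the router config from the thread, placeholders as posted.
IOS_CONFIG = """\
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key XXX address X.X.X.X no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map clientmap 1 ipsec-isakmp
 set peer X.X.X.X
 set transform-set myset
 match address 120
"""
# Assumption: classic IOS 12.x defaults apply to keywords the policy omits.
PHASE1_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

def sections(text):  # group indented sub-commands under their parent line
    out, parent = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            parent = line.strip()
            out.setdefault(parent, [])
        elif parent:
            out[parent].append(line.split())
    return out

def peer_requirements(text):
    """Return the phase 1 / phase 2 values the remote peer has to match."""
    secs = sections(text)
    sets = {h.split()[3]: h.split()[4:] for h in secs
            if h.split()[:3] == ["crypto", "ipsec", "transform-set"]}
    p1, p2 = dict(PHASE1_DEFAULTS), {"transforms": [], "pfs": "off"}
    for head, subs in secs.items():
        words = head.split()
        if words[:3] == ["crypto", "isakmp", "policy"]:
            for s in subs:
                key = "encr" if s[0].startswith("encr") else s[0]
                if key in p1:
                    p1[key] = " ".join(s[1:])
        elif words[:2] == ["crypto", "map"]:
            for s in subs:
                if s[:2] == ["set", "transform-set"]:
                    p2["transforms"] = sets.get(s[2], [])
                elif s[:2] == ["set", "pfs"]:  # assumption: bare "set pfs" = group1
                    p2["pfs"] = s[2] if len(s) > 2 else "group1"
    return {"phase1": p1, "phase2": p2}

if __name__ == "__main__":
    print(peer_requirements(IOS_CONFIG))
```

For the posted config this reports 3DES/MD5/pre-share with DH group 1 for phase 1, and ESP 3DES with MD5 HMAC and no PFS for phase 2.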