 From:  "Josh McAllister" <josh at bluehornet dot com>
 To:  "Chris Nottingham" <chris at thewebgeek dot com>, "Elijah Savage" <esavage at digitalrage dot org>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] m0n0 to cisco point to point ipsec
 Date:  Tue, 8 Mar 2005 09:02:39 -0800
I hate asking these "obvious" questions... depending on your answer, one
of us will probably feel a bit silly. 

Are you sure your IOS release supports 3des? AFAIK it's only in the last
couple years that Cisco stopped charging a premium for 3des.

Josh McAllister


> -----Original Message-----
> From: Chris Nottingham [mailto:chris at thewebgeek dot com]
> Sent: Tuesday, March 08, 2005 5:49 AM
> To: Elijah Savage; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] m0n0 to cisco point to point ipsec
> 
> Works great with single DES/MD5, but 3DES/MD5 will not complete phase 2.
> 
> ________________________________
> 
> From: Elijah Savage [mailto:esavage at digitalrage dot org]
> Sent: Mon 3/7/2005 6:51 PM
> To: Chris Nottingham; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] m0n0 to cisco point to point ipsec
> 
> Let me know if you got it working.
> 
> -----Original Message-----
> From: Chris Nottingham
> Sent: Sunday, March 06, 2005 6:46 PM
> To: Elijah Savage; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] m0n0 to cisco point to point ipsec
> 
> Elijah,
> 
> Thank you for the config.  I have just a couple questions to clarify the
> whole config. I would set my m0n0 for 3DES/MD5 for phase 1 with
> pre-shared secret, and phase 2 would be ESP with 3DES/MD5?  What would I
> use for the DH group for phase 1 with this config?
> 
> Thanks,
> Chris
> 
> ----------------------------------------------------------------------------
> 
> This will get you started. He will need to put in the appropriate
> access-list 120 to send across the tunnel; if he is a Cisco guy he will
> understand this.
> 
> crypto isakmp policy 11
>  encr 3des
>  hash md5
>  authentication pre-share
> crypto isakmp key XXX address X.X.X.X no-xauth
> 
> 
> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> 
> crypto map clientmap 1 ipsec-isakmp
>  set peer X.X.X.X
>  set transform-set myset
>  match address 120
> 
> Int s0/0
>  crypto map clientmap
> 
> 
> 
>