[ previous ] [ next ] [ threads ]
 From:  "David Kitchens" <spider at webweaver dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  IPSEC problem conntecting to Cisco
 Date:  Tue, 31 May 2005 13:30:03 -0400
I have been ripping my hair out for over a week now and have an upset client
over this problem. The client recently changed ISP's and I suggested a
m0n0wall during this change. They previously had two Cisco 1711's in place
with a VPN connecting the MI and IL offices. I took the Cisco out of the MI
office and I had no problems getting M0n0 to work with their new connection.
Its a static IP as is the IL office. I have reconfigured the IL Cisco to use
the following settings for the VPN,
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key ***** address 69.129.x.98 no-xauth
crypto ipsec transform-set to_IL esp-3des esp-md5-hmac
crypto map myvpn local-address FastEthernet0
crypto map myvpn 10 ipsec-isakmp
 set peer 69.129.x.98
 set transform-set to_IL
 match address 101
My m0n0wall settings are:
Interface  WAN 
Local subnet Type: LAN subnet 
Remote subnet
Remote gateway  209.83.x.85
Description  IL VPN
Phase 1 proposal (Authentication) 
Negotiation mode  aggressive 
My identifier  My IP address
Encryption algorithm  3DES
Hash algorithm  MD5 
DH key group  2
Lifetime  86400 seconds 
Pre-Shared Key  ***** 
Phase 2 proposal (SA/Key Exchange) 
Protocol  ESP
Hash algorithms  MD5 
PFS key group  off 
Lifetime  86400 seconds
No matter what I do, the tunnel is never established, there is no indication
that it even tries to establish itself. The logs in m0n0 show recoon
restarting when I apply any changes but after pinging either side, which
should get the tunnel started, there is no entry in m0n0 that even shows an
attempt. I have rebuilt the tunnel from scratch several times. I have made a
sucessful VPN to my home m0n0wall and it shows all appropriate logs when
establishing that one but not the one to the Cisco!  I am not Cisco fluent
to get log entries on it but "sh crypto session" tells me the tunnel is
DOWN. Chris Buechler has tried to help but he says all the settings are
correct and should be working so I throw this back to the list in hope
someone else may have a clue before my client shoots me??? HELP???