 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  David Kitchens <spider at webweaver dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC problem connecting to Cisco
 Date:  Tue, 31 May 2005 18:55:58 -0400
David Kitchens wrote:

>I have been ripping my hair out for over a week now and have an upset client
>over this problem. The client recently changed ISPs and I suggested a
>m0n0wall during this change. They previously had two Cisco 1711s in place
>with a VPN connecting the MI and IL offices. I took the Cisco out of the MI
>office and I had no problems getting M0n0 to work with their new connection.
>It's a static IP, as is the IL office. I have reconfigured the IL Cisco to use
>the following settings for the VPN,
>crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
>crypto isakmp key ***** address 69.129.x.98 no-xauth
>crypto ipsec transform-set to_IL esp-3des esp-md5-hmac
>crypto map myvpn local-address FastEthernet0
>crypto map myvpn 10 ipsec-isakmp
> set peer 69.129.x.98
> set transform-set to_IL
> match address 101
>My m0n0wall settings are:
>Interface  WAN 
>Local subnet Type: LAN subnet 
>Remote subnet
>Remote gateway  209.83.x.85
>Description  IL VPN
>Phase 1 proposal (Authentication) 
>Negotiation mode  aggressive 
>My identifier  My IP address
>Encryption algorithm  3DES
>Hash algorithm  MD5 
>DH key group  2
>Lifetime  86400 seconds 
>Pre-Shared Key  ***** 
>Phase 2 proposal (SA/Key Exchange) 
>Protocol  ESP
>Hash algorithms  MD5 
>PFS key group  off 
>Lifetime  86400 seconds
>No matter what I do, the tunnel is never established, there is no indication
>that it even tries to establish itself. The logs in m0n0 show racoon
>restarting when I apply any changes but after pinging either side, which
>should get the tunnel started, there is no entry in m0n0 that even shows an
>attempt. I have rebuilt the tunnel from scratch several times. I have made a
>successful VPN to my home m0n0wall and it shows all appropriate logs when
>establishing that one but not the one to the Cisco!  I am not Cisco fluent
>to get log entries on it but "sh crypto session" tells me the tunnel is
>DOWN. Chris Buechler has tried to help but he says all the settings are
>correct and should be working so I throw this back to the list in hope
>someone else may have a clue before my client shoots me??? HELP???

While not fluent in Cisco, I do have a VPN tunnel running from a 
m0n0wall to Cisco 3500.  I can send you an excerpt from the Cisco config 
for your examination if you wish.
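Added example, not from this thread and not code from m0n0wall or Cisco: when an IKE tunnel never gets past phase 1 and the responder logs nothing useful, the first thing to verify is that both peers' phase 1 proposals actually line up, because a proposal mismatch is rejected before any SA is logged on the m0n0wall side. The checker below parses a Cisco IOS `crypto isakmp policy` block and a m0n0wall phase 1 form (both reconstructed here from the values quoted above as constructed sample input), fills in the Cisco IOS defaults for any policy line that is omitted (IOS behaviour stated here, not on the page: an unset policy uses `encr des`, `hash sha`, `authentication rsa-sig`, `group 1`, `lifetime 86400`), and reports every parameter that differs. The label table and value spellings are assumptions made for this example.

```python
"""Compare IKE phase 1 proposals from a Cisco IOS 'crypto isakmp policy' block
and a m0n0wall phase 1 form, and report parameters that do not match."""

import re

# Cisco IOS values used for any parameter not written in the policy block
# (IOS documentation defaults; assumed here, not taken from the thread).
IOS_POLICY_DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# Map both vendors' spellings onto one neutral value per parameter.
CANON = {
    "3des": "3des", "des": "des", "aes": "aes",
    "md5": "md5", "sha": "sha1", "sha1": "sha1",
    "pre-share": "psk", "rsa-sig": "rsa-sig",
}

# m0n0wall form labels (as they appear in the quoted settings) -> parameter.
M0N0_LABELS = {
    "Encryption algorithm": "encryption",
    "Hash algorithm": "hash",
    "DH key group": "group",
    "Lifetime": "lifetime",
    "Negotiation mode": "mode",
}

PHASE1_KEYS = ("encryption", "hash", "authentication", "group", "lifetime")


def parse_ios_isakmp_policy(text):
    """Parse one 'crypto isakmp policy N' block; missing lines take IOS defaults."""
    policy = dict(IOS_POLICY_DEFAULTS)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "crypto":
            continue  # skip blank lines and the 'crypto isakmp policy N' header
        key = "encryption" if parts[0] == "encr" else parts[0]
        if key in policy:
            policy[key] = parts[1]
    return policy


def parse_m0n0_phase1(text):
    """Parse 'Label  value' lines from the m0n0wall phase 1 form (two+ spaces apart)."""
    settings = {"authentication": "psk"}  # the form shown uses a pre-shared key
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s{2,}(.+?)\s*$", line)
        if not m:
            continue
        key = M0N0_LABELS.get(m.group(1))
        if key:
            settings[key] = m.group(2).split()[0].lower()  # "86400 seconds" -> "86400"
    return settings


def normalize(value):
    v = value.lower()
    return CANON.get(v, v)


def compare_phase1(ios_policy, m0n0_settings):
    """Return {parameter: (cisco_value, m0n0wall_value)} for each mismatch."""
    mismatches = {}
    for key in PHASE1_KEYS:
        a = normalize(ios_policy.get(key, ""))
        b = normalize(m0n0_settings.get(key, ""))
        if a != b:
            mismatches[key] = (a, b)
    return mismatches


# Constructed sample input: the two configurations quoted in the thread.
CISCO_POLICY = """crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
"""

M0N0_PHASE1 = """Negotiation mode  aggressive
My identifier  My IP address
Encryption algorithm  3DES
Hash algorithm  MD5
DH key group  2
Lifetime  86400 seconds
Pre-Shared Key  *****
"""


def check_thread_configs():
    """Run the comparison on the constructed sample above."""
    return compare_phase1(parse_ios_isakmp_policy(CISCO_POLICY),
                          parse_m0n0_phase1(M0N0_PHASE1))


if __name__ == "__main__":
    for key, (cisco, m0n0) in check_thread_configs().items():
        print(f"phase 1 mismatch on {key}: Cisco={cisco} m0n0wall={m0n0}")
```

Run as a script it prints one line per differing parameter; with the thread's values, the only difference it finds is the DH group, because the Cisco policy has no `group` line and so falls back to the IOS default while the m0n0wall form selects group 2. The checker deliberately reads the m0n0wall negotiation mode but does not compare it, since the Cisco side's accepted mode is not expressed in the `isakmp policy` block.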