 
 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  m0n0wall list <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSEC problem connecting to Cisco
 Date:  Wed, 01 Jun 2005 01:48:20 +0200
David

I don't see the access-list 101 in your mail, but you have to ensure it is in the format:
	access-list 101 permit ip local-net rev-mask remote-net rev-mask

I see that your timers do not match:
- IOS defaults to 3600s for phase-1 and 28800 for phase-2
- Your m0n0wall is set to 86400s / 86400s
I don't remember the maximum for IOS but this could be the problem.

Another problem could be the fact that m0n0wall is set for aggressive mode (I'm not sure, but I guess
IOS defaults to main mode).


If you have access to the Cisco device you can use the following commands to troubleshoot:
- show crypto isakmp sa
  View all current IKE security associations (SAs) at a peer.
- show crypto ipsec sa
  Shows the settings used by current [IPSec] security associations.
- show crypto engine connections active
  Shows current connections and information regarding encrypted and decrypted packets.

You can also debug but be aware if you are connected via a slow link:
- debug crypto isakmp
  Displays errors during Phase 1.
- debug crypto ipsec
  Displays errors during Phase 2.
- debug crypto engine
  Displays information from the crypto engine.

And with the following commands you can clear the tunnel:
- clear crypto isakmp
  Clears the Phase 1 security associations.
- clear crypto sa
  Clears the Phase 2 security associations.


Hope this helps


	best regards

------------------------------------------------------------------
Daniele Guazzoni
Senior Network Engineer, CCNA, CCNP

Ackersteinstrasse 203
CH-8049 Zurich
------------------------------------------------------------------
"Destiny is not a matter of chance, it is a matter of choice;
it is not a thing to be waited for, it is a thing to be achieved."
					William Jennings Bryan



David Kitchens wrote:
> I have been ripping my hair out for over a week now and have an upset client
> over this problem. The client recently changed ISP's and I suggested a
> m0n0wall during this change. They previously had two Cisco 1711's in place
> with a VPN connecting the MI and IL offices. I took the Cisco out of the MI
> office and I had no problems getting M0n0 to work with their new connection.
> Its a static IP as is the IL office. I have reconfigured the IL Cisco to use
> the following settings for the VPN,
>  
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
> crypto isakmp key ***** address 69.129.x.98 no-xauth
> !
> !
> crypto ipsec transform-set to_IL esp-3des esp-md5-hmac
> !
> crypto map myvpn local-address FastEthernet0
> crypto map myvpn 10 ipsec-isakmp
>  set peer 69.129.x.98
>  set transform-set to_IL
>  match address 101
>  
> My m0n0wall settings are:
>  
> Interface  WAN 
> Local subnet Type: LAN subnet 
>  
> Remote subnet  192.168.1.0/24
> Remote gateway  209.83.x.85
> Description  IL VPN
>  
> Phase 1 proposal (Authentication) 
> Negotiation mode  aggressive 
> My identifier  My IP address
> Encryption algorithm  3DES
> Hash algorithm  MD5 
> DH key group  2
> Lifetime  86400 seconds 
> Pre-Shared Key  ***** 
>  
> Phase 2 proposal (SA/Key Exchange) 
> Protocol  ESP
> Hash algorithms  MD5 
> PFS key group  off 
> Lifetime  86400 seconds
>  
> No matter what I do, the tunnel is never established, there is no indication
> that it even tries to establish itself. The logs in m0n0 show racoon
> restarting when I apply any changes but after pinging either side, which
> should get the tunnel started, there is no entry in m0n0 that even shows an
> attempt. I have rebuilt the tunnel from scratch several times. I have made a
> successful VPN to my home m0n0wall and it shows all appropriate logs when
> establishing that one but not the one to the Cisco!  I am not Cisco fluent
> to get log entries on it but "sh crypto session" tells me the tunnel is
> DOWN. Chris Buechler has tried to help but he says all the settings are
> correct and should be working so I throw this back to the list in hope
> someone else may have a clue before my client shoots me??? HELP???
>  
> Dave
>
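
The IOS side of the tunnel written out as Daniele's reply suggests, as an added example for this thread rather than either poster's actual configuration. It takes the phase 1 and phase 2 values from the m0n0wall settings quoted above and states them explicitly on the router so that neither side is left relying on a default. Two things in the quoted router config are worth noting against the m0n0wall page: the isakmp policy does not state a DH group, and an IOS policy without one uses group 1 while m0n0wall is set to group 2; and the crypto map has no `set pfs`, which correctly matches "PFS key group off". The IL LAN is 192.168.1.0/24 as in the post; the MI LAN behind the m0n0wall is only described as "LAN subnet", so 10.0.0.0/24 is assumed here and is hypothetical. The peer address keeps the `x` the post used to mask the real address. On the m0n0wall side, since both ends have static addresses, setting Negotiation mode to main removes the main/aggressive mismatch Daniele raises and also avoids aggressive mode's exposure of the pre-shared-key hash in the clear.

```cisco
! Added example, not the configuration posted in the thread.
! Assumed (hypothetical): MI LAN behind the m0n0wall = 10.0.0.0/24.
! IL LAN behind this router = 192.168.1.0/24 (from the post).
! Peer address kept as masked in the post.
!
! Phase 1: every value stated to match the m0n0wall phase 1 proposal
! (3DES, MD5, pre-shared key, DH group 2, 86400 s).
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key ***** address 69.129.x.98 no-xauth
!
! Phase 2: ESP 3DES / MD5 as in the m0n0wall phase 2 proposal,
! with the 86400 s SA lifetime stated rather than left to the default.
crypto ipsec transform-set to_IL esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
!
! Crypto map: no "set pfs" line, matching "PFS key group off" on the m0n0wall.
crypto map myvpn local-address FastEthernet0
crypto map myvpn 10 ipsec-isakmp
 set peer 69.129.x.98
 set transform-set to_IL
 match address 101
!
! Interesting traffic, in the local-net wildcard remote-net wildcard form
! Daniele describes; the m0n0wall side must mirror it (local = 10.0.0.0/24,
! remote = 192.168.1.0/24).
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! Verification from exec mode after pinging across the tunnel:
!   show crypto isakmp sa   - the peer should show state QM_IDLE once phase 1 is up
!   show crypto ipsec sa    - the "#pkts encaps" / "#pkts decaps" counters should increase
```

If `show crypto isakmp sa` shows nothing at all after traffic is sent, the access list is the first thing to check, since no matching packet means the crypto map never initiates; if it shows MM_NO_STATE or the m0n0wall logs a proposal rejection, compare the phase 1 values line by line against the policy above.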