David
I don't see the access-list 101 in your mail, but you have to ensure it is in the format:
access-list 101 permit ip local-net rev-mask remote-net rev-mask
I see that your timers do not match:
- IOS defaults to 3600s for phase-1 and 28800 for phase-2
- Your m0n0wall is set to 86400s / 86400s
I don't remember the maximum for IOS but this could be the problem.
Another problem could be the fact that m0n0wall is set for aggressive-mode (I'm not sure, but I guess IOS defaults to main-mode).
If you have access to the Cisco device you can use following commands to troubleshoot:
- show crypto isakmp sa
View all current IKE security associations (SAs) at a peer.
- show crypto ipsec sa
Shows the settings used by current [IPSec] security associations.
- show crypto engine connections active
Shows current connections and information regarding encrypted and decrypted packets.
You can also debug but be aware if you are connected via a slow link:
- debug crypto isakmp
Displays errors during Phase 1.
- debug crypto ipsec
Displays errors during Phase 2.
- debug crypto engine
Displays information from the crypto engine.
And with following commands you can clear the tunnel:
- clear crypto isakmp
Clears the Phase 1 security associations.
- clear crypto sa
Clears the Phase 2 security associations.
Hope this helps
best regards
------------------------------------------------------------------
Daniele Guazzoni
Senior Network Engineer, CCNA, CCNP
Ackersteinstrasse 203
CH-8049 Zurich
------------------------------------------------------------------
"Destiny is not a matter of chance, it is a matter of choice;
it is not a thing to be waited for, it is a thing to be achieved."
William Jennings Bryan
David Kitchens wrote:
> I have been ripping my hair out for over a week now and have an upset client
> over this problem. The client recently changed ISPs and I suggested a
> m0n0wall during this change. They previously had two Cisco 1711s in place
> with a VPN connecting the MI and IL offices. I took the Cisco out of the MI
> office and I had no problems getting M0n0 to work with their new connection.
> It's a static IP, as is the IL office. I have reconfigured the IL Cisco to use
> the following settings for the VPN:
>
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> crypto isakmp key ***** address 69.129.x.98 no-xauth
> !
> !
> crypto ipsec transform-set to_IL esp-3des esp-md5-hmac
> !
> crypto map myvpn local-address FastEthernet0
> crypto map myvpn 10 ipsec-isakmp
> set peer 69.129.x.98
> set transform-set to_IL
> match address 101
>
> My m0n0wall settings are:
>
> Interface WAN
> Local subnet Type: LAN subnet
>
> Remote subnet 192.168.1.0/24
> Remote gateway 209.83.x.85
> Description IL VPN
>
> Phase 1 proposal (Authentication)
> Negotiation mode aggressive
> My identifier My IP address
> Encryption algorithm 3DES
> Hash algorithm MD5
> DH key group 2
> Lifetime 86400 seconds
> Pre-Shared Key *****
>
> Phase 2 proposal (SA/Key Exchange)
> Protocol ESP
> Hash algorithms MD5
> PFS key group off
> Lifetime 86400 seconds
>
> No matter what I do, the tunnel is never established; there is no indication
> that it even tries to establish itself. The logs in m0n0 show racoon
> restarting when I apply any changes, but after pinging either side, which
> should get the tunnel started, there is no entry in m0n0 that even shows an
> attempt. I have rebuilt the tunnel from scratch several times. I have made a
> successful VPN to my home m0n0wall and it shows all appropriate logs when
> establishing that one, but not the one to the Cisco! I am not Cisco fluent
> enough to get log entries on it, but "sh crypto session" tells me the tunnel is
> DOWN. Chris Buechler has tried to help, but he says all the settings are
> correct and should be working, so I throw this back to the list in hope
> someone else may have a clue before my client shoots me??? HELP???
>
> Dave
>