 From:  Richard Green <richardgreen1965 at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSEC tunnel to Cisco PIX
 Date:  Fri, 8 Jul 2005 11:14:47 +1000
I am attempting to set up an IPSEC tunnel to a Cisco Pix box, so far no 

Upon a m0n0wall reboot, there are no error messages reported, but the SA is 
not set up.

When I subsequently edit (or pretend to edit), then apply the changes, I see 
this message.

racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. 
anyway replace it:[0] xxx.xxx.xxx.xxx[0] proto=any dir=out

So I guess something happens in attempting at least Phase 1, and maybe Phase 
2, but it's not successful, and there seems to be no way to see more detailed 
logging to guide me here.

How can I see in more detail what is happening from m0n0wall's perspective? Or 
does anyone see any problems with my configurations below?

Cheers, Richard


Below is my m0n0wall and pix config. 

xxx.xxx.xxx.xxx is the network number behind the PIX device
yyy.yyy.yyy.yyy is the external IP address of the PIX device
zzz.zzz.zzz.zzz is the WAN address of my m0n0wall device

M0N0WALL (1.11)

Phase 1 proposal (Authentication)
VPN: IPsec: Edit tunnel
Mode  Tunnel
Interface: WAN
Local subnet: LAN Subnet
Remote subnet: xxx.xxx.xxx.xxx/29
Remote gateway: yyy.yyy.yyy.yyy
Negotiation mode: Aggressive (have tried both 'Main mode' and 'Aggressive 
Encryption algorithm: 3DES
Hash algorithm: MD5
DH Group: 2
Lifetime: 86400
Pre-Shared Key: my-secret

Phase 2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithms: All checked (including 3DES)
Hash algorithms: All checked (including MD5)
PFS key group: Off (have tried 1,2,3)
Lifetime: 86400

CISCO PIX CONFIGURATION (OS version: Cisco PIX Firewall Version 6.3(4)120
PIX model: Hardware: PIX-515E)

access-list cryptomap_20 permit ip xxx.xxx.xxx.xxx 

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto map some_map 20 ipsec-isakmp
crypto map some_map 20 match address cryptomap_20
crypto map some_map 20 set peer zzz.zzz.zzz.zzz
crypto map some_map 20 set transform-set ESP-3DES-MD5
crypto map some_map 20 set security-association lifetime seconds 1800 kilobytes 4608000
crypto map some_map interface outside

isakmp enable outside
isakmp key my-secret address zzz.zzz.zzz.zzz netmask 
isakmp identity address

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
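The first thing to rule out with a tunnel that never comes up is a proposal mismatch between the two ends, so below is an added example (not part of the original mail) that parses the posted PIX 6.3 lines and compares them against the m0n0wall GUI settings. It assumes the m0n0wall "All checked" phase 2 lists contain at least 3DES and MD5 (the exact GUI option list is not on the page) and treats a missing `set pfs` on the PIX as PFS off.

```python
# Constructed sample: the proposal-relevant lines of the PIX config from the post.
PIX_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map some_map 20 set transform-set ESP-3DES-MD5
crypto map some_map 20 set security-association lifetime seconds 1800 kilobytes 4608000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# m0n0wall GUI settings from the post. "All checked" is modelled as a set that contains
# at least 3DES and MD5 (assumption: the full list of GUI options is not given in the mail).
MONOWALL = {
    "p1": {"encryption": "3des", "hash": "md5", "group": "2", "lifetime": "86400"},
    "p2": {"encryption": {"3des", "aes"}, "hash": {"md5", "sha1"}, "pfs": "off", "lifetime": "86400"},
}


def parse_pix(text):
    """Extract the ISAKMP (phase 1) policy and the crypto-map (phase 2) settings."""
    p1, p2, transform_sets = {}, {"pfs": "off"}, {}   # no 'set pfs' line means PFS off
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            # "esp-3des esp-md5-hmac" -> ("3des", "md5")
            transform_sets[words[3]] = (words[4].split("-", 1)[1], words[5].split("-")[1])
        elif words[:2] == ["isakmp", "policy"]:
            p1[words[3]] = words[4]            # authentication / encryption / hash / group / lifetime
        elif "set transform-set" in line:
            p2["transform"] = transform_sets[words[-1]]
        elif "set security-association lifetime seconds" in line:
            p2["lifetime"] = words[words.index("seconds") + 1]
        elif "set pfs" in line:
            p2["pfs"] = words[-1] if words[-1].startswith("group") else "on"
    return {"p1": p1, "p2": p2}


def compare(mono, pix):
    """Return a list of human-readable differences between the two ends' proposals."""
    issues = []
    for key in ("encryption", "hash", "group", "lifetime"):
        if mono["p1"][key] != pix["p1"].get(key):
            issues.append(f"phase1 {key}: m0n0wall {mono['p1'][key]} != pix {pix['p1'].get(key)}")
    enc, hsh = pix["p2"]["transform"]
    if enc not in mono["p2"]["encryption"] or hsh not in mono["p2"]["hash"]:
        issues.append(f"phase2 transform: pix offers {enc}/{hsh}, not enabled on m0n0wall")
    if mono["p2"]["pfs"] != pix["p2"]["pfs"]:
        issues.append(f"phase2 pfs: m0n0wall {mono['p2']['pfs']} != pix {pix['p2']['pfs']}")
    if mono["p2"]["lifetime"] != pix["p2"].get("lifetime"):
        issues.append(f"phase2 lifetime: m0n0wall {mono['p2']['lifetime']} != pix {pix['p2'].get('lifetime')}")
    return issues


if __name__ == "__main__":
    for issue in compare(MONOWALL, parse_pix(PIX_CONFIG)):
        print(issue)
```

On the configs as posted, the only difference it reports is the phase 2 lifetime (86400 on m0n0wall versus 1800 on the PIX); the phase 1 policy and the 3DES/MD5 transform line up.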