[ previous ] [ next ] [ threads ]
 
 From:  "David Kitchens" <spider at webweaver dot com>
 To:  "'Richard Green'" <richardgreen1965 at gmail dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSEC tunnel to Cisco PIX
 Date:  Thu, 7 Jul 2005 21:28:02 -0400
I tried a very similar setup a month or so back. The fix was to buy another
Soekris and ship it to the remote location using monowall! One of two Cisco
routers had died and I replaced it with a Soekris. I had a few guys look at
my config which is very simular to yours and nobody could get them to talk.
Chris has a nice writeup in the DocBook about it but it didn't work in my
situation. I spent way too many hours trying to make it work and in 5 min I
had the shipped M0n0wall with vpn running by walking a guy on the phone thru
what wire to pull out of the cisco and put into the Soekris box. Shame to
throw out that expensive Cisco! Cheers to M0n0wall for being so much easier
and friendly to use! Not a bit of VPN drop since it was installed! :)

Dave

> -----Original Message-----
> From: Richard Green [mailto:richardgreen1965 at gmail dot com] 
> Sent: Thursday, July 07, 2005 9:15 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] IPSEC tunnel to Cisco PIX
> 
> 
> I am attempting to set up an IPSEC tunnel to a Cisco Pix box, 
> so far no success.
> 
> Upon a m0n0wall reboot, there are no error messages reported, 
> but the SA is not set up.
> 
> When I subsequently edit (or pretend to edit), then apply the 
> changes, I see this message.
> 
> racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy 
> already exists. 
> anyway replace it: 192.168.157.0/24[0] xxx.xxx.xxx.xxx[0] 
> proto=any dir=out
> 
> So I guess something happens in attempting at least Phase 1, 
> and maybe Phase 2, but it's not successful, and there seems 
> to be no way to see more detailed logging to guide me here.
> 
> How can I see in more detail what is happening from 
> m0n0wall's perspective? Or does anyone see any problems with 
> my configurations below?
> 
> Cheers, Richard
> 
> ---------
> 
> Below is my m0n0wall and pix config. 
> 
> xxx.xxx.xxx.xxx is the network number behind the PIX device 
> yyy.yyy.yyy.yyy is the external IP address of the PIX device 
> zzz.zzz.zzz.zzz is the WAN address of my m0n0wall device
> 
> M0N0WALL (1.11)
> 
> Phase 1 proposal (Authentication)
> VPN: IPsec: Edit tunnel
> Mode  Tunnel
> Interface: WAN
> Local subnet: LAN Subnet
> Remote subnet: xxx.xxx.xxx.xxx/29
> Remote gateway: yyy.yyy.yyy.yyy
> Negotiation mode: Aggressive (have tried both 'Main mode' and 
> 'Aggressive mode'
> Encryption algorithm: 3DES
> Hash algorithm: MD5
> DH Group: 2
> Lifetime: 86400
> Pre-Shared Key: my-secret
> 
> Phase 2 proposal (SA/Key Exchange)
> Protocol: ESP
> Encryption algorithms: All checked (including 3DES) Hash 
> algorithms: All checked (including MD5) PFS key group: Off 
> (have tried 1,2,3)
> Lifetime: 86400
> 
> CISCO PIX CONFIGURATION (OS version: Cisco PIX Firewall 
> Version 6.3(4)120 PIX model: Hardware: PIX-515E)
> 
> access-list cryptomap_20 permit ip xxx.xxx.xxx.xxx 
> 255.255.255.248 192.168.157.0 255.255.255.0 
> 
> sysopt connection permit-ipsec
> 
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
> 
> crypto map some_map 20 ipsec-isakmp
> crypto map some_map 20 match address cryptomap_20 crypto map 
> some_map 20 set peer zzz.zzz.zzz.zzz crypto map some_map 20 
> set transform-set ESP-3DES-MD5 crypto map some_map 20 set 
> security-association lifetime seconds 1800 kilobytes 4608000 
> crypto map some_map interface outside
> 
> isakmp enable outside
> isakmp key my-secret address zzz.zzz.zzz.zzz netmask 
> 255.255.255.255 isakmp identity address
> 
> isakmp policy 20 authentication pre-share isakmp policy 20 
> encryption 3des isakmp policy 20 hash md5 isakmp policy 20 
> group 2 isakmp policy 20 lifetime 86400
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
>