 From:  "henry" <henry at ttcomaha dot com>
 To:  Richard Green <richardgreen1965 at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPSEC tunnel to Cisco PIX
 Date:  Thu, 07 Jul 2005 20:32:37 -0500
Have you tried this link?  I followed these directions and it works fine for me.
http://m0n0.ch/wall/docbook/examplevpn.html#id2600839


On Fri, 8 Jul 2005 11:14:47 +1000, Richard Green <richardgreen1965 at gmail dot com> wrote:
> 
> 
> I am attempting to set up an IPSEC tunnel to a Cisco Pix box, so far no 
> success.
> 
> Upon a m0n0wall reboot, there are no error messages reported, but the SA is 
> not set up.
> 
> When I subsequently edit (or pretend to edit), then apply the changes, I see 
> this message.
> 
> racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. 
> anyway replace it: 192.168.157.0/24[0] xxx.xxx.xxx.xxx[0] proto=any dir=out
> 
> So I guess something happens in attempting at least Phase 1, and maybe Phase 
> 2, but it's not successful, and there seems to be no way to see more detailed 
> logging to guide me here.
> 
> How can I see in more detail what is happening from m0n0wall's perspective? Or 
> does anyone see any problems with my configurations below?
> 
> Cheers, Richard
> 
> ---------
> 
> Below is my m0n0wall and pix config. 
> 
> xxx.xxx.xxx.xxx is the network number behind the PIX device
> yyy.yyy.yyy.yyy is the external IP address of the PIX device
> zzz.zzz.zzz.zzz is the WAN address of my m0n0wall device
> 
> M0N0WALL (1.11)
> 
> Phase 1 proposal (Authentication)
> VPN: IPsec: Edit tunnel
> Mode  Tunnel
> Interface: WAN
> Local subnet: LAN Subnet
> Remote subnet: xxx.xxx.xxx.xxx/29
> Remote gateway: yyy.yyy.yyy.yyy
> Negotiation mode: Aggressive (have tried both 'Main mode' and 'Aggressive 
> mode')
> Encryption algorithm: 3DES
> Hash algorithm: MD5
> DH Group: 2
> Lifetime: 86400
> Pre-Shared Key: my-secret
> 
> Phase 2 proposal (SA/Key Exchange)
> Protocol: ESP
> Encryption algorithms: All checked (including 3DES)
> Hash algorithms: All checked (including MD5)
> PFS key group: Off (have tried 1,2,3)
> Lifetime: 86400
> 
> CISCO PIX CONFIGURATION (OS version: Cisco PIX Firewall Version 6.3(4)120
> PIX model: Hardware: PIX-515E)
> 
> access-list cryptomap_20 permit ip xxx.xxx.xxx.xxx 255.255.255.248 
> 192.168.157.0 255.255.255.0 
> 
> sysopt connection permit-ipsec
> 
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
> 
> crypto map some_map 20 ipsec-isakmp
> crypto map some_map 20 match address cryptomap_20
> crypto map some_map 20 set peer zzz.zzz.zzz.zzz
> crypto map some_map 20 set transform-set ESP-3DES-MD5
> crypto map some_map 20 set security-association lifetime seconds 1800 
> kilobytes 4608000
> crypto map some_map interface outside
> 
> isakmp enable outside
> isakmp key my-secret address zzz.zzz.zzz.zzz netmask 255.255.255.255 
> isakmp identity address
> 
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> 
> 
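As an added example (not part of this thread, nor m0n0wall or PIX code), a small Python checker that parses the PIX crypto lines quoted above and compares them with the m0n0wall Phase 1/Phase 2 proposal, listing every parameter on which the two peers disagree. The masked addresses are replaced by assumed RFC 5737 documentation addresses, and the exact m0n0wall "all checked" Phase 2 algorithm list is an assumption; on the posted values it reports only the Phase 2 lifetime difference (1800 s on the PIX, 86400 s on m0n0wall).

```python
import ipaddress
# Constructed sample: the PIX lines from the post, with the masked addresses replaced by
# RFC 5737 documentation addresses (assumed values, not from the thread).
PIX_CONFIG = """
access-list cryptomap_20 permit ip 203.0.113.0 255.255.255.248 192.168.157.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map some_map 20 set transform-set ESP-3DES-MD5
crypto map some_map 20 set security-association lifetime seconds 1800 kilobytes 4608000
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""
# m0n0wall side as posted; Phase 2 values are sets of accepted options (exact "all checked" list assumed).
MONOWALL = {"local_subnet": "192.168.157.0/24", "remote_subnet": "203.0.113.0/29",
            "p1": {"encryption": "3des", "hash": "md5", "group": "2", "lifetime": "86400"},
            "p2": {"encryption": {"3des", "aes", "des"}, "hash": {"md5", "sha1"}, "lifetime": {86400}}}

def parse_pix(text):
    """Extract Phase 1/Phase 2 parameters and the protected subnets from PIX 6.x crypto lines."""
    cfg, transforms, chosen = {"p1": {}, "p2": {}}, {}, None
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            # ipaddress accepts dotted netmasks, so 255.255.255.248 becomes /29
            cfg["acl"] = (ipaddress.ip_network(f"{w[4]}/{w[5]}"), ipaddress.ip_network(f"{w[6]}/{w[7]}"))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            transforms[w[3]] = w[4:]  # e.g. ['esp-3des', 'esp-md5-hmac']
        elif w[4:6] == ["set", "transform-set"]:
            chosen = w[6]
        elif w[4:8] == ["set", "security-association", "lifetime", "seconds"]:
            cfg["p2"]["lifetime"] = int(w[8])
        elif w[:2] == ["isakmp", "policy"]:
            cfg["p1"][w[3]] = w[4]
    # esp-3des -> 3des, esp-md5-hmac -> md5
    cfg["p2"]["encryption"], cfg["p2"]["hash"] = [t.replace("esp-", "").replace("-hmac", "") for t in transforms[chosen]]
    return cfg

def compare(pix, mono):
    """List the parameters on which the peers disagree; an empty list means the proposals line up."""
    issues = []
    for key in ("encryption", "hash", "group", "lifetime"):
        if pix["p1"].get(key) != mono["p1"][key]:
            issues.append(f"phase1 {key}: PIX {pix['p1'].get(key)} vs m0n0wall {mono['p1'][key]}")
    for key in ("encryption", "hash", "lifetime"):
        if pix["p2"][key] not in mono["p2"][key]:
            issues.append(f"phase2 {key}: PIX {pix['p2'][key]} not among m0n0wall {sorted(mono['p2'][key])}")
    # The PIX ACL is written from the PIX side, so its source network is m0n0wall's remote subnet.
    for label, pix_net, mono_net in zip(("remote", "local"), pix["acl"], (mono["remote_subnet"], mono["local_subnet"])):
        if pix_net != ipaddress.ip_network(mono_net):
            issues.append(f"{label} subnet: PIX {pix_net} vs m0n0wall {mono_net}")
    return issues
```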