 From:  Richard Green <richardgreen1965 at gmail dot com>
 To:  "David Kitchens" <spider at webweaver dot com>, "henry" <henry at ttcomaha dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC tunnel to Cisco PIX
 Date:  Fri, 8 Jul 2005 11:58:29 +1000
Henry wrote:

me.
> http://m0n0.ch/wall/docbook/examplevpn.html#id2600839

Yes, saw that. My config matches (have also tried with just the specific Phase 
2 settings of MD5 and 3DES to cut down the negotiation options...).

David Kitchens wrote:
> I tried a very similar setup a month or so back. The fix was to buy another
> Soekris and ship it to the remote location using monowall! One of two Cisco
> routers had died and I replaced it with a Soekris. 

Unfortunately that means I can't just swap it out for another system. Grrr.

Yes I like m0n0wall for many reasons - I just wish I could get verbose logging 
when I want it! 

-richard
> I had a few guys look at 
> my config which is very similar to yours and nobody could get them to talk.
> Chris has a nice writeup in the DocBook about it but it didn't work in my
> situation. I spent way too many hours trying to make it work and in 5 min I
> had the shipped M0n0wall with vpn running by walking a guy on the phone
> through what wire to pull out of the cisco and put into the Soekris box. Shame
> to throw out that expensive Cisco! Cheers to M0n0wall for being so much
> easier and friendly to use! Not a bit of VPN drop since it was installed!
> :)
>
> Dave
>
> > -----Original Message-----
> > From: Richard Green [mailto:richardgreen1965 at gmail dot com]
> > Sent: Thursday, July 07, 2005 9:15 PM
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: [m0n0wall] IPSEC tunnel to Cisco PIX
> >
> >
> > I am attempting to set up an IPSEC tunnel to a Cisco Pix box,
> > so far no success.
> >
> > Upon a m0n0wall reboot, there are no error messages reported,
> > but the SA is not set up.
> >
> > When I subsequently edit (or pretend to edit), then apply the
> > changes, I see this message.
> >
> > racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy
> > already exists.
> > anyway replace it: 192.168.157.0/24[0] xxx.xxx.xxx.xxx[0]
> > proto=any dir=out
> >
> > So I guess something happens in attempting at least Phase 1,
> > and maybe Phase 2, but it's not successful, and there seems
> > to be no way to see more detailed logging to guide me here.
> >
> > How can I see in more detail what is happening from
> > m0n0wall's perspective? Or does anyone see any problems with
> > my configurations below?
> >
> > Cheers, Richard
> >
> > ---------
> >
> > Below is my m0n0wall and pix config.
> >
> > xxx.xxx.xxx.xxx is the network number behind the PIX device
> > yyy.yyy.yyy.yyy is the external IP address of the PIX device
> > zzz.zzz.zzz.zzz is the WAN address of my m0n0wall device
> >
> > M0N0WALL (1.11)
> >
> > Phase 1 proposal (Authentication)
> > VPN: IPsec: Edit tunnel
> > Mode  Tunnel
> > Interface: WAN
> > Local subnet: LAN Subnet
> > Remote subnet: xxx.xxx.xxx.xxx/29
> > Remote gateway: yyy.yyy.yyy.yyy
> > Negotiation mode: Aggressive (have tried both 'Main mode' and
> > 'Aggressive mode')
> > Encryption algorithm: 3DES
> > Hash algorithm: MD5
> > DH Group: 2
> > Lifetime: 86400
> > Pre-Shared Key: my-secret
> >
> > Phase 2 proposal (SA/Key Exchange)
> > Protocol: ESP
> > Encryption algorithms: All checked (including 3DES)
> > Hash algorithms: All checked (including MD5)
> > PFS key group: Off (have tried 1,2,3)
> > Lifetime: 86400
> >
> > CISCO PIX CONFIGURATION (OS version: Cisco PIX Firewall
> > Version 6.3(4)120 PIX model: Hardware: PIX-515E)
> >
> > access-list cryptomap_20 permit ip xxx.xxx.xxx.xxx 255.255.255.248 192.168.157.0 255.255.255.0
> >
> > sysopt connection permit-ipsec
> >
> > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> >
> > crypto map some_map 20 ipsec-isakmp
> > crypto map some_map 20 match address cryptomap_20
> > crypto map some_map 20 set peer zzz.zzz.zzz.zzz
> > crypto map some_map 20 set transform-set ESP-3DES-MD5
> > crypto map some_map 20 set security-association lifetime seconds 1800 kilobytes 4608000
> > crypto map some_map interface outside
> >
> > isakmp enable outside
> > isakmp key my-secret address zzz.zzz.zzz.zzz netmask 255.255.255.255
> > isakmp identity address
> >
> > isakmp policy 20 authentication pre-share
> > isakmp policy 20 encryption 3des
> > isakmp policy 20 hash md5
> > isakmp policy 20 group 2
> > isakmp policy 20 lifetime 86400
> >
> >

-- 

____________________________________________________________
Please note my new email address, richardgreen1965 at gmail dot com
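An added example, not code from the thread, from m0n0wall or from Cisco: a small checker that parses the PIX 6.3 crypto configuration quoted above and compares it with the m0n0wall tunnel settings, reporting the IKEv1 parameters that must agree between the two peers (phase 1 policy, pre-shared key and peer address, ESP transforms, PFS, traffic selectors) separately from those that merely differ. The sample input is the configuration from the original post with its placeholder addresses kept; the PIX default phase 2 SA lifetime of 28800 seconds is an assumption used when a crypto map sets none. For reference, the racoon message quoted in the original post ("such policy already exists ... anyway replace it") is emitted when racoon re-reads the kernel SPD on a configuration reload and finds an entry it already holds; it is not output from the IKE negotiation itself, so it does not indicate where phase 1 or phase 2 fails.

```python
"""Cross-check a m0n0wall IPsec tunnel against a PIX 6.3 crypto config.
Added example, not code from the m0n0wall project or the thread."""

# Constructed sample: the PIX commands quoted in the thread, one per line,
# with the poster's placeholder addresses left in place.
PIX_CONFIG = """
access-list cryptomap_20 permit ip xxx.xxx.xxx.xxx 255.255.255.248 192.168.157.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map some_map 20 match address cryptomap_20
crypto map some_map 20 set peer zzz.zzz.zzz.zzz
crypto map some_map 20 set transform-set ESP-3DES-MD5
crypto map some_map 20 set security-association lifetime seconds 1800 kilobytes 4608000
crypto map some_map interface outside
isakmp key my-secret address zzz.zzz.zzz.zzz netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# The m0n0wall side, transcribed from the thread's "Edit tunnel" page; only
# 3DES and MD5 are named among the "all checked" phase 2 boxes, so only they appear.
MONOWALL = {
    "wan": "zzz.zzz.zzz.zzz",
    "phase1": {"mode": "aggressive", "auth": "pre-share", "encryption": "3des",
               "hash": "md5", "dh_group": 2, "lifetime": 86400, "psk": "my-secret"},
    "phase2": {"encryption": {"3des"}, "hash": {"md5"}, "pfs_group": None,
               "lifetime": 86400, "local_subnet": "192.168.157.0/24",
               "remote_subnet": "xxx.xxx.xxx.xxx/29"},
}

# PIX transform-set keywords -> (m0n0wall phase 2 field, algorithm name)
ESP_NAMES = {"esp-des": ("encryption", "des"), "esp-3des": ("encryption", "3des"),
             "esp-aes": ("encryption", "aes"), "esp-md5-hmac": ("hash", "md5"),
             "esp-sha-hmac": ("hash", "sha1")}
PIX_P2_LIFETIME = 28800  # PIX 6.3 default phase 2 SA lifetime in seconds (assumption)

def mask_to_prefix(mask):
    """255.255.255.248 -> 29, so PIX ACL entries compare with m0n0wall CIDR."""
    return sum(bin(int(o)).count("1") for o in mask.split("."))

def parse_pix(text):
    """Pull the IKE/IPsec relevant commands out of a PIX 6.3 configuration."""
    pix = {"policies": {}, "transform_sets": {}, "crypto_maps": {}, "acls": {}, "psk": {}}
    for line in text.splitlines():
        w = line.split()
        if w[:2] == ["isakmp", "policy"]:           # isakmp policy N attr value
            pix["policies"].setdefault(w[2], {})[w[3]] = w[4]
        elif w[:2] == ["isakmp", "key"]:            # isakmp key K address A ...
            pix["psk"][w[4]] = w[2]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            pix["transform_sets"][w[3]] = set(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
            entry = pix["crypto_maps"].setdefault((w[2], int(w[3])), {})
            rest = w[4:]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform_set"] = rest[2]
            elif rest[:2] == ["set", "pfs"]:        # bare "set pfs" means group1
                entry["pfs_group"] = int(rest[2][5:]) if len(rest) > 2 else 1
            elif rest[:3] == ["set", "security-association", "lifetime"]:
                entry["lifetime"] = int(rest[rest.index("seconds") + 1])
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            pix["acls"].setdefault(w[1], []).append(
                (f"{w[4]}/{mask_to_prefix(w[5])}", f"{w[6]}/{mask_to_prefix(w[7])}"))
    return pix

def check_tunnel(pix, m0n0, map_name, seq):
    """Return [(severity, message)]: "mismatch" must be fixed, "check" is worth knowing."""
    out, p1, p2 = [], m0n0["phase1"], m0n0["phase2"]
    cm = pix["crypto_maps"][(map_name, seq)]
    # Phase 1: some PIX isakmp policy must match auth/enc/hash/group exactly;
    # lifetimes are negotiated rather than matched, so those are only "check".
    want = {"authentication": p1["auth"], "encryption": p1["encryption"],
            "hash": p1["hash"], "group": str(p1["dh_group"])}
    if not any(all(pol.get(k) == v for k, v in want.items()) for pol in pix["policies"].values()):
        out.append(("mismatch", f"no PIX isakmp policy matches phase 1 {want}"))
    if pix["psk"].get(m0n0["wan"]) != p1["psk"]:
        out.append(("mismatch", f"PIX pre-shared key for {m0n0['wan']} missing or different"))
    if p1["mode"] != "main":
        out.append(("check", "m0n0wall phase 1 is aggressive; a PIX 6.3 crypto map with a pre-shared "
                             "key initiates main mode, so the tunnel only comes up when m0n0wall initiates"))
    # Phase 2: every transform in the PIX set must be enabled on m0n0wall, PFS
    # must agree, and the PIX ACL (its net -> ours) must mirror local -> remote.
    if cm.get("peer") != m0n0["wan"]:
        out.append(("mismatch", f"PIX peer {cm.get('peer')} is not the m0n0wall WAN address"))
    for name in pix["transform_sets"][cm["transform_set"]]:
        field, alg = ESP_NAMES.get(name, (None, None))
        if field is None or alg not in p2[field]:
            out.append(("mismatch", f"transform {name} is not enabled on m0n0wall"))
    if cm.get("pfs_group") != p2["pfs_group"]:
        out.append(("mismatch", f"PFS differs: PIX {cm.get('pfs_group')} vs m0n0wall {p2['pfs_group']}"))
    if cm.get("lifetime", PIX_P2_LIFETIME) != p2["lifetime"]:
        out.append(("check", f"phase 2 lifetime: PIX {cm.get('lifetime', PIX_P2_LIFETIME)}s vs m0n0wall {p2['lifetime']}s"))
    if (p2["remote_subnet"], p2["local_subnet"]) not in pix["acls"].get(cm.get("acl"), []):
        out.append(("mismatch", f"ACL {cm.get('acl')} lacks {p2['remote_subnet']} -> {p2['local_subnet']}"))
    return out
```

Calling `check_tunnel(parse_pix(PIX_CONFIG), MONOWALL, "some_map", 20)` on the configs from the thread finds no hard mismatch: the phase 1 policy, the pre-shared key, the ESP transform set, PFS (off on both sides) and the traffic selectors all line up. It reports two soft differences, the 1800-second phase 2 lifetime on the PIX against 86400 on m0n0wall, and the aggressive-mode setting on the m0n0wall side. Changing one value on either side (a SHA-1 hash on m0n0wall, or `set pfs group2` added to the PIX crypto map) turns into a "mismatch" finding, which is the kind of discrepancy worth ruling out before chasing verbose logs.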