Yes, saw that. My config matches (have also tried with just the specific Phase
2 settings of MD5 and 3DES to cut down the negotiation options...).
David Kitchens wrote:
> I tried a very similar setup a month or so back. The fix was to buy another
> Soekris and ship it to the remote location using monowall! One of two Cisco
> routers had died and I replaced it with a Soekris.
Unfortunately that means I can't just swap it out for another system. Grrr.
Yes I like m0n0wall for many reasons - I just wish I could get verbose logging
when I want it!
> I had a few guys look at
> my config which is very similar to yours and nobody could get them to talk.
> Chris has a nice writeup in the DocBook about it but it didn't work in my
> situation. I spent way too many hours trying to make it work and in 5 min I
> had the shipped M0n0wall with vpn running by walking a guy on the phone
> through what wire to pull out of the Cisco and put into the Soekris box. Shame
> to throw out that expensive Cisco! Cheers to M0n0wall for being so much
> easier and friendly to use! Not a bit of VPN drop since it was installed!
> > -----Original Message-----
> > From: Richard Green [mailto:richardgreen1965 at gmail dot com]
> > Sent: Thursday, July 07, 2005 9:15 PM
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: [m0n0wall] IPSEC tunnel to Cisco PIX
> > I am attempting to set up an IPSEC tunnel to a Cisco Pix box,
> > so far no success.
> > Upon a m0n0wall reboot, there are no error messages reported,
> > but the SA is not set up.
> > When I subsequently edit (or pretend to edit), then apply the
> > changes, I see this message.
> > racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.157.0/24 xxx.xxx.xxx.xxx proto=any dir=out
> > So I guess something happens in attempting at least Phase 1,
> > and maybe Phase 2, but it's not successful, and there seems
> > to be no way to see more detailed logging to guide me here.
> > How can I see in more detail what is happening from
> > m0n0wall's perspective? Or does anyone see any problems with
> > my configurations below?
> > Cheers, Richard
> > ---------
> > Below is my m0n0wall and pix config.
> > xxx.xxx.xxx.xxx is the network number behind the PIX device
> > yyy.yyy.yyy.yyy is the external IP address of the PIX device
> > zzz.zzz.zzz.zzz is the WAN address of my m0n0wall device
> > M0N0WALL (1.11)
> > VPN: IPsec: Edit tunnel
> > Mode: Tunnel
> > Interface: WAN
> > Local subnet: LAN Subnet
> > Remote subnet: xxx.xxx.xxx.xxx/29
> > Remote gateway: yyy.yyy.yyy.yyy
> > Phase 1 proposal (Authentication)
> > Negotiation mode: Aggressive (have tried both 'Main mode' and 'Aggressive mode')
> > Encryption algorithm: 3DES
> > Hash algorithm: MD5
> > DH Group: 2
> > Lifetime: 86400
> > Pre-Shared Key: my-secret
> > Phase 2 proposal (SA/Key Exchange)
> > Protocol: ESP
> > Encryption algorithms: All checked (including 3DES)
> > Hash algorithms: All checked (including MD5)
> > PFS key group: Off (have tried 1, 2, 3)
> > Lifetime: 86400
> > CISCO PIX CONFIGURATION (OS version: Cisco PIX Firewall Version 6.3(4)120, PIX model: Hardware: PIX-515E)
> > access-list cryptomap_20 permit ip xxx.xxx.xxx.xxx 255.255.255.248 192.168.157.0 255.255.255.0
> > sysopt connection permit-ipsec
> > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> > crypto map some_map 20 ipsec-isakmp
> > crypto map some_map 20 match address cryptomap_20
> > crypto map some_map 20 set peer zzz.zzz.zzz.zzz
> > crypto map some_map 20 set transform-set ESP-3DES-MD5
> > crypto map some_map 20 set security-association lifetime seconds 1800 kilobytes 4608000
> > crypto map some_map interface outside
> > isakmp enable outside
> > isakmp key my-secret address zzz.zzz.zzz.zzz netmask 255.255.255.255
> > isakmp identity address
> > isakmp policy 20 authentication pre-share
> > isakmp policy 20 encryption 3des
> > isakmp policy 20 hash md5
> > isakmp policy 20 group 2
> > isakmp policy 20 lifetime 86400
Please note my new email address, richardgreen1965 at gmail dot com
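A mechanical cross-check of the two configurations quoted in this thread, added here as an example (it is not code from the thread, from m0n0wall or from Cisco): it parses the PIX crypto lines into a dict and compares them with the m0n0wall tunnel fields (Phase 1 policy, pre-shared key binding, transform set, PFS, the mirrored ACL and both lifetimes). The m0n0wall Phase 2 algorithm sets, the PIX default SA lifetime of 28800 s and the `isakmp am-disable` check are assumptions, and the xxx/yyy/zzz placeholders are carried over as-is, which is why the mask handling avoids the `ipaddress` module.

```python
"""Consistency check of a m0n0wall IPsec tunnel against a PIX 6.3 crypto config.
Added example, not code from the thread: the inputs are transcribed from the two
quoted configurations; the check list and field names are this example's own."""
import re

# The crypto lines transcribed from the PIX config quoted above (constructed copy).
PIX_CONFIG = """
access-list cryptomap_20 permit ip xxx.xxx.xxx.xxx 255.255.255.248 192.168.157.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map some_map 20 ipsec-isakmp
crypto map some_map 20 match address cryptomap_20
crypto map some_map 20 set peer zzz.zzz.zzz.zzz
crypto map some_map 20 set transform-set ESP-3DES-MD5
crypto map some_map 20 set security-association lifetime seconds 1800 kilobytes 4608000
crypto map some_map interface outside
isakmp enable outside
isakmp key my-secret address zzz.zzz.zzz.zzz netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Transcribed from the m0n0wall 1.11 tunnel page quoted above; the Phase 2 sets stand
# in for "all checked" (the exact algorithm list m0n0wall offers is an assumption).
M0N0_TUNNEL = {
    "wan_address": "zzz.zzz.zzz.zzz", "psk": "my-secret",
    "local_subnet": "192.168.157.0/24", "remote_subnet": "xxx.xxx.xxx.xxx/29",
    "p1": {"mode": "aggressive", "authentication": "pre-share", "encryption": "3des",
           "hash": "md5", "group": "2", "lifetime": "86400"},
    "p2": {"encryption": {"des", "3des", "blowfish", "cast128", "aes"}, "hash": {"md5", "sha1"},
           "pfs_group": None, "lifetime": 86400}}


def mask_to_prefix(mask):
    """255.255.255.248 -> 29 (popcount of the dotted mask, so xxx placeholders survive)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def parse_pix(text):
    """Pull the IKE/IPsec lines out of a PIX 6.3 config into one dict."""
    cfg = {"acls": {}, "transform_sets": {}, "crypto_maps": {},
           "isakmp_policies": {}, "isakmp_keys": {}, "aggressive_disabled": False}
    for line in text.strip().splitlines():
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (f"{src}/{mask_to_prefix(smask)}", f"{dst}/{mask_to_prefix(dmask)}"))
        elif m := re.match(r"crypto ipsec transform-set (\S+) esp-(\S+) esp-(\S+)-hmac$", line):
            cfg["transform_sets"][m[1]] = (m[2], m[3])
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)$", line):
            entry, rest = cfg["crypto_maps"].setdefault((m[1], m[2]), {}), m[3].split()
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] in (["set", "peer"], ["set", "transform-set"]):
                entry[rest[1].replace("-", "_")] = rest[2]
            elif rest[:2] == ["set", "pfs"]:  # "set pfs" with no group means group1 on PIX
                entry["pfs_group"] = rest[2].removeprefix("group") if len(rest) > 2 else "1"
            elif rest[:3] == ["set", "security-association", "lifetime"]:
                entry["lifetime"] = int(rest[rest.index("seconds") + 1])
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):
            cfg["isakmp_policies"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"isakmp key (\S+) address (\S+) netmask \S+$", line):
            cfg["isakmp_keys"][m[2]] = m[1]
        elif line == "isakmp am-disable":  # assumed PIX 6.3 knob that refuses aggressive mode
            cfg["aggressive_disabled"] = True
    return cfg


def check(m0n0, pix):
    """Return (problems, notes): problems would stop the tunnel negotiating on the
    settings shown; notes are discrepancies peers usually negotiate down instead."""
    problems, notes = [], []
    p1, p2, me = m0n0["p1"], m0n0["p2"], m0n0["wan_address"]
    # Phase 1: some isakmp policy must offer the same auth/cipher/hash/DH group.
    if not any(all(pol.get(k) == p1[k] for k in ("authentication", "encryption", "hash", "group"))
               for pol in pix["isakmp_policies"].values()):
        problems.append("phase1: no isakmp policy matches the m0n0wall proposal")
    if p1["mode"] == "aggressive" and pix["aggressive_disabled"]:
        problems.append("phase1: m0n0wall proposes aggressive mode but the PIX disables it")
    # The pre-shared key must be bound to the m0n0wall WAN address and be identical.
    key = pix["isakmp_keys"].get(me)
    if key != m0n0["psk"]:
        problems.append(f"psk: {'no isakmp key for' if key is None else 'different key for'} peer {me}")
    # Phase 2: the map entry peering with us needs an accepted transform, the same PFS
    # setting and an ACL that mirrors our local/remote subnets; lifetime is only a note.
    entries = [(k, e) for k, e in pix["crypto_maps"].items() if e.get("peer") == me]
    if not entries:
        problems.append(f"phase2: no crypto map entry has 'set peer {me}'")
    for (name, seq), e in entries:
        cipher, digest = pix["transform_sets"].get(e.get("transform_set"), (None, None))
        if cipher not in p2["encryption"] or digest not in p2["hash"]:
            problems.append(f"phase2: {name} {seq} transform {cipher}/{digest} not enabled on m0n0wall")
        if e.get("pfs_group") != p2["pfs_group"]:
            problems.append(f"phase2: {name} {seq} PFS {e.get('pfs_group')} != m0n0wall {p2['pfs_group']}")
        lifetime = e.get("lifetime", 28800)  # 28800 s assumed as the PIX default
        if lifetime != p2["lifetime"]:
            notes.append(f"phase2: {name} {seq} SA lifetime {lifetime}s != m0n0wall {p2['lifetime']}s")
        if (m0n0["remote_subnet"], m0n0["local_subnet"]) not in pix["acls"].get(e.get("acl"), []):
            problems.append(f"phase2: ACL {e.get('acl')} does not mirror the m0n0wall subnets")
    return problems, notes


if __name__ == "__main__":
    print(check(M0N0_TUNNEL, parse_pix(PIX_CONFIG)))
```

On the configurations as posted, the only discrepancy this reports is the Phase 2 SA lifetime (PIX 1800 s against m0n0wall 86400 s), which peers normally settle on the shorter value rather than reject, so the check does not by itself explain the missing SA; what it does rule out is the typo class of failures (key bound to the wrong address, transform not offered, ACL not mirroring the subnets), which is the part that is easiest to get wrong when retyping both sides.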