 
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC tunnel to Cisco PIX
 Date:  Sat, 9 Jul 2005 21:29:16 -0400
> On 7/8/05, Richard Green <richardgreen1965 at gmail dot com> wrote:
> >
> > Henry wrote:
> > > Have you tried this link. I followed these directions and it works fine for
> > > me.
> > > http://m0n0.ch/wall/docbook/examplevpn.html#id2600839
> >
> > Yes, saw that. My config matches (have also tried with just the specific Phase
> > 2 settings of MD5 and 3DES to cut down the negotiation options...).
> >
> 
> Are you certain - I can't see where you're disabling NAT on the VPN
> packets so they route correctly?
> 
> From that link:
> Last step is to tell the PIX to not use NAT on the packets using this
> VPN connection and route them instead.
> [...]
> access-list no-nat permit ip 10.0.0.1 255.255.255.0 10.0.1.0 255.255.255.0
> access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
> 

From the racoon logs, which as verbose as they can be still don't tell
you much, you didn't mention anything that sounds like it can't
negotiate.  Go to the Diagnostics -> IPsec screen on your m0n0wall and
see if you have anything in your SAD.  If you do, you have something
messed up on the PIX (possibly the no-NAT, as mentioned above).

Otherwise check out the debug isakmp commands on the PIX.  When I've
gotten m0n0wall to PIX tunnels up in the past (and wrote the document
mentioned earlier), the PIX debug was slightly more helpful than the
racoon logs.

-Chris
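As an added illustration of the no-NAT point raised in this thread (this is not configuration from the thread or from the m0n0wall documentation; the addressing, the access-list names `no-nat` and `vpn-traffic` and the overload rule are assumed), here is the PIX 6.x-style NAT exemption placed beside the rule it corrects. The point to check is that the exemption covers exactly the same local/remote network pair that the m0n0wall Phase 2 entry and the crypto access-list use; otherwise the PIX translates the packets before the crypto map sees them and the tunnel never carries traffic even though Phase 1 may complete.

```text
! Assumed addressing (constructed for this example):
!   PIX inside LAN  10.0.0.0/24
!   m0n0wall LAN    10.0.1.0/24
! Both networks must match the Phase 2 local/remote networks configured on the m0n0wall.

! Weak: a single overload rule translates everything leaving 'inside',
! including traffic destined for the remote LAN, so it never matches the
! crypto access-list and is sent out untunneled.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Corrected: exempt the LAN-to-LAN pair from translation and bind the
! exemption with nat 0, which the PIX evaluates before the overload rule.
access-list no-nat permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list no-nat

! The crypto access-list that selects traffic for the tunnel should name
! the same network pair (and must be the mirror image of the m0n0wall side).
access-list vpn-traffic permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

! Verification on the PIX, matching the SAD check suggested for m0n0wall:
!   show crypto isakmp sa     -> Phase 1 state
!   show crypto ipsec sa      -> Phase 2 SAs and encap/decap packet counters
!   debug crypto isakmp       -> negotiation detail when the SAs are missing
```

If `show crypto ipsec sa` shows SAs but the encaps counter stays at zero while decaps increments, traffic is arriving from the m0n0wall side but the PIX is not sending any back, which is the symptom of a missing or mismatched NAT exemption rather than a negotiation failure.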