On Sun, 10 Jul 2005 11:29 am, Chris Buechler wrote:
> On 7/9/05, • • <googl3meister at gmail dot com> wrote:
> > On 7/8/05, Richard Green <richardgreen1965 at gmail dot com> wrote:
> > > Henry wrote:
> > > > Have you tried this link. I followed these directions and it works
> > > > fine for me.
> > > >
> > > > http://m0n0.ch/wall/docbook/examplevpn.html#id2600839
> > >
> > > Yes saw that. My config matches (have also tried with just the specific
> > > Phase 2 settings of - MD5 and 3DES to cut down the negotiation
> > > options...).
> >
> > Are you certain - I can't see where you're disabling NAT on the VPN
> > packets so they route correctly?
> >
> > From that link:
> > Last step is to tell the PIX to not use NAT on the packets using this
> > VPN connection and route them instead.
> > [...]
> > access-list no-nat permit ip 10.0.0.1 255.255.255.0 10.0.1.0 255.255.255.0
> > access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
>
> From the racoon logs, which as verbose as they can be still don't tell
> you much, you didn't mention anything that sounds like it can't
> negotiate. Go to the Diagnostics -> IPsec screen on your m0n0wall and
> see if you have anything in your SAD. If you do, you have something
> messed up on the PIX (possibly the no-NAT, as mentioned above).
>
> Otherwise check out the debug isakmp commands on the PIX. When I've
> gotten m0n0wall to PIX tunnels up in the past (and wrote the document
> mentioned earlier), the PIX debug was slightly more helpful than the
> racoon logs.
>
> -Chris

Hi Chris

Thanks there's no entry in SAD - looks like the security association is not set up correctly. I'll see if I can get the data centre to do some diagnosis from their end as unfortunately that's not within my direct control.

Thanks
Richard

--
____________________________________________________________
Please note my new email address, richardgreen1965 at gmail dot com