On Sun, 10 Jul 2005 11:29 am, Chris Buechler wrote:
> On 7/9/05, • • <googl3meister at gmail dot com> wrote:
> > On 7/8/05, Richard Green <richardgreen1965 at gmail dot com> wrote:
> > > Henry wrote:
> > > > Have you tried this link. I followed these directions and it works
> > > > fine for me.
> > >
> > > > http://m0n0.ch/wall/docbook/examplevpn.html#id2600839
> > >
> > > Yes, saw that. My config matches (have also tried with just the specific
> > > Phase 2 settings of - MD5 and 3DES to cut down the negotiation
> > > options...).
> > Are you certain - I can't see where you're disabling NAT on the VPN
> > packets so they route correctly?
> > From that link:
> > Last step is to tell the PIX to not use NAT on the packets using this
> > VPN connection and route them instead.
> > [...]
> > access-list no-nat permit ip 10.0.0.1 255.255.255.0 10.0.1.0 255.255.255.0
> > access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
> From the racoon logs, which, as verbose as they can be, still don't tell
> you much, you didn't mention anything that sounds like it can't
> negotiate. Go to the Diagnostics -> IPsec screen on your m0n0wall and
> see if you have anything in your SAD. If you do, you have something
> messed up on the PIX (possibly the no-NAT, as mentioned above).
> Otherwise check out the debug isakmp commands on the PIX. When I've
> gotten m0n0wall to PIX tunnels up in the past (and wrote the document
> mentioned earlier), the PIX debug was slightly more helpful than the
> racoon logs.
Thanks, there's no entry in SAD - looks like the security association is not
set up correctly. I'll see if I can get the data centre to do some diagnosis
from their end as unfortunately that's not within my direct control.
Please note my new email address, richardgreen1965 at gmail dot com
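The no-NAT check raised in the thread is easy to get half right: both directions of the ACL must exist, and the addresses must actually be the network addresses the mask implies. The following is an added example, not code from the thread or from the m0n0wall document; it parses PIX-style `access-list ... permit ip <net> <mask> <net> <mask>` lines (the two lines quoted above are used as a constructed sample) and reports whether the local-to-remote and remote-to-local entries are present and whether any address is misaligned with its mask. The function names `parse_acl` and `check_no_nat` are my own.

```python
import ipaddress
import re

# Constructed sample: the two no-nat lines quoted from the m0n0wall example
# document. Note the first entry uses 10.0.0.1 with a /24 mask, which is a
# host address rather than the network address 10.0.0.0.
SAMPLE_ACL = """
access-list no-nat permit ip 10.0.0.1 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
"""

# Matches only the "permit ip <src> <smask> <dst> <dmask>" form discussed here.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)


def _network(addr, mask, warnings):
    """Turn an address/mask pair into a network, warning if the address has host bits set."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    if ipaddress.ip_address(addr) != net.network_address:
        warnings.append(
            f"{addr} is not the network address of {net} (mask {mask}); "
            f"the PIX applies the mask, but the config is misleading to read"
        )
    return net


def parse_acl(text):
    """Return (entries, warnings); each entry is a dict with name, src and dst networks."""
    entries, warnings = [], []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if not m:
            warnings.append(f"unparsed line: {line}")
            continue
        src = _network(m["src"], m["smask"], warnings)
        dst = _network(m["dst"], m["dmask"], warnings)
        entries.append({"name": m["name"], "src": src, "dst": dst})
    return entries, warnings


def check_no_nat(acl_text, local_net, remote_net):
    """Check that the ACL exempts traffic in both directions between two subnets.

    Returns a dict with booleans for the outbound (local->remote) and inbound
    (remote->local) entries plus the list of warnings gathered while parsing.
    """
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    entries, warnings = parse_acl(acl_text)
    pairs = {(e["src"], e["dst"]) for e in entries}
    return {
        "outbound": (local, remote) in pairs,
        "inbound": (remote, local) in pairs,
        "warnings": warnings,
    }


if __name__ == "__main__":
    result = check_no_nat(SAMPLE_ACL, "10.0.0.0/24", "10.0.1.0/24")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample, both directions are present but a warning is emitted for the `10.0.0.1` entry; feed it a config with only one direction and `inbound` comes back false, which is the kind of asymmetry that leaves packets NATed on the way back and the SAD empty.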