[ previous ] [ next ] [ threads ]
 
 From:  "Don Gray" <don at netcaliber dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Pix-Mono VPN SA Issue
 Date:  Mon, 1 Aug 2005 10:41:07 -0700
I've recently setup a m0n0-to-PIX VPN following the instructions in the docs
(http://m0n0.ch/wall/docbook/examplevpn.html#id2600839) but have run across
a weird issue.  I can establish the connection if I ping from the m0n0
subnet to the PIX subnet but NOT vice-versa.  The PIX is on a T-1 and the
m0n0 box is connected to a satellite router.  When pinging from the m0n0
side the SA is established and shows up on both the PIX and m0n0 box.  Once
the connection is up I can ping back from the PIX subnet.  I just can't
establish the connection from the PIX side if the VPN is down.  I've
searched the archive and Cisco docs but haven't found the answer...can some
help?  I've included the pertinent configs and log messages below.  Thanks!

Don Gray


My PIX config:
--------------
sysopt connection permit-ipsec

crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 86400
crypto map monovpnmap 10 ipsec-isakmp
crypto map monovpnmap 10 match address monovpn
crypto map monovpnmap 10 set peer 69.71.149.219
crypto map monovpnmap 10 set transform-set monovpnset
crypto map monovpnmap 10 set security-association lifetime seconds 28800
kilobytes 4608000
crypto map monovpnmap interface outside

isakmp enable outside
isakmp key ******** address 69.XXX.YYY.ZZZ netmask 255.255.255.255 no-xauth
no-config-mode 
isakmp identity address
isakmp log 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

access-list monovpn permit ip 192.168.71.0 255.255.255.0 192.168.1.0
255.255.255.0 
access-list monovpn permit ip any 192.168.71.240 255.255.255.248 
access-list monovpn permit ip 192.168.1.0 255.255.255.0 192.168.71.0
255.255.255.0 

nat (inside) 0 access-list monovpn


M0n0wall Config:
-----------------

Interface: WAN
Local Subnet: LAN Subnet
Remote Subnet:  192.168.71.0/24
Remote Gateway: 66.XXX.YYY.ZZZ

Phase 1
Negotiation Mode: Aggressive
My Identifier: IP Address 69.XXX.YYY.ZZZ  (I've tried 'MY IP ADDRESS' here
also)
Encrypt:  3DES
Hash:  MD5
DH Key: 2 (1024bit)
Lifetime:  86400
Pre-Shared Key:  <mykey>

Phase 2
Proto:  ESP
Encrypt:  3DES Only
Hash:  MD5 Only
PFS Key Group:  Off  (I've tried '2' here also)
Lifetime:  86400


When trying to establish connection from the PIX side, m0n0 error log
reports:
----------------------------------------------------------------------------
---

racoon: ERROR: isakmp.c:870:isakmp_ph1begin_r(): not acceptable Identity
Protection mode

And PIX Debug shows:
----------------------

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...IPSEC(key_engine): request timer
fired: count = 1,
  (identity) local= 66.39.166.21, remote= 69.71.149.219, 
    local_proxy= 192.168.71.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 66.39.166.21, dst 69.71.149.219
ISADB: reaper checking SA 0xb10874, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 69.71.149.219/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 66.39.166.21, remote= 69.71.149.219, 
    local_proxy= 192.168.71.0/255.255.255.0/0/0 (type=4), 
    remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)