 From:  "Don Gray" <don at netcaliber dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Pix-Mono VPN SA Issue
 Date:  Wed, 3 Aug 2005 05:09:58 -0700
Nobody has an answer for this?

-----Original Message-----
From: Don Gray [mailto:don at netcaliber dot com] 
Sent: Monday, August 01, 2005 10:41 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Pix-Mono VPN SA Issue

I've recently set up a m0n0-to-PIX VPN following the instructions in the docs
(http://m0n0.ch/wall/docbook/examplevpn.html#id2600839) but have run across
a weird issue.  I can establish the connection if I ping from the m0n0
subnet to the PIX subnet but NOT vice-versa.  The PIX is on a T-1 and the
m0n0 box is connected to a satellite router.  When pinging from the m0n0
side the SA is established and shows up on both the PIX and m0n0 box.  Once
the connection is up I can ping back from the PIX subnet.  I just can't
establish the connection from the PIX side if the VPN is down.  I've
searched the archive and Cisco docs but haven't found the answer...can someone
help?  I've included the pertinent configs and log messages below.  Thanks!

Don Gray

My PIX config:
sysopt connection permit-ipsec

crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map monovpnmap 10 ipsec-isakmp
crypto map monovpnmap 10 match address monovpn
crypto map monovpnmap 10 set peer
crypto map monovpnmap 10 set transform-set monovpnset
crypto map monovpnmap 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map monovpnmap interface

isakmp enable outside
isakmp key ******** address 69.XXX.YYY.ZZZ netmask no-xauth no-config-mode
isakmp identity address
isakmp log 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

access-list monovpn permit ip
access-list monovpn permit ip any
access-list monovpn permit ip

nat (inside) 0 access-list monovpn

M0n0wall Config:

Interface: WAN
Local Subnet: LAN Subnet
Remote Subnet:
Remote Gateway: 66.XXX.YYY.ZZZ

Phase 1
Negotiation Mode: Aggressive
My Identifier: IP Address 69.XXX.YYY.ZZZ  (I've tried 'MY IP ADDRESS' here)
Encrypt:  3DES
Hash:  MD5
DH Key: 2 (1024bit)
Lifetime:  86400
Pre-Shared Key:  <mykey>

Phase 2
Proto:  ESP
Encrypt:  3DES Only
Hash:  MD5 Only
PFS Key Group:  Off  (I've tried '2' here also)
Lifetime:  86400

When trying to establish the connection from the PIX side, the m0n0 error log shows:

racoon: ERROR: isakmp.c:870:isakmp_ph1begin_r(): not acceptable Identity Protection mode

And PIX Debug shows:

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local=, remote=,
    local_proxy= (type=4),
    remote_proxy= (type=4)

ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src, dst
ISADB: reaper checking SA 0xb10874, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local=, remote=, 
    local_proxy= (type=4), 
    remote_proxy= (type=4)
