 From:  "Stovall, Adrian M." <Adrian dot Stovall at durez dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Cisco - M0n0wall ipsec VPN question
 Date:  Thu, 15 Sep 2005 11:48:47 -0500
Tunnel creation, auth, etc. are indeed working, but only when initiated
from the Cisco end.

I'd be happy to look at anything at all in the setup, and provide
whatever details anyone thinks would be helpful...just looking for
advice on what to check.

Synopsis again: the tunnel gets created when brought up from the Cisco
end. No start from the m0n0 end. ICMP packets of 992 bytes or smaller
are passed in either direction with the tunnel up (larger packets don't
make it). Hosts on the m0n0 end cannot connect to hosts on the Cisco end
with the tunnel up. Hosts on the Cisco end *can* connect to hosts on the
m0n0 end with the tunnel up. Eth MTU on m0n0 is 1500, eth MTU on the
Cisco is 1380.

Any comments are appreciated, and I do mean *any* (well, any comments
related to this issue).


Adrian Stovall

#-----Original Message-----
#From: Daniele Guazzoni [mailto:daniele dot guazzoni at gcomm dot ch] 
#Sent: Wednesday, September 14, 2005 6:30 PM
#To: 'm0n0wall at lists dot m0n0 dot ch'
#Subject: Re: [m0n0wall] Cisco - M0n0wall ipsec VPN question
#
#Yep, but X-Auth can be disabled.
#
#But the problem here sounds like a remote network mismatch.
#
#
#Daniele
#
#Sikosis wrote:
#> I thought Cisco uses X-Auth, which is why it's not supported by m0n0?
#> 
#> 
#> On 9/15/05, Stovall, Adrian M. <Adrian dot Stovall at durez dot com> wrote:
#> 
#>>I don't know (and I'll have to ask the admin at the site the m0n0wall
#>>box is at...that end of the tunnel is a new part of our network that
#>>we're trying to get connected).
#>>
#>>Where do I tell him to look to find out?
#>>
#>>
#>>Adrian Stovall
#>>
#>>#-----Original Message-----
#>>#From: Jonathan S. Romero [mailto:jromero at raydiance dash inc dot com]
#>>#Sent: Wednesday, September 14, 2005 2:49 PM
#>>#To: Stovall, Adrian M.
#>>#Cc: m0n0wall at lists dot m0n0 dot ch
#>>#Subject: Re: [m0n0wall] Cisco - M0n0wall ipsec VPN question
#>>#
#>>#Does m0n0wall use explicit congestion notification?  These
#>>#symptoms sound like something I was experiencing last week on
#>>#a linux system.
#>>#
#>>#-JonnyRo
#>>#
#>>#On Wed, 2005-09-14 at 14:23 -0500, Stovall, Adrian M. wrote:
#>>#> Hi all.
#>>#>
#>>#> I have a peculiar problem between a Cisco router and a m0n0wall box
#>>#> running the latest beta.
#>>#>
#>>#> Here are the symptoms and some details (more detailed ones are
#>>#> hopefully coming soon):
#>>#>
#>>#>
#>>#> pings sent from the cisco side of the tunnel will bring the tunnel
#>>#> up with no problem.
#>>#>
#>>#> pings sent from the m0n0 side will not bring the tunnel up.
#>>#>
#>>#> normal TCP connections initiated from the cisco side of the tunnel
#>>#> are successful (tested with browsers and remote administrator).
#>>#>
#>>#> normal TCP connections initiated from the m0n0 side of the tunnel
#>>#> are unsuccessful (telnets to any given port result in timeouts).
#>>#>
#>>#> pings in both directions to devices on the internal networks on the
#>>#> opposing side of the tunnel work fine up to 992 bytes.
#>>#>
#>>#> MTU on the ethernet interface of the cisco is set to 1380.
#>>#>
#>>#> MTU on the internal (and external) interface of the m0n0 box is
#>>#> set to 1500.
#>>#>
#>>#> Both routers are connected to the internet via T-1's (m0n0wall is
#>>#> in Detroit on a connection from BrightHouse, cisco is in Dallas on
#>>#> a connection from Qwest).
#>>#>
#>>#> At this point, I've seen in the m0n0wall logs that all traffic
#>>#> destined for the other side of the tunnel is allowed, and that there
#>>#> are no incoming packets getting denied on the cisco, so I'm shying
#>>#> away from packet-filtering trouble.
#>>#>
#>>#> Does anyone have any ideas on what I should be looking at next?
#>>#> The idea of a one-way tunnel is interesting, but not especially
#>>#> handy.
#>>#>
#>>#>
#>>#>
#>>#> Adrian Stovall
#>>#>
#>>#>
#>>#>
#>>#>
#>>#>
#>>#> ---------------------------------------------------------------------
#>>#> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
#>>#> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
#>>#--
#>>#Jonathan S. Romero <jromero at raydiance dash inc dot com> Raydiance Inc.
#>>#
#>>#
#>>
#> 
#> 
#> 
#
#-- 
#
#
#
#	best regards
#
#------------------------------------------------------------------
#Daniele Guazzoni
#Senior Network Engineer, CCNA, CCNP
#
#Ackersteinstrasse 203
#CH-8049 Zurich
#------------------------------------------------------------------
#"Destiny is not a matter of chance, it is a matter of choice; 
#it is not a thing to be waited for, it is a thing to be achieved."
#					William Jennings Bryan
#
#
#
#
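The 992-byte ping ceiling described in this thread is the kind of number a practitioner pins down with a don't-fragment probe and then compares against the room an ESP tunnel leaves inside the peer's 1380-byte interface MTU. The script below is an added example for that check; it is not m0n0wall or Cisco code and was not posted in the thread. Everything it assumes is marked: the peer address comes from an environment variable, 1472 is just the largest payload a 1500-byte Ethernet MTU can carry, `ping -M do` and `-W` are Linux iputils options (BSD and macOS use `ping -D`), the ESP layout follows RFC 4303 tunnel mode without NAT-T, and the cipher parameters (AES-CBC 16-byte IV and block, 3DES 8-byte IV and block, HMAC-SHA1-96 12-byte ICV) are illustrative because the thread never says which transforms were negotiated.

```shell
#!/bin/sh
# Added example (not from the m0n0wall project or this thread):
# 1. binary-search the largest DF-bit ICMP payload that crosses the tunnel,
# 2. compute how large an inner packet an ESP tunnel can carry inside a
#    given peer MTU, so the two numbers can be compared.

# Real probe: one don't-fragment ping with $2 bytes of payload to host $1.
# Linux iputils options are assumed (-M do sets DF, -W is the timeout).
df_ping() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# pmtu_search PROBE HOST LOW HIGH
# PROBE is a command "PROBE HOST SIZE" that succeeds when SIZE payload bytes
# get through. LOW is assumed to pass; prints the largest passing size in
# [LOW, HIGH]. HIGH is checked first so a path with no ceiling returns HIGH.
pmtu_search() {
    probe=$1; host=$2; lo=$3; hi=$4
    if "$probe" "$host" "$hi"; then
        echo "$hi"
        return 0
    fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$lo"
}

# icmp_payload_to_mtu SIZE: IPv4 packet size a SIZE-byte ping payload
# produces (20-byte IPv4 header + 8-byte ICMP echo header).
icmp_payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# esp_packet_size INNER IV BLOCK ICV
# On-the-wire size of a tunnel-mode ESP packet (RFC 4303) carrying an
# INNER-byte IP packet: 20-byte outer IPv4 header, 8 bytes of SPI and
# sequence number, the cipher IV, the inner packet padded so that
# (inner + 2-byte trailer) is a multiple of the cipher BLOCK size, the
# 2-byte pad-length/next-header trailer, and the ICV. NAT-T UDP
# encapsulation would add 8 more bytes; it is not assumed here.
esp_packet_size() {
    inner=$1; iv=$2; block=$3; icv=$4
    pad=$(( (block - (inner + 2) % block) % block ))
    echo $(( 20 + 8 + iv + inner + pad + 2 + icv ))
}

# tunnel_max_inner MTU IV BLOCK ICV
# Largest inner IP packet whose ESP encapsulation still fits in MTU bytes.
tunnel_max_inner() {
    mtu=$1; iv=$2; block=$3; icv=$4
    inner=$mtu
    while [ "$(esp_packet_size "$inner" "$iv" "$block" "$icv")" -gt "$mtu" ]; do
        inner=$((inner - 1))
    done
    echo "$inner"
}

# Usage: PMTU_PEER=<inner address behind the far end> sh pmtu_check.sh
# Nothing runs when PMTU_PEER is unset, so the functions can be sourced.
if [ -n "${PMTU_PEER-}" ]; then
    best=$(pmtu_search df_ping "$PMTU_PEER" 0 1472)
    echo "largest DF payload to $PMTU_PEER: $best bytes (IP packet $(icmp_payload_to_mtu "$best") bytes)"
    echo "inner packet limit behind a 1380-byte MTU, AES-CBC/HMAC-SHA1-96: $(tunnel_max_inner 1380 16 16 12) bytes"
    echo "inner packet limit behind a 1380-byte MTU, 3DES-CBC/HMAC-SHA1-96: $(tunnel_max_inner 1380 8 8 12) bytes"
fi
```

Run it from a host behind one end against a host behind the other, once with the DF bit (as above) and once without `-M do` in `df_ping`, and keep the ICMP-too-big log entries from both gateways alongside the results. If the probed ceiling sits far below what `tunnel_max_inner` computes for the negotiated transforms, the limit is being imposed somewhere other than the peer's ESP overhead, which is exactly what the comparison is meant to expose; if a small DF probe passes but an equally small TCP transfer stalls, the problem is not packet size at all.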