 
 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  "Stovall, Adrian M." <Adrian dot Stovall at durez dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Cisco - M0n0wall ipsec VPN question
 Date:  Thu, 15 Sep 2005 20:40:17 -0400
Adrian,

I can offer you screen shots of my m0n0 IPSEC config that is connected 
to a Cisco router with a current IOS.  I'll email them to you separately 
because they won't post here.

Chris


Stovall, Adrian M. wrote:

>tunnel creation, auth, etc are indeed working, but only when initiated
>from the Cisco end.
>
>I'd be happy to look at anything at all in the setup, and provide
>whatever details anyone thinks would be helpful...just looking for
>advice on what to check.
>
>Synopsis again:  tunnel gets created when done from cisco end.  No-start
>from m0n0 end.  icmp packets 992 bytes or smaller are passed in either
>direction with tunnel up (larger packets don't make it).  hosts on m0n0
>end cannot connect to hosts on cisco end with tunnel up.  hosts on cisco
>end *can* connect to hosts on m0n0 end with tunnel up.  eth MTU on m0n0
>is 1500, eth MTU on cisco is 1380.
>
>Any comments are appreciated, and I do mean *any* (well, any comments
>related to this issue).
>
>
>Adrian Stovall
>
>#-----Original Message-----
>#From: Daniele Guazzoni [mailto:daniele dot guazzoni at gcomm dot ch] 
>#Sent: Wednesday, September 14, 2005 6:30 PM
>#To: 'm0n0wall at lists dot m0n0 dot ch'
>#Subject: Re: [m0n0wall] Cisco - M0n0wall ipsec VPN question
>#
>#Yep, but X-Auth can be disabled.
>#
>#But the problem here sounds like remote network mismatch.
>#
>#
>#Daniele
>#
>#Sikosis wrote:
>#> I thought Cisco uses X-Auth which is why it's not supported by m0n0 ?
>#> 
>#> 
>#> On 9/15/05, Stovall, Adrian M. <Adrian dot Stovall at durez dot com> wrote:
>#> 
>#>>I don't know (and I'll have to ask the admin at the site the m0n0wall
>#>>box is at...that end of the tunnel is a new part of our network that
>#>>we're trying to get connected).
>#>>
>#>>Where do I tell him to look to find out?
>#>>
>#>>
>#>>Adrian Stovall
>#>>
>#>>#-----Original Message-----
>#>>#From: Jonathan S. Romero [mailto:jromero at raydiance dash inc dot com]
>#>>#Sent: Wednesday, September 14, 2005 2:49 PM
>#>>#To: Stovall, Adrian M.
>#>>#Cc: m0n0wall at lists dot m0n0 dot ch
>#>>#Subject: Re: [m0n0wall] Cisco - M0n0wall ipsec VPN question
>#>>#
>#>>#Does m0n0wall use explicit congestion notification?  These
>#>>#symptoms sound like something I was experiencing last week on
>#>>#a linux system.
>#>>#
>#>>#-JonnyRo
>#>>#
>#>>#On Wed, 2005-09-14 at 14:23 -0500, Stovall, Adrian M. wrote:
>#>>#> Hi all.
>#>>#>
>#>>#> I have a peculiar problem between a Cisco router and a m0n0wall box
>#>>#> running the latest beta.
>#>>#>
>#>>#> Here are the symptoms and some details (more detailed ones are
>#>>#> hopefully coming soon):
>#>>#>
>#>>#> pings sent from the cisco side of the tunnel will bring the tunnel
>#>>#> up with no problem.
>#>>#>
>#>>#> pings sent from the m0n0 side will not bring the tunnel up.
>#>>#>
>#>>#> normal TCP connections initiated from the cisco side of the tunnel
>#>>#> are successful (tested with browsers and remote administrator).
>#>>#>
>#>>#> normal TCP connections initiated from the m0n0 side of the tunnel
>#>>#> are unsuccessful (telnets to any given port result in timeouts).
>#>>#>
>#>>#> pings in both directions to devices on the internal networks on the
>#>>#> opposing side of the tunnel work fine up to 992 bytes.
>#>>#>
>#>>#> MTU on the ethernet interface of the cisco is set to 1380.
>#>>#>
>#>>#> MTU on the internal (and external) interface of the m0n0 box is
>#>>#> set to 1500.
>#>>#>
>#>>#> Both routers are connected to the internet via T-1's (m0n0wall is
>#>>#> in Detroit on a connection from BrightHouse, cisco is in Dallas on
>#>>#> a connection from Qwest).
>#>>#>
>#>>#> At this point, I've seen in the m0n0wall logs that all traffic
>#>>#> destined for the other side of the tunnel is allowed, and that there
>#>>#> are no incoming packets getting denied on the cisco, so I'm shying
>#>>#> away from packet-filtering trouble.
>#>>#>
>#>>#> Does anyone have any ideas on what I should be looking at next?  The
>#>>#> idea of a one-way tunnel is interesting, but not especially handy.
>#>>#>
>#>>#>
>#>>#> Adrian Stovall
>#>>#>
>#>>#>
>#>>#> ---------------------------------------------------------------------
>#>>#> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>#>>#> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>#>>#>
>#>>#--
>#>>#Jonathan S. Romero <jromero at raydiance dash inc dot com> Raydiance Inc.
>#>>#
>#>>#
>#>>
>#>>
>#>>
>#> 
>#> 
>#> 
>#
>#-- 
>#
>#
>#
>#	best regards
>#
>#------------------------------------------------------------------
>#Daniele Guazzoni
>#Senior Network Engineer, CCNA, CCNP
>#
>#Ackersteinstrasse 203
>#CH-8049 Zurich
>#------------------------------------------------------------------
>#"Destiny is not a matter of chance, it is a matter of choice; 
>#it is not a thing to be waited for, it is a thing to be achieved."
>#					William Jennings Bryan
>#
>#
>#
>#
>
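An added example, not part of this thread and not m0n0wall or Cisco code: a Don't-Fragment ping sweep that finds the largest ICMP payload that crosses the tunnel (the "992 bytes" figure in the thread) and turns it into an on-the-wire packet size to hold against the interface MTUs quoted above. It assumes a Linux iputils `ping` (`-M do` sets DF, `-s` sets the payload size, `-W` the reply timeout), a 20-byte IPv4 header without options, and function names that are this example's own; the search takes the probe as a parameter so the logic can be exercised with a fake probe as well as against a live host.

```python
"""Added example (not from the thread): find the largest ICMP echo payload
that crosses a path with the DF bit set, then express it as a packet size.
Assumes Linux iputils ping: -M do = Don't Fragment, -s = payload bytes."""
import subprocess
from typing import Callable, Optional

IPV4_HEADER = 20   # assumed: IPv4 header without options
ICMP_HEADER = 8    # ICMP echo request header
ETH_MAX_PAYLOAD = 1500 - IPV4_HEADER - ICMP_HEADER  # 1472: largest payload on a 1500-byte MTU


def ping_probe(target: str, payload: int, timeout_s: int = 2) -> bool:
    """One DF-set echo request with `payload` data bytes; True if a reply arrived.
    False covers both a black-holed packet and a 'Frag needed' error: either
    way that size does not get through unfragmented."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), target]
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL,
                                timeout=timeout_s + 3, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


def largest_passing_payload(probe: Callable[[int], bool],
                            lo: int = 0, hi: int = ETH_MAX_PAYLOAD) -> int:
    """Binary search for the largest payload in [lo, hi] that `probe` accepts.
    Assumes monotonic behaviour (if n passes, every smaller size passes),
    which is what a fixed path MTU gives. Returns -1 if even `lo` fails."""
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def payload_to_packet_size(payload: int) -> int:
    """ICMP payload bytes -> IPv4 packet size as the host sends it (before any ESP)."""
    return payload + ICMP_HEADER + IPV4_HEADER


def mtu_headroom(payload: int, interface_mtu: int) -> int:
    """Bytes of interface MTU left once the largest passing packet is accounted
    for. A large positive value says the ceiling is somewhere in the tunnel
    path (encapsulation overhead or a smaller hop), not this interface."""
    return interface_mtu - payload_to_packet_size(payload)


def probe_path(target: str) -> Optional[dict]:
    """Run the sweep against a live host; None if nothing gets through at all."""
    best = largest_passing_payload(lambda n: ping_probe(target, n))
    if best < 0:
        return None
    return {"payload": best, "packet": payload_to_packet_size(best)}


if __name__ == "__main__":
    import sys
    # Placeholder target from the TEST-NET-1 range; pass a real far-side host.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(probe_path(host))
```

Run it from a host on one side of the tunnel against a host on the other with the tunnel up. A ceiling of 992 payload bytes is a 1020-byte packet, 360 bytes under the 1380 Cisco interface MTU and 480 under m0n0wall's 1500, so a result like that points at the tunnel path itself (what ESP adds, and the MTU of every hop between the two endpoints) rather than at the Ethernet MTUs the thread quotes. Re-running the sweep after each change is the quickest way to see whether the ceiling moved.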