 From:  "Don Gray" <don at netcaliber dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Cisco - M0n0wall ipsec VPN question
 Date:  Thu, 15 Sep 2005 18:42:28 -0700
Interesting...I have the same problem but in reverse.  I can open the tunnel
from the m0n0 side but not from the Cisco side (in my case a PIX).  Once the
tunnel is open, traffic passes back and forth fine.

Don Gray

-----Original Message-----
From: Stovall, Adrian M. [mailto:Adrian dot Stovall at durez dot com] 
Sent: Wednesday, September 14, 2005 12:24 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Cisco - M0n0wall ipsec VPN question

Hi all.

I have a peculiar problem between a Cisco router and a m0n0wall box running
the latest beta.

Here are the symptoms and some details (more detailed ones are hopefully
coming soon):


Pings sent from the Cisco side of the tunnel will bring the tunnel up with
no problem.

Pings sent from the m0n0 side will not bring the tunnel up.

Normal TCP connections initiated from the Cisco side of the tunnel are
successful (tested with browsers and remote administrator).

Normal TCP connections initiated from the m0n0 side of the tunnel are
unsuccessful (telnets to any given port result in timeouts).

Pings in both directions to devices on the internal networks on the opposing
side of the tunnel work fine up to 992 bytes.

MTU on the Ethernet interface of the Cisco is set to 1380.

MTU on the internal (and external) interface of the m0n0 box is set to 1500.

Both routers are connected to the internet via T-1s (m0n0wall is in Detroit
on a connection from BrightHouse, Cisco is in Dallas on a connection from
Qwest).

At this point, I've seen in the m0n0wall logs that all traffic destined for
the other side of the tunnel is allowed, and that there are no incoming
packets getting denied on the Cisco, so I'm shying away from
packet-filtering trouble.

Does anyone have any ideas on what I should be looking at next?  The idea of
a one-way tunnel is interesting, but not especially handy.



Adrian Stovall



