Sorry, please do not misinterpret my "thanks anyways" statement. I posted this email just to let anyone who may run across my previous post know that I got it working, that's all. I am more than happy to share. The really sad part is it was stupidly simple...I used the ASDM pix wizard, so I can't take any genius credit ;-)

Here is my pix config (192.168.1.0 255.255.255.0 represents the "protected" LAN within the PIX. 10.5.1.0 255.255.255.0 is, of course, the local net on the m0n0wall. xxx.xxx.xxx.xxx is substituted for the remote peer (the m0n0wall) ip address.):

access-list outside_cryptomap_120 extended permit ip 192.168.1.0 255.255.255.0 10.5.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.5.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 120 match address outside_cryptomap_120
crypto map outside_map 120 set peer xxx.xxx.xxx.xxx
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
!
My m0n0wall config is:

Phase 1
Negotiation mode: main
My identifier: My IP Address
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 2
Lifetime: 86400

Phase 2
Protocol: ESP
Encryption algorithms: 3DES
Hash algorithms: SHA1
PFS key group: off

My System:
Version 1.11 built on Thu Nov 11 23:02:41 CET 2004
Platform generic-pc

enjoy

P.S. Great work Chris! I'll be showing proper appreciation one of these days (well, proper for my budget ;-)

On 9/19/05, Joe Lagreca <lagreca at gmail dot com> wrote:
>
> Brett,
>
> It would be helpful to others to have your config file posted to the
> list. That way if someone else runs into this problem, they won't
> have to solve it all over again.
>
> Joe
>
> On 9/19/05, Brett <bretticus at gmail dot com> wrote:
> > >
> > > Hi,
> > >
> > > Just wondering if anyone out there has successfully brought up a VPN
> > > tunnel between a PIX with OS version 7.0. If so, could you post your
> > > config or offer any tips. I am willing to post my configurations, I
> > > was just wondering if it's been done before (cannot find any examples,
> > > etc. in google.)
> > >
> > > Thanks!
> > >
> >
> > Got it working. thanks anyway.
> >
> > Brett
> >
>
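
Added example, not part of the original thread or of either poster's configuration: a short Python check that parses the PIX lines posted above and compares them with the m0n0wall settings, since the two ends must agree on encryption, hash and DH group (lifetime and PFS are compared as well). The dict key names and the keyword-to-label table are this example's own assumptions.

```python
import re

# Constructed sample: the crypto lines from the post, peer kept as the post's placeholder.
PIX_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 120 match address outside_cryptomap_120
crypto map outside_map 120 set peer xxx.xxx.xxx.xxx
crypto map outside_map 120 set transform-set ESP-3DES-SHA
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# m0n0wall GUI values from the post (key names are hypothetical, chosen for this example).
M0N0WALL = {"p1_enc": "3DES", "p1_hash": "SHA1", "p1_dh": "2", "p1_lifetime": "86400",
            "p2_enc": "3DES", "p2_hash": "SHA1", "p2_pfs": "off"}

# PIX keyword -> m0n0wall GUI label, covering only the algorithms used in the post.
NAMES = {"3des": "3DES", "sha": "SHA1", "esp-3des": "3DES", "esp-sha-hmac": "SHA1"}

P1_KEYS = {"encryption": "p1_enc", "hash": "p1_hash", "group": "p1_dh", "lifetime": "p1_lifetime"}

def parse_pix(text):
    """Extract the Phase 1 / Phase 2 proposal parameters from PIX 7.0 config lines."""
    out = {"p2_pfs": "off"}  # no 'set pfs' line on the crypto map: PFS is not requested
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"isakmp policy \d+ (encryption|hash|group|lifetime) (\S+)", line):
            out[P1_KEYS[m[1]]] = NAMES.get(m[2], m[2])
        elif m := re.match(r"crypto ipsec transform-set \S+ (\S+) (\S+)", line):
            out["p2_enc"], out["p2_hash"] = NAMES.get(m[1], m[1]), NAMES.get(m[2], m[2])
        elif m := re.match(r"crypto map \S+ \d+ set pfs\s*(\S*)", line):
            out["p2_pfs"] = m[1] or "on"
    return out

def mismatches(pix, m0n0):
    """Return {setting: (pix_value, m0n0wall_value)} for every setting that differs."""
    return {k: (pix.get(k), v) for k, v in m0n0.items() if pix.get(k) != v}

if __name__ == "__main__":
    print(mismatches(parse_pix(PIX_CONFIG), M0N0WALL) or "proposals match")
```
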