[ previous ] [ next ] [ threads ]
 
 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] M0n0wall / Cisco Router IPSEC tunnel doesn't seem to come back up automaticly after network problems
 Date:  Tue, 21 Feb 2006 00:14:59 -0000
Hello,

Maybe try setting the lifetimes on the Cisco to match the m0n0wall's or 
vice-versa.

Kris.

----- Original Message ----- 
From: "Jonathan Lydall" <jonathan dot lydall at za dot ods dot co dot za>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Monday, February 20, 2006 10:53 PM
Subject: [m0n0wall] M0n0wall / Cisco Router IPSEC tunnel doesn't seem to 
come back up automaticly after network problems


> Hi,
>
> After some trial and error, I managed to create an IPSec tunnel between a
> m0n0wall box and a Cisco Router and traffic was flowing perfectly between
> the two networks. I went home, and left a technician on the remote side to
> set up his Windows Server in London to talk to our Windows Server here in
> Johannesburg, South Africa. He called me about an hour later informing me
> they had a power outage and the tunnel wasn't coming back up, I assumed I
> had forgotten to write the Cisco router's config, but turns out I had
> actually written it, but what I needed to do was restart the IPSec tunnel 
> on
> my m0n0wall box.
>
> After Googling and searching through m0n0wall's archives I found that 
> dasz,
> Mark and Sean seem to have the same/similar issue
> (http://m0n0.ch/wall/list/showmsg.php?id=231/34), but didn't seem to end 
> up
> finding a solution.
>
> Seeing as I battled to find exact documentation for a m0n0wall IPSec
> connection specifically to a Cisco Router, figured I may as well to post 
> it
> here for the next person trying the same thing, or something similiar:
>
> Router is a Cisco 837 from looks of things:
> -------------------------------------------------------------------
> Cisco C837 (MPC857DSL) processor (revision 0x501) with 44237K/4915K bytes 
> of
> mem
> ory.
> Processor board ID FOC08493FWZ (1775087769), with hardware revision 0000
> CPU rev number 7
> 1 Ethernet interface
> 4 FastEthernet interfaces
> 1 ATM interface
> 128K bytes of NVRAM.
> 12288K bytes of processor board System flash (Read/Write)
> 2048K bytes of processor board Web flash (Read/Write)
> -------------------------------------------------------------------
>
> Johannesburg LAN (m0n0wall on leased line) uses 192.168.7.0/24
> London LAN (Cisco ADSL Router) uses 10.0.0.0/24
>
> Here is the relevant config in regards to the IPSEC tunnel for the Cisco
> Router, doesn't seem to matter what kind of uplink you have, just that 
> there
> is a "crypto map" command on the "public" interface of the device, in my
> case dialer1, I have omitted anything that is not really related to the
> tunnel:
>
> -------------------------------------------------------------------
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key <shared-secret> address <m0n0wall-public-ipaddress>
> no-xauth
>
> crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
>
> crypto map mymap 1 ipsec-isakmp
> set peer <m0n0wall-public-ipaddres>
> set transform-set trans1
> match address 102
>
> interface Dialer1
> crypto map mymap
>
> access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.7.0 0.0.0.255
> -------------------------------------------------------------------
>
> We have a leased line in Johannesburg with a routed IP configured on the 
> WAN
> of the m0n0wall box. This box has been doing 100% trouble-free NAT at this
> site for over a year, it has a cd-rom with m0n0wall on and a floppy disk 
> for
> the config. I burnt the latest m0n0wall to CD, popped it in, restarted and
> the box just worked with the newer version :), I then selected IPSec under
> VPN, hit the "+" button, and used the following options:
>
> Interface: WAN
> Local subnet: Type: LAN Subnet
> Remote subnet: 10.0.0.0/24
> Remote Gateway: <london-cisco-router-public-ip>
> Description: London Office
>
> Phase 1:
>
> Negotiation Mode: aggressive
> My identifier: My IP address:
> Encryption algorithm: 3DES
> Hash algorithm: MD5
> DH key group: 2
> Lifetime: 14400
> Authentication method: pre-shared key
>
>
> Phase 2:
>
> Protocol: ESP
> Encryption algorithms: only 3DES selected
> Hash algorithms: only MD5 selected
> PFS key group: off
> Lifetime: 14400
>
>
> While I have done routing and NAT on Cisco's for several years, I'm no 
> Cisco
> certified engineer or anything, and never done IPSec before, so took me a
> while to work out the Cisco router config, but I seemed to get it working 
> in
> the end. Problem is that if I do a restart of the Cisco, tunnel won't come
> back up until I either restart the m0n0wall box completely or click the
> "Save" button in the VPN->IPSec page.
>
> Ideally I need the system to bring itself back up after any interruptions,
> so any solution to this problem would be greatly appreciated.
>
> Many Thanks,
>
> Jonathan Lydall
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>