 
 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  Jonathan Lydall <jonathan dot lydall at za dot ods dot co dot za>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] M0n0wall / Cisco Router IPSEC tunnel doesn't seem to come back up automaticly after network problems
 Date:  Tue, 21 Feb 2006 07:33:28 -0500
I concur with the rest.  Have a Cisco--M0n0wall IPSEC tunnel here, and 
the lifetimes were the key to making it work reliably.  If they don't 
match, funny things happen like what you are experiencing.

Chris


Jonathan Lydall wrote:

>Hi,
>
>After some trial and error, I managed to create an IPSec tunnel between a
>m0n0wall box and a Cisco Router, and traffic was flowing perfectly between
>the two networks. I went home, and left a technician on the remote side to
>set up his Windows Server in London to talk to our Windows Server here in
>Johannesburg, South Africa. He called me about an hour later informing me
>they had a power outage and the tunnel wasn't coming back up. I assumed I
>had forgotten to write the Cisco router's config, but it turns out I had
>actually written it; what I needed to do was restart the IPSec tunnel on
>my m0n0wall box.
>
>After Googling and searching through m0n0wall's archives I found that dasz,
>Mark and Sean seem to have the same/similar issue
>(http://m0n0.ch/wall/list/showmsg.php?id=231/34), but didn't seem to end up
>finding a solution.
>
>Seeing as I battled to find exact documentation for a m0n0wall IPSec
>connection specifically to a Cisco Router, I figured I may as well post it
>here for the next person trying the same thing, or something similar:
>
>Router is a Cisco 837 from looks of things:
>-------------------------------------------------------------------
>Cisco C837 (MPC857DSL) processor (revision 0x501) with 44237K/4915K bytes of
>memory.
>Processor board ID FOC08493FWZ (1775087769), with hardware revision 0000
>CPU rev number 7
>1 Ethernet interface
>4 FastEthernet interfaces
>1 ATM interface
>128K bytes of NVRAM.
>12288K bytes of processor board System flash (Read/Write)
>2048K bytes of processor board Web flash (Read/Write)
>-------------------------------------------------------------------
>
>Johannesburg LAN (m0n0wall on leased line) uses 192.168.7.0/24
>London LAN (Cisco ADSL Router) uses 10.0.0.0/24
>
>Here is the relevant config in regards to the IPSEC tunnel for the Cisco
>Router. It doesn't seem to matter what kind of uplink you have, just that there
>is a "crypto map" command on the "public" interface of the device, in my
>case Dialer1. I have omitted anything that is not really related to the
>tunnel:
>
>-------------------------------------------------------------------
>crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
>crypto isakmp key <shared-secret> address <m0n0wall-public-ipaddress> no-xauth
>
>crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
>
>crypto map mymap 1 ipsec-isakmp
> set peer <m0n0wall-public-ipaddress>
> set transform-set trans1
> match address 102
>
>interface Dialer1
> crypto map mymap
>
>access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.7.0 0.0.0.255
>-------------------------------------------------------------------
>
>We have a leased line in Johannesburg with a routed IP configured on the WAN
>of the m0n0wall box. This box has been doing 100% trouble-free NAT at this
>site for over a year; it has a CD-ROM with m0n0wall on it and a floppy disk for
>the config. I burnt the latest m0n0wall to CD, popped it in, restarted, and
>the box just worked with the newer version :). I then selected IPSec under
>VPN, hit the "+" button, and used the following options:
>
>Interface: WAN
>Local subnet: Type: LAN Subnet
>Remote subnet: 10.0.0.0/24
>Remote Gateway: <london-cisco-router-public-ip>
>Description: London Office
>
>Phase 1:
>
>Negotiation Mode: aggressive
>My identifier: My IP address
>Encryption algorithm: 3DES
>Hash algorithm: MD5
>DH key group: 2
>Lifetime: 14400
>Authentication method: pre-shared key
>
>
>Phase 2:
>
>Protocol: ESP
>Encryption algorithms: only 3DES selected
>Hash algorithms: only MD5 selected
>PFS key group: off
>Lifetime: 14400
>
>
>While I have done routing and NAT on Ciscos for several years, I'm no Cisco
>certified engineer or anything, and had never done IPSec before, so it took me a
>while to work out the Cisco router config, but I seemed to get it working in
>the end. The problem is that if I restart the Cisco, the tunnel won't come
>back up until I either restart the m0n0wall box completely or click the
>"Save" button in the VPN->IPSec page.
>
>Ideally I need the system to bring itself back up after any interruptions,
>so any solution to this problem would be greatly appreciated.
>
>Many Thanks,
>
>Jonathan Lydall
>
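Chris's point in the reply above is that the two peers' SA lifetimes have to agree. The posted Cisco config sets no lifetime at all, so IOS falls back to its defaults (86400 seconds for the ISAKMP policy, 3600 seconds for the IPsec SA), while the m0n0wall side was entered with 14400 seconds for both phases. The following checker is an added example, not code from the thread or from either project: it parses the Cisco snippet as posted (with the wrapped `crypto isakmp key ... no-xauth` line rejoined), fills in the IOS defaults for anything omitted, and compares the result against the m0n0wall Phase 1 / Phase 2 settings from the post. It goes slightly beyond the post by also recognising `set pfs` and `set security-association lifetime` inside a crypto map and a global `crypto ipsec security-association lifetime seconds` line, so the same check works for a config that has been corrected. The sample configs and the `M0N0WALL` dictionary are constructed from the post; the second config (with lifetimes added) is a constructed "fixed" variant.

```python
"""Cross-check a Cisco IOS crypto-map configuration against m0n0wall IPsec settings."""

# IOS defaults applied when the config omits a lifetime (seconds).
IOS_ISAKMP_LIFETIME_DEFAULT = 86400
IOS_IPSEC_SA_LIFETIME_DEFAULT = 3600

# Constructed sample: the Cisco config from the post, key line unwrapped.
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <shared-secret> address <m0n0wall-public-ipaddress> no-xauth

crypto ipsec transform-set trans1 esp-3des esp-md5-hmac

crypto map mymap 1 ipsec-isakmp
 set peer <m0n0wall-public-ipaddress>
 set transform-set trans1
 match address 102

interface Dialer1
 crypto map mymap

access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.7.0 0.0.0.255
"""

# Constructed variant: same config with both lifetimes pinned to the m0n0wall value.
CISCO_CONFIG_ALIGNED = CISCO_CONFIG.replace(
    " group 2\n", " group 2\n lifetime 14400\n", 1
) + "crypto ipsec security-association lifetime seconds 14400\n"

# m0n0wall Phase 1 / Phase 2 settings as entered in the GUI in the post.
M0N0WALL = {
    "p1": {"encr": "3des", "hash": "md5", "dh_group": 2, "lifetime": 14400, "auth": "pre-share"},
    "p2": {"encr": "3des", "hash": "md5", "pfs_group": None, "lifetime": 14400},
}


def parse_cisco(config: str) -> dict:
    """Extract Phase 1 (isakmp policy) and Phase 2 (transform-set / SA) settings.

    Values not present in the config start at the IOS defaults.
    """
    p1 = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "dh_group": 1,
          "lifetime": IOS_ISAKMP_LIFETIME_DEFAULT}
    p2 = {"encr": None, "hash": None, "pfs_group": None,
          "lifetime": IOS_IPSEC_SA_LIFETIME_DEFAULT}
    section = None  # which indented block we are inside: "isakmp", "map" or None
    for line in config.splitlines():
        line = line.rstrip()
        if not line:
            continue
        parts = line.split()
        if not line.startswith(" "):
            section = None
            if line.startswith("crypto isakmp policy"):
                section = "isakmp"
            elif line.startswith("crypto ipsec transform-set"):
                # e.g. "crypto ipsec transform-set trans1 esp-3des esp-md5-hmac"
                for tok in parts[3:]:
                    if tok.startswith("esp-") and tok.endswith("-hmac"):
                        p2["hash"] = tok[len("esp-"):-len("-hmac")]
                    elif tok.startswith("esp-"):
                        p2["encr"] = tok[len("esp-"):]
            elif line.startswith("crypto ipsec security-association lifetime seconds"):
                p2["lifetime"] = int(parts[-1])
            elif line.startswith("crypto map") and "ipsec-isakmp" in parts:
                section = "map"
            continue
        if section == "isakmp":
            if parts[0] in ("encr", "encryption"):
                p1["encr"] = parts[1]
            elif parts[0] == "hash":
                p1["hash"] = parts[1]
            elif parts[0] == "authentication":
                p1["auth"] = parts[1]
            elif parts[0] == "group":
                p1["dh_group"] = int(parts[1])
            elif parts[0] == "lifetime":
                p1["lifetime"] = int(parts[1])
        elif section == "map":
            if parts[:2] == ["set", "pfs"]:
                p2["pfs_group"] = int(parts[2].replace("group", ""))
            elif parts[:4] == ["set", "security-association", "lifetime", "seconds"]:
                p2["lifetime"] = int(parts[4])
    return {"p1": p1, "p2": p2}


def compare(cisco: dict, m0n0: dict) -> list:
    """Return (phase, parameter, cisco_value, m0n0wall_value) for every mismatch."""
    mismatches = []
    for phase in ("p1", "p2"):
        for key, m_val in m0n0[phase].items():
            c_val = cisco[phase].get(key)
            if c_val != m_val:
                mismatches.append((phase, key, c_val, m_val))
    return mismatches


if __name__ == "__main__":
    for label, cfg in (("as posted", CISCO_CONFIG), ("lifetimes aligned", CISCO_CONFIG_ALIGNED)):
        report = compare(parse_cisco(cfg), M0N0WALL)
        print(f"{label}: {'OK' if not report else 'MISMATCH'}")
        for phase, key, c_val, m_val in report:
            print(f"  {phase} {key}: Cisco={c_val} m0n0wall={m_val}")
```

Run against the config as posted, the checker reports only the two lifetimes (Phase 1 86400 vs 14400, Phase 2 3600 vs 14400), which is exactly the disagreement Chris's reply points at; with `lifetime 14400` in the ISAKMP policy and a global `crypto ipsec security-association lifetime seconds 14400` it reports nothing.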