 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  Jonathan Lydall <jonathan dot lydall at za dot ods dot co dot za>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] M0n0wall / Cisco Router IPSEC tunnel doesn't seem to come back up automatically after network problems
 Date:  Tue, 21 Feb 2006 07:33:28 -0500
I concur with the rest.  Have a Cisco--M0n0wall IPSEC tunnel here, and 
the lifetimes were the key to making it work reliably.  If they don't 
match, funny things happen like what you are experiencing.


Jonathan Lydall wrote:

>After some trial and error, I managed to create an IPSec tunnel between a
>m0n0wall box and a Cisco Router and traffic was flowing perfectly between
>the two networks. I went home, and left a technician on the remote side to
>set up his Windows Server in London to talk to our Windows Server here in
>Johannesburg, South Africa. He called me about an hour later informing me
>they had a power outage and the tunnel wasn't coming back up, I assumed I
>had forgotten to write the Cisco router's config, but turns out I had
>actually written it, but what I needed to do was restart the IPSec tunnel on
>my m0n0wall box.
>After Googling and searching through m0n0wall's archives I found that dasz,
>Mark and Sean seem to have the same/similar issue
>(http://m0n0.ch/wall/list/showmsg.php?id=231/34), but didn't seem to end up
>finding a solution.
>Seeing as I battled to find exact documentation for a m0n0wall IPSec
>connection specifically to a Cisco Router, figured I may as well to post it
>here for the next person trying the same thing, or something similar:
>Router is a Cisco 837 from looks of things:
>Cisco C837 (MPC857DSL) processor (revision 0x501) with 44237K/4915K bytes of
>Processor board ID FOC08493FWZ (1775087769), with hardware revision 0000
>CPU rev number 7
>1 Ethernet interface
>4 FastEthernet interfaces
>1 ATM interface
>128K bytes of NVRAM.
>12288K bytes of processor board System flash (Read/Write)
>2048K bytes of processor board Web flash (Read/Write)
>Johannesburg LAN (m0n0wall on leased line) uses
>London LAN (Cisco ADSL Router) uses
>Here is the relevant config in regards to the IPSEC tunnel for the Cisco
>Router, doesn't seem to matter what kind of uplink you have, just that there
>is a "crypto map" command on the "public" interface of the device, in my
>case dialer1, I have omitted anything that is not really related to the
>crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
>crypto isakmp key <shared-secret> address <m0n0wall-public-ipaddress>
>crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
>crypto map mymap 1 ipsec-isakmp
> set peer <m0n0wall-public-ipaddress>
> set transform-set trans1
> match address 102
>interface Dialer1
> crypto map mymap
>access-list 102 permit ip
>We have a leased line in Johannesburg with a routed IP configured on the WAN
>of the m0n0wall box. This box has been doing 100% trouble-free NAT at this
>site for over a year, it has a cd-rom with m0n0wall on and a floppy disk for
>the config. I burnt the latest m0n0wall to CD, popped it in, restarted and
>the box just worked with the newer version :), I then selected IPSec under
>VPN, hit the "+" button, and used the following options:
>Interface: WAN
>Local subnet: Type: LAN Subnet
>Remote subnet:
>Remote Gateway: <london-cisco-router-public-ip>
>Description: London Office
>Phase 1:
>Negotiation Mode: aggressive
>My identifier: My IP address:
>Encryption algorithm: 3DES
>Hash algorithm: MD5
>DH key group: 2
>Lifetime: 14400
>Authentication method: pre-shared key
>Phase 2:
>Protocol: ESP
>Encryption algorithms: only 3DES selected
>Hash algorithms: only MD5 selected
>PFS key group: off
>Lifetime: 14400
>While I have done routing and NAT on Cisco's for several years, I'm no Cisco
>certified engineer or anything, and never done IPSec before, so took me a
>while to work out the Cisco router config, but I seemed to get it working in
>the end. Problem is that if I do a restart of the Cisco, tunnel won't come
>back up until I either restart the m0n0wall box completely or click the
>"Save" button in the VPN->IPSec page.
>Ideally I need the system to bring itself back up after any interruptions,
>so any solution to this problem would be greatly appreciated.
>Many Thanks,
>Jonathan Lydall
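Since the reply attributes the flaky tunnel to lifetimes that do not match, here is an added Python check (not from the thread, m0n0wall or Cisco) that parses the Cisco crypto lines and the m0n0wall phase 1/2 settings quoted above and reports every parameter that differs. It assumes that an IOS isakmp policy with no `lifetime` line uses the default of 86400 s and that the IPsec SA default is 3600 s; `crypto ipsec security-association lifetime seconds` is the IOS command it understands for setting the phase 2 lifetime.

```python
import re
# Cisco side exactly as quoted in the thread (note: no lifetime lines)
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
"""
# m0n0wall side exactly as quoted (lifetimes in seconds)
M0N0WALL = {
    "phase1": {"encr": "3des", "hash": "md5", "auth": "pre-share",
               "group": "2", "lifetime": 14400},
    "phase2": {"encr": "3des", "hash": "md5", "lifetime": 14400},
}
IOS_ISAKMP_LIFETIME = 86400    # assumed IOS default when no lifetime line, s
IOS_IPSEC_SA_LIFETIME = 3600   # assumed IOS security-association default, s

def parse_cisco(text):
    """Return {'phase1': {...}, 'phase2': {...}} from IOS crypto lines."""
    p1 = {"lifetime": IOS_ISAKMP_LIFETIME}
    p2 = {"lifetime": IOS_IPSEC_SA_LIFETIME}
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[0] in ("encr", "hash", "group"):     # isakmp policy lines
            p1[tok[0]] = tok[1]
        elif tok[0] == "authentication":
            p1["auth"] = tok[1]
        elif tok[0] == "lifetime":
            p1["lifetime"] = int(tok[1])
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in tok[4:]:                        # esp-3des esp-md5-hmac
                m = re.fullmatch(r"esp-(\w+)-hmac", t)
                if m:
                    p2["hash"] = m.group(1)
                elif t.startswith("esp-"):
                    p2["encr"] = t[4:]
        elif tok[:5] == ["crypto", "ipsec", "security-association", "lifetime", "seconds"]:
            p2["lifetime"] = int(tok[5])
    return {"phase1": p1, "phase2": p2}

def mismatches(cisco, m0n0):
    """List (phase, parameter, cisco_value, m0n0wall_value) that differ."""
    return [(ph, k, cisco[ph].get(k), v)
            for ph in ("phase1", "phase2")
            for k, v in m0n0[ph].items() if cisco[ph].get(k) != v]

if __name__ == "__main__":
    for row in mismatches(parse_cisco(CISCO_CONFIG), M0N0WALL):
        print("MISMATCH %s %s: cisco=%s m0n0wall=%s" % row)
```

With the configuration as posted, and under the default-lifetime assumption above, it reports only the two lifetimes (86400 and 3600 on the router against 14400 on m0n0wall); adding ` lifetime 14400` to the isakmp policy and a `crypto ipsec security-association lifetime seconds 14400` line makes the report empty.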