I had another coffee and did some more thinking, then tweaked the Cisco config and got it to work! *sigh*

If anyone's interested, here are the two different fixes I found, i.e. you only need to make one of these changes:

- cheesy: I had to change the Cisco's "IKE Proposal" from IKE-3DES-MD5-DH1 to IKE-3DES-MD5.
- better: change the m0n0wall's "Phase 1 -> DH key group" from 2 to 1.

So, the Cisco side would be: PSK, ESP/SHA/HMAC-160, encr 3DES, IKE proposal IKE-3DES-MD5-DH1.

Two additional points:

- I also noticed a warning in the m0n0wall's logs about mismatched authtypes. Changing the Cisco's "Authentication" from ESP/MD5/HMAC-128 to ESP/SHA/HMAC-160 fixed that warning.
- During my reading, I came across this m0n0wall mailing list message from Dec 2003 <http://m0n0.ch/wall/list-dev/showmsg.php?id=0/6>. I may try the suggested change later, because I'd like to switch from 3DES to AES-256.

Sorry for the noise. Hopefully these messages will someday help someone with the same problem :-)

-klode

On 8/30/06, Claude Morin <klodefactor at gmail dot com> wrote:
>
> This is my second time configuring an IPsec tunnel between a m0n0wall (v1.22) and a Cisco VPN 3005 concentrator. I'm having a problem where if I bring up the tunnel by pinging from the m0n0wall LAN to the Cisco LAN, it comes up fine. If I try to bring up the tunnel by pinging from the Cisco LAN to the m0n0wall LAN, it fails, until something is initiated from the m0n0wall side. Two additional notes:
>
> - Yes, my tunnel definition on the Cisco side is set to "Bi-directional" :-)
> - The tunnel also doesn't come up if I try to initiate it with a ping from the Cisco itself.
>
> Details of the failure (i.e. with tunnel down, ping from Cisco LAN to m0n0wall LAN):
>
> - the Cisco's logs just show repeated "New Phase 1" entries, as it tries to bring up the tunnel.
> - m0n0wall's Diagnostics->IPsec->SAD info shows no entries
> - Here are the m0n0wall log entries:
>
> Aug 31 00:25:46 racoon: INFO: respond new phase 1 negotiation: M0N0WALL-IP[500]<=>CISCOVPN-IP[500]
> Aug 31 00:25:46 racoon: INFO: begin Identity Protection mode.
> Aug 31 00:25:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> Aug 31 00:25:46 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
> Aug 31 00:25:46 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
> Aug 31 00:25:46 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
> Aug 31 00:25:46 racoon: ERROR: no suitable proposal found.
> Aug 31 00:25:46 racoon: ERROR: failed to get valid proposal.
> Aug 31 00:25:46 racoon: ERROR: failed to process packet.
>
> The sixth line (in bold) looks suspicious, but I don't know enough to figure out what it means :-(. Any ideas?
>
> - Possibly relevant: if I then ping from the m0n0wall LAN to the Cisco LAN, the tunnel comes up, but the SAD shows duplicate entries. I.e. instead of only one entry for each direction of the tunnel, there are two; each entry has a different SPI.
> - Note: if I bring up the tunnel from the m0n0wall side, then ping from the Cisco side, the m0n0wall SAD does not have duplicate entries.
>
> I thought I'd include just this description in case someone has experienced this and knows the answer. If not, I can provide detailed configuration info, logs, etc. to anyone who is interested.
>
> Thanks in advance for any help with this.
> -klode
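A small diagnostic for the racoon failure shown in this thread, added here as an example and not part of the original messages: it parses racoon's "rejected dh_group" line, maps the two MODP sizes to their IKE Diffie-Hellman group numbers (RFC 2409 / RFC 3526), and says which side's Phase 1 setting to change. The sample log lines are constructed from the output quoted above, with the wrapped line joined.

```python
import re

# IKE DH group ids (RFC 2409, RFC 3526) keyed by the MODP size racoon prints.
# Ids grow with key size, so a larger id here is always a stronger group.
MODP_GROUPS = {768: 1, 1024: 2, 1536: 5, 2048: 14, 3072: 15, 4096: 16}

# racoon prints DB(...) for the local policy and Peer(...) for the remote proposal,
# followed by "<local>-bit MODP group:<peer>-bit MODP group".
DH_REJECT = re.compile(
    r"rejected dh_group: DB\((?P<db>[^)]*)\):Peer\((?P<peer>[^)]*)\) = "
    r"(?P<local>\d+)-bit MODP group:(?P<remote>\d+)-bit MODP group"
)

# Constructed sample, modelled on the m0n0wall log lines quoted in the thread.
SAMPLE_LOG = """\
Aug 31 00:25:46 racoon: INFO: respond new phase 1 negotiation: M0N0WALL-IP[500]<=>CISCOVPN-IP[500]
Aug 31 00:25:46 racoon: INFO: begin Identity Protection mode.
Aug 31 00:25:46 racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
Aug 31 00:25:46 racoon: ERROR: no suitable proposal found.
"""


def parse_dh_rejections(log_text):
    """Return one dict per rejected dh_group line: both sides' MODP size and IKE group id."""
    findings = []
    for line in log_text.splitlines():
        m = DH_REJECT.search(line)
        if not m:
            continue
        local_bits, peer_bits = int(m.group("local")), int(m.group("remote"))
        findings.append({
            "local_bits": local_bits, "peer_bits": peer_bits,
            "local_group": MODP_GROUPS.get(local_bits),
            "peer_group": MODP_GROUPS.get(peer_bits),
            "local_proposal": m.group("db"), "peer_proposal": m.group("peer"),
        })
    return findings


def recommend(finding):
    """Name the mismatch and the side to change; align on the stronger group, not the weaker."""
    lg, pg = finding["local_group"], finding["peer_group"]
    if lg is None or pg is None:
        return "unknown MODP size in log line; check both peers' Phase 1 DH settings"
    weak_side, target = ("peer", lg) if lg > pg else ("local", pg)
    note = (f"Phase 1 DH mismatch: local group {lg}, peer group {pg}; "
            f"raise the {weak_side} side's DH group to {target}")
    if min(lg, pg) == 1:
        note += " rather than dropping to 768-bit group 1"
    return note


if __name__ == "__main__":
    for finding in parse_dh_rejections(SAMPLE_LOG):
        print(recommend(finding))
```

For the thread's case this maps 1024-bit to group 2 on the m0n0wall and 768-bit to group 1 on the Cisco, which is why "IKE-3DES-MD5-DH1" could not match a Phase 1 policy set to group 2.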