Greetings,

Need some assistance on m0n0wall to PIX IPSec issue. Cisco guy gave me the following as his setup, not a subnet specified in his ACL but 3 specific hosts. The 192.168.87.0/24 is my local subnet on m0n0wall side (below 1.1.1.1 is m0n0wall public IP and 2.2.2.2 is PIX public IP):

access-list nonat extended permit ip host 172.31.0.1 192.168.87.0 255.255.255.0
access-list nonat extended permit ip host 172.31.0.80 192.168.87.0 255.255.255.0
access-list nonat extended permit ip host 172.31.1.90 192.168.87.0 255.255.255.0
access-list 600 extended permit ip host 172.31.0.1 192.168.87.0 255.255.255.0
access-list 600 extended permit ip host 172.31.0.80 192.168.87.0 255.255.255.0
access-list 600 extended permit ip host 172.31.1.90 192.168.87.0 255.255.255.0
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key **************
crypto map newmap 600 match address 600
crypto map newmap 600 set peer 1.1.1.1
crypto map newmap 600 set transform-set ESP-3DES-MD5

Here is the log from m0n0wall.

Oct 12 09:59:03 racoon: INFO: IPsec-SA request for 216.118.82.254 queued due to no phase1 found.
Oct 12 09:59:03 racoon: INFO: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Oct 12 09:59:03 racoon: INFO: begin Aggressive mode.
Oct 12 09:59:03 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 12 09:59:03 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 12 09:59:03 racoon: INFO: received Vendor ID: DPD
Oct 12 09:59:03 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 12 09:59:04 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Oct 12 09:59:04 racoon: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:4462e312bc98cfde:4bcb25fec10c5cb1
Oct 12 09:59:04 racoon: INFO: initiate new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
Oct 12 09:59:04 racoon: INFO: purging ISAKMP-SA spi=4462e312bc98cfde:4bcb25fec10c5cb1.
Oct 12 09:59:04 racoon: INFO: purged IPsec-SA spi=218714308.
Oct 12 09:59:04 racoon: INFO: purged ISAKMP-SA spi=4462e312bc98cfde:4bcb25fec10c5cb1.
Oct 12 09:59:04 racoon: ERROR: unknown Informational exchange received.
Oct 12 09:59:05 racoon: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500] spi:4462e312bc98cfde:4bcb25fec10c5cb1

I've tried on m0n0wall config, both remote subnet = 172.31.0.0/21 and 172.31.0.1/24 and neither have worked so far.

Thanks,
Kyle McBride