 From:  "Wilfred E. Savery" <wilfred dot savery at innovadotnet dot com>
 To:  <kyle dot mcbride at instatservices dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] m0n0wall-to-PIX IPsec Issue: specific host(s) as remote subnet?
 Date:  Thu, 12 Oct 2006 09:14:31 -0600
I had a similar problem.
MONO <--> PIX (LAN to LAN).
Initially my LAN was 192.168.X.X and my partner site, where I was
connecting, had 172.16.X.X. After one week of trial and error I
found out that beside the 172.16.X.X there was a 192.X.X.X.
So after changing my network address to 20.10.1.X, connecting was no problem.

1. Check to see if there is no similar network behind each other's wall.

And make sure you follow the manual that is on the m0n0wall site for setting
up site to site (mono - pix); it's very good and it worked for me.

Best regards



-----Original Message-----
From: Kyle McBride [mailto:kyle dot mcbride at instatservices dot com] 
Sent: Thursday, 12 October 2006 08:50 a.m.
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] m0n0wall-to-PIX IPsec Issue: specific host(s) as remote subnet?

Greetings,

I need some assistance on a m0n0wall to PIX IPsec issue. The Cisco guy gave me the
following as his setup: not a subnet specified in his ACL but 3 specific
hosts. 192.168.87.0/24 is my local subnet on the m0n0wall side (below,
1.1.1.1 is the m0n0wall public IP and 2.2.2.2 is the PIX public IP):

access-list nonat extended permit ip host 172.31.0.1 192.168.87.0 255.255.255.0
access-list nonat extended permit ip host 172.31.0.80 192.168.87.0 255.255.255.0
access-list nonat extended permit ip host 172.31.1.90 192.168.87.0 255.255.255.0

access-list 600 extended permit ip host 172.31.0.1 192.168.87.0 255.255.255.0
access-list 600 extended permit ip host 172.31.0.80 192.168.87.0 255.255.255.0
access-list 600 extended permit ip host 172.31.1.90 192.168.87.0 255.255.255.0

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key **************

crypto map newmap 600 match address 600
crypto map newmap 600 set peer 1.1.1.1
crypto map newmap 600 set transform-set ESP-3DES-MD5


Here is the log from m0n0wall.

Oct 12 09:59:03 racoon: INFO: IPsec-SA request for 216.118.82.254 queued due to no phase1 found.
Oct 12 09:59:03 racoon: INFO: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Oct 12 09:59:03 racoon: INFO: begin Aggressive mode.
Oct 12 09:59:03 racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 12 09:59:03 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 12 09:59:03 racoon: INFO: received Vendor ID: DPD
Oct 12 09:59:03 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 12 09:59:04 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Oct 12 09:59:04 racoon: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:4462e312bc98cfde:4bcb25fec10c5cb1
Oct 12 09:59:04 racoon: INFO: initiate new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
Oct 12 09:59:04 racoon: INFO: purging ISAKMP-SA spi=4462e312bc98cfde:4bcb25fec10c5cb1.
Oct 12 09:59:04 racoon: INFO: purged IPsec-SA spi=218714308.
Oct 12 09:59:04 racoon: INFO: purged ISAKMP-SA spi=4462e312bc98cfde:4bcb25fec10c5cb1.
Oct 12 09:59:04 racoon: ERROR: unknown Informational exchange received.
Oct 12 09:59:05 racoon: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500] spi:4462e312bc98cfde:4bcb25fec10c5cb1


I've tried, in the m0n0wall config, both remote subnet = 172.31.0.0/21 and
172.31.0.1/24, and neither has worked so far.

Thanks,
Kyle McBride


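The thread turns on whether the phase 2 selectors m0n0wall proposes line up with the PIX crypto ACL, which lists three /32 hosts rather than a subnet, and on Wilfred's point about overlapping LANs on either side of the tunnel. The following is an added example written for this page, not code from the thread or from the m0n0wall or Cisco projects. It parses the quoted `access-list 600` lines (constructed inline from the post) into the selector pairs the PIX side will expect, checks whether a candidate m0n0wall local/remote pair is the exact mirror image of one of them, lists which hosts a wide remote subnet merely covers without matching, and flags overlap between the two LANs. The ACL parser handles only the `host`, `any` and `address netmask` forms shown in PIX extended ACLs; that scope is an assumption of the example.

```python
import ipaddress

# Constructed sample input: the three crypto-map ACL entries quoted in Kyle's
# post, joined back onto one line each.
PIX_ACL = """
access-list 600 extended permit ip host 172.31.0.1 192.168.87.0 255.255.255.0
access-list 600 extended permit ip host 172.31.0.80 192.168.87.0 255.255.255.0
access-list 600 extended permit ip host 172.31.1.90 192.168.87.0 255.255.255.0
"""


def _parse_addr(tokens, i):
    """Consume one PIX ACL address spec at tokens[i]; return (network, next index).

    Supports 'host A', 'any' and 'A MASK' (PIX extended ACLs use a real subnet
    mask, not a Cisco IOS wildcard mask).
    """
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def pix_selectors(acl_text, acl_name):
    """Return [(pix_local, pix_remote)] for every 'permit ip' line of acl_name.

    Each entry is a phase 2 selector from the PIX's point of view: the source
    is the network behind the PIX, the destination is the network behind the
    peer (m0n0wall).
    """
    selectors = []
    for line in acl_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != acl_name:
            continue
        if t[2:5] != ["extended", "permit", "ip"]:
            continue  # only plain 'permit ip' lines define IPsec selectors here
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        selectors.append((src, dst))
    return selectors


def _net(spec):
    # m0n0wall accepts a host address with a prefix (e.g. 172.31.0.1/24);
    # strict=False masks it to the network address as the firewall would.
    return ipaddress.ip_network(spec, strict=False)


def phase2_match(m0n0_local, m0n0_remote, selectors):
    """True only if the PIX ACL holds the exact mirror image of the proposal."""
    local, remote = _net(m0n0_local), _net(m0n0_remote)
    return any(src == remote and dst == local for src, dst in selectors)


def uncovered_hosts(m0n0_remote, selectors):
    """PIX-side networks NOT contained in the proposed remote subnet."""
    remote = _net(m0n0_remote)
    return [str(src) for src, _ in selectors if not src.subnet_of(remote)]


def mirror_phase2_entries(m0n0_local, selectors):
    """Remote subnets m0n0wall would need, one phase 2 entry each, to mirror
    every PIX selector whose destination is our local subnet."""
    local = _net(m0n0_local)
    return sorted(str(src) for src, dst in selectors if dst == local)


def lans_overlap(local_net, remote_net):
    """Wilfred's check: the two LANs must not share address space."""
    return _net(local_net).overlaps(_net(remote_net))


def diagnose(m0n0_local, m0n0_remote, acl_text, acl_name):
    sels = pix_selectors(acl_text, acl_name)
    return {
        "exact_match": phase2_match(m0n0_local, m0n0_remote, sels),
        "uncovered_hosts": uncovered_hosts(m0n0_remote, sels),
        "lans_overlap": lans_overlap(m0n0_local, m0n0_remote),
        "mirror_entries": mirror_phase2_entries(m0n0_local, sels),
    }


if __name__ == "__main__":
    for remote in ("172.31.0.0/21", "172.31.0.1/24"):
        print(remote, diagnose("192.168.87.0/24", remote, PIX_ACL, "600"))
```

Run stand-alone, the script reports that neither 172.31.0.0/21 nor 172.31.0.1/24 is an exact mirror of any ACL entry: the /21 covers all three hosts but matches none of them, and the /24 leaves 172.31.1.90 uncovered as well. `mirror_entries` lists the three /32 remote subnets that would mirror the ACL line for line, and `lans_overlap` is false for these two networks, so the address collision Wilfred ran into is not in play on this pair.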