 From:  Kyle McBride <kyle dot mcbride at instatservices dot com>
 To:  "Wilfred E. Savery" <wilfred dot savery at innovadotnet dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0wall-to-PIX IPsec Issue: specific host(s) as remote subnet?
 Date:  Thu, 12 Oct 2006 08:26:13 -0700
Wilfred E. Savery wrote:
> I had a similar prob.
> MONO <--> PIX (LAN to LAN).
> Initially my LAN was 192.168.X.X and my partner site, where I was
> connecting, had the same 172.16.X.X. After one week of trial and error I
> found out that beside the 172.16.X.X there was a 192.X.X.X.
> So after changing my network address to 20.10.1.X, connecting was no problem.
> 
> 1. Check to see if there is no similar network behind each other's WALL.

We made sure of this at the start, partner site does not have any 
internal 192.x.x.x addresses but has several tunnels configured with 
others in 192.168.x.x range. But they told me that 192.168.87.x was 
available to use.
> 
> And make sure you follow the manual that is on the m0n0wall site for setting
> up site to site (mono - pix). It's very good and it worked for me.

The manual is clear on network to network, but the question here deals 
with the partner's ACL that has three specific hosts in it rather than a 
subnet.  Does this introduce a problem?
> 
> Best regards
> 
> 
> 
> -----Original Message-----
> From: Kyle McBride [mailto:kyle dot mcbride at instatservices dot com] 
> Sent: Thursday, 12 October 2006 08:50 a.m.
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] m0n0wall-to-PIX IPsec Issue: specific host(s) as remote
> subnet?
> 
> Greetings,
> 
> Need some assistance on m0n0wall to PIX IPSec issue. Cisco guy gave me the
> following as his setup, not a subnet specified in his ACL but 3 specific
> hosts. The 192.168.87.0/24 is my local subnet on m0n0wall side (below
> 1.1.1.1 is m0n0wall public IP and 2.2.2.2 is PIX public IP):
> 
> access-list nonat extended permit ip host 172.31.0.1 192.168.87.0
> 255.255.255.0
> access-list nonat extended permit ip host 172.31.0.80 192.168.87.0
> 255.255.255.0
> access-list nonat extended permit ip host 172.31.1.90 192.168.87.0
> 255.255.255.0
> 
> access-list 600 extended permit ip host 172.31.0.1 192.168.87.0
> 255.255.255.0
> access-list 600 extended permit ip host 172.31.0.80 192.168.87.0
> 255.255.255.0
> access-list 600 extended permit ip host 172.31.1.90 192.168.87.0
> 255.255.255.0
> 
> tunnel-group 1.1.1.1 type ipsec-l2l
> tunnel-group 1.1.1.1 ipsec-attributes
>  pre-shared-key **************
> 
> crypto map newmap 600 match address 600
> crypto map newmap 600 set peer 1.1.1.1
> crypto map newmap 600 set transform-set ESP-3DES-MD5
> 
> 
> Here is the log from m0n0wall.
> 
> Oct 12 09:59:03 racoon: INFO: IPsec-SA request for 216.118.82.254 queued due
> to no phase1 found. 
> Oct 12 09:59:03 racoon: INFO: initiate new phase 1 negotiation:
> 1.1.1.1[500]<=>2.2.2.2[500] 
> Oct 12 09:59:03 racoon: INFO: begin Aggressive mode. 
> Oct 12 09:59:03 racoon: INFO: received Vendor ID: CISCO-UNITY 
> Oct 12 09:59:03 racoon: INFO: received Vendor ID:
> draft-ietf-ipsra-isakmp-xauth-06.txt 
> Oct 12 09:59:03 racoon: INFO: received Vendor ID: DPD 
> Oct 12 09:59:03 racoon: INFO: received broken Microsoft ID: FRAGMENTATION 
> Oct 12 09:59:04 racoon: NOTIFY: couldn't find the proper pskey, try to get
> one by the peer's address. 
> Oct 12 09:59:04 racoon: INFO: ISAKMP-SA established
> 1.1.1.1[500]-2.2.2.2[500] spi:4462e312bc98cfde:4bcb25fec10c5cb1 
> Oct 12 09:59:04 racoon: INFO: initiate new phase 2 negotiation:
> 1.1.1.1[0]<=>2.2.2.2[0] 
> Oct 12 09:59:04 racoon: INFO: purging ISAKMP-SA
> spi=4462e312bc98cfde:4bcb25fec10c5cb1. 
> Oct 12 09:59:04 racoon: INFO: purged IPsec-SA spi=218714308. 
> Oct 12 09:59:04 racoon: INFO: purged ISAKMP-SA
> spi=4462e312bc98cfde:4bcb25fec10c5cb1. 
> Oct 12 09:59:04 racoon: ERROR: unknown Informational exchange received. 
> Oct 12 09:59:05 racoon: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500]
> spi:4462e312bc98cfde:4bcb25fec10c5cb1
> 
> 
> I've tried on m0n0wall config, both remote subnet = 172.31.0.0/21 and
> 172.31.0.1/24 and neither have worked so far.
> 
> Thanks,
> Kyle McBride
> 
> 
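A common reason for phase 2 failing right after the ISAKMP-SA comes up, as in the racoon log quoted above, is a mismatch in the phase 2 selectors (proxy IDs): each ACE in the PIX crypto-map ACL is one selector pair and a `host` entry is a /32, so a single /21 or /24 remote subnet on the m0n0wall side cannot equal any of the three entries. The following Python script is an added illustration (not code from the thread or from m0n0wall): it parses the quoted ACL into selector pairs and checks a candidate m0n0wall local/remote selector against them, treating the PIX's local side as m0n0wall's remote subnet.

```python
"""Check m0n0wall/racoon phase 2 selectors against a PIX crypto-map ACL.

Added example, not code from the thread or from m0n0wall. Each ACE in the
crypto map ACL is one proxy identity the PIX accepts in quick mode, and
"host X" means X/32; the m0n0wall tunnel's (remote, local) pair must equal
one of these pairs or phase 2 fails even though phase 1 succeeded.
"""
import ipaddress
import re

# Constructed from the ACL lines quoted in the original post. PIX syntax:
# "permit ip <src> <dst>", each endpoint "host A.B.C.D" or "A.B.C.D MASK";
# the "any" keyword is not handled by this small parser.
PIX_ACL_600 = """
access-list 600 extended permit ip host 172.31.0.1 192.168.87.0 255.255.255.0
access-list 600 extended permit ip host 172.31.0.80 192.168.87.0 255.255.255.0
access-list 600 extended permit ip host 172.31.1.90 192.168.87.0 255.255.255.0
"""

ENDPOINT = r"(host\s+\S+|\S+\s+\S+)"
ACE_RE = re.compile(rf"permit\s+ip\s+{ENDPOINT}\s+{ENDPOINT}\s*$")


def parse_endpoint(token):
    """'host 172.31.0.1' -> 172.31.0.1/32; '192.168.87.0 255.255.255.0' -> /24."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def pix_selectors(acl_text):
    """Return [(pix_local, pix_remote), ...], one pair per matching ACE."""
    pairs = []
    for line in acl_text.splitlines():
        m = ACE_RE.search(line.strip())
        if m:
            pairs.append((parse_endpoint(m.group(1)), parse_endpoint(m.group(2))))
    return pairs


def required_remote_subnets(acl_text):
    """Remote subnets m0n0wall would need, one tunnel per ACE (the PIX local side)."""
    return [str(local) for local, _ in pix_selectors(acl_text)]


def m0n0wall_matches(local_subnet, remote_subnet, acl_text):
    """True if m0n0wall's selector equals some ACE as seen from the PIX side."""
    ours = (ipaddress.ip_network(remote_subnet, strict=False),
            ipaddress.ip_network(local_subnet, strict=False))
    return ours in pix_selectors(acl_text)


if __name__ == "__main__":
    for remote in ("172.31.0.0/21", "172.31.0.1/24", "172.31.0.1/32"):
        print(remote, "matches an ACE:", m0n0wall_matches("192.168.87.0/24", remote, PIX_ACL_600))
    print("one tunnel per remote subnet:", required_remote_subnets(PIX_ACL_600))
```

Run against the quoted ACL, the two remote subnets tried in the original post match no ACE, while the three /32 hosts do, one per tunnel.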