 
 From:  Kyle McBride <kyle dot mcbride at instatservices dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0wall-to-PIX IPsec Issue: specific host(s) as remote subnet?
 Date:  Thu, 12 Oct 2006 13:39:13 -0700
On another interface I noticed that one of the destinations, 172.31.0.1, is
reachable, so I did a tracert. It looks like a host on my ISP's network has
this address. Will this cause the problems I'm having?

Tracing route to 172.31.0.1 over a maximum of 30 hops

   1     8 ms     1 ms     2 ms  rt3.instatservices.com [192.168.3.1]
   2    26 ms     7 ms    11 ms  10.114.220.1
   3    26 ms     7 ms     7 ms  pwy1aggc01-gex0315.sd.sd.cox.net [68.6.11.82]
   4    24 ms     7 ms     9 ms  elcnsysc01-gex0911.sd.sd.cox.net [68.6.8.92]
   5     *      441 ms     *     fed1dsrj02-get0500.rd.sd.cox.net [68.6.8.4]
   6    28 ms     9 ms    13 ms  fed1bbrc01-pos0203.rd.sd.cox.net [68.1.0.200]
   7    34 ms    11 ms    11 ms  rsmtbbrj01-so000.rd.oc.cox.net [68.1.0.197]
   8    12 ms    11 ms    11 ms  rsmtdsrj01-so000.rd.oc.cox.net [68.1.0.185]
   9    20 ms    11 ms    16 ms  rsmtsysj01.rd.oc.cox.net [68.4.14.254]
  10    13 ms    13 ms    15 ms  irvnsysj01.oc.oc.cox.net [68.4.14.74]
  11    20 ms    19 ms    17 ms  ip68-4-14-54.oc.oc.cox.net [68.4.14.54]
  12    32 ms    15 ms    13 ms  ip68-4-14-210.oc.oc.cox.net [68.4.14.210]
  13    45 ms    13 ms    14 ms  172.31.0.1

Kyle McBride wrote:
> Greetings,
> 
> I need some assistance on a m0n0wall to PIX IPsec issue. The Cisco guy gave me the
> following as his setup: not a subnet specified in his ACL, but 3 specific
> hosts. 192.168.87.0/24 is my local subnet on the m0n0wall side (below,
> 1.1.1.1 is the m0n0wall public IP and 2.2.2.2 is the PIX public IP):
> 
> access-list nonat extended permit ip host 172.31.0.1 192.168.87.0 255.255.255.0
> access-list nonat extended permit ip host 172.31.0.80 192.168.87.0 255.255.255.0
> access-list nonat extended permit ip host 172.31.1.90 192.168.87.0 255.255.255.0
> 
> access-list 600 extended permit ip host 172.31.0.1 192.168.87.0 255.255.255.0
> access-list 600 extended permit ip host 172.31.0.80 192.168.87.0 255.255.255.0
> access-list 600 extended permit ip host 172.31.1.90 192.168.87.0 255.255.255.0
> 
> tunnel-group 1.1.1.1 type ipsec-l2l
> tunnel-group 1.1.1.1 ipsec-attributes
>  pre-shared-key **************
> 
> crypto map newmap 600 match address 600
> crypto map newmap 600 set peer 1.1.1.1
> crypto map newmap 600 set transform-set ESP-3DES-MD5
> 
> 
> Here is the log from m0n0wall.
> 
> Oct 12 09:59:03 racoon: INFO: IPsec-SA request for 216.118.82.254 queued due to no phase1 found.
> Oct 12 09:59:03 racoon: INFO: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
> Oct 12 09:59:03 racoon: INFO: begin Aggressive mode.
> Oct 12 09:59:03 racoon: INFO: received Vendor ID: CISCO-UNITY
> Oct 12 09:59:03 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
> Oct 12 09:59:03 racoon: INFO: received Vendor ID: DPD
> Oct 12 09:59:03 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
> Oct 12 09:59:04 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> Oct 12 09:59:04 racoon: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:4462e312bc98cfde:4bcb25fec10c5cb1
> Oct 12 09:59:04 racoon: INFO: initiate new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
> Oct 12 09:59:04 racoon: INFO: purging ISAKMP-SA spi=4462e312bc98cfde:4bcb25fec10c5cb1.
> Oct 12 09:59:04 racoon: INFO: purged IPsec-SA spi=218714308.
> Oct 12 09:59:04 racoon: INFO: purged ISAKMP-SA spi=4462e312bc98cfde:4bcb25fec10c5cb1.
> Oct 12 09:59:04 racoon: ERROR: unknown Informational exchange received.
> Oct 12 09:59:05 racoon: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500] spi:4462e312bc98cfde:4bcb25fec10c5cb1
> 
> 
> I've tried on m0n0wall config, both remote subnet = 172.31.0.0/21 and
> 172.31.0.1/24 and neither have worked so far.
> 
> Thanks,
> Kyle McBride
> 
> 
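A worked check of the phase 2 identity problem raised in the quoted message, added here as an example and not code from m0n0wall, racoon or the PIX. In IKEv1 the crypto ACL on a PIX defines the phase 2 identities it will accept, one (PIX-side network, peer-side network) pair per ACE, and Cisco documents that the peer's selectors have to be the mirror image of that ACL. The script below parses the ACL lines exactly as quoted in the thread, turns each ACE into such a pair, and compares it with the single local/remote subnet pair a m0n0wall tunnel definition carries (assumed: one pair per tunnel, and a remote subnet typed as `172.31.0.1/24` read as the network 172.31.0.0/24). The function names, the `report()` structure and the "one tunnel per ACE" remedy are this example's own, not anything the thread states; the point it illustrates is that a /21 or /24 that merely contains the three hosts is a different identity from `host 172.31.0.1`, so none of the remote subnets tried so far is an exact match.

```python
"""Compare a Cisco PIX crypto-map ACL with a m0n0wall IPsec tunnel pair.

Added example for this thread; not code from m0n0wall, racoon or the PIX.
Assumptions: each 'permit ip' ACE of the ACL named by 'match address'
is one exact phase-2 identity pair (PIX-side network, peer-side network),
and one m0n0wall tunnel definition proposes exactly one (local, remote)
pair, so that pair must equal an ACE rather than merely contain it.
"""
import ipaddress

# ACL text as quoted in the thread (the nonat ACL and the crypto-map ACL 600).
PIX_CONFIG = """
access-list nonat extended permit ip host 172.31.0.1 192.168.87.0 255.255.255.0
access-list nonat extended permit ip host 172.31.0.80 192.168.87.0 255.255.255.0
access-list nonat extended permit ip host 172.31.1.90 192.168.87.0 255.255.255.0
access-list 600 extended permit ip host 172.31.0.1 192.168.87.0 255.255.255.0
access-list 600 extended permit ip host 172.31.0.80 192.168.87.0 255.255.255.0
access-list 600 extended permit ip host 172.31.1.90 192.168.87.0 255.255.255.0
"""


def _take_address(tokens):
    """Consume one PIX address spec ('any', 'host A' or 'A MASK') and
    return (network, remaining tokens).  PIX/ASA ACLs use subnet masks,
    not IOS-style wildcard masks, so 'A MASK' maps straight to a network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(config, acl_name):
    """Return [(pix_side, peer_side), ...] for every 'permit ip' ACE of acl_name."""
    selectors = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != acl_name:
            continue
        if tokens[2] == "extended":          # optional keyword on PIX 7.x
            tokens = tokens[:2] + tokens[3:]
        if tokens[2] != "permit" or tokens[3] != "ip":
            continue                         # deny lines and port ACEs form no selector
        pix_side, rest = _take_address(tokens[4:])
        peer_side, _ = _take_address(rest)
        selectors.append((pix_side, peer_side))
    return selectors


def m0n0wall_pair(local_subnet, remote_subnet):
    """The (local, remote) identity pair one m0n0wall tunnel proposes.
    strict=False reads '172.31.0.1/24' as 172.31.0.0/24 (assumption: the
    GUI field is a network, so host bits are dropped)."""
    return (ipaddress.ip_network(local_subnet, strict=False),
            ipaddress.ip_network(remote_subnet, strict=False))


def exact_match(selectors, local, remote):
    """The ACE that is the mirror image of the m0n0wall pair, or None."""
    for pix_side, peer_side in selectors:
        if peer_side == local and pix_side == remote:
            return (pix_side, peer_side)
    return None


def merely_covered(selectors, local, remote):
    """ACEs whose PIX-side network lies inside the proposed remote subnet.
    These make a wide remote subnet look right, but a containing subnet is
    not the same phase-2 identity as the host ACE."""
    return [(p, q) for p, q in selectors if q == local and p.subnet_of(remote)]


def required_tunnels(selectors):
    """One m0n0wall tunnel per ACE: (local subnet, remote subnet) strings."""
    return [(str(peer_side), str(pix_side)) for pix_side, peer_side in selectors]


def report(config, acl_name, local_subnet, remote_subnet):
    """Summarise how a proposed m0n0wall pair relates to the PIX crypto ACL."""
    selectors = parse_crypto_acl(config, acl_name)
    local, remote = m0n0wall_pair(local_subnet, remote_subnet)
    return {
        "proposed": (str(local), str(remote)),
        "exact_match": exact_match(selectors, local, remote) is not None,
        "covered_only": [str(p) for p, _ in merely_covered(selectors, local, remote)],
        "tunnels_needed": required_tunnels(selectors),
    }


if __name__ == "__main__":
    # The two remote subnets tried in the thread, plus one host entry.
    for remote in ("172.31.0.0/21", "172.31.0.1/24", "172.31.0.1/32"):
        r = report(PIX_CONFIG, "600", "192.168.87.0/24", remote)
        status = "exact ACE match" if r["exact_match"] else "no exact ACE"
        print(f"{r['proposed'][1]:>16}: {status}; hosts merely covered: {r['covered_only']}")
    print("tunnels needed:", required_tunnels(parse_crypto_acl(PIX_CONFIG, "600")))
```

Run stand-alone it reports that 172.31.0.0/21 covers all three hosts and 172.31.0.0/24 covers two without either being an exact ACE, while 172.31.0.1/32 is; the remedy it suggests, three tunnel definitions with /32 remote subnets (or the Cisco side changing its ACL to a network that m0n0wall can mirror), follows from the mirror-image assumption stated in the lead-in.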