On another interface I noticed that one of the destinations is
reachable, 172.31.0.1 so I did a tracert - looks like a host on my ISP's
network has this address. Will this cause the problems I'm having??
Tracing route to 172.31.0.1 over a maximum of 30 hops
1 8 ms 1 ms 2 ms rt3.instatservices.com [192.168.3.1]
2 26 ms 7 ms 11 ms 10.114.220.1
3 26 ms 7 ms 7 ms pwy1aggc01-gex0315.sd.sd.cox.net
[68.6.11.82]
4 24 ms 7 ms 9 ms elcnsysc01-gex0911.sd.sd.cox.net
[68.6.8.92]
5 * 441 ms * fed1dsrj02-get0500.rd.sd.cox.net [68.6.8.4]
6 28 ms 9 ms 13 ms fed1bbrc01-pos0203.rd.sd.cox.net
[68.1.0.200]
7 34 ms 11 ms 11 ms rsmtbbrj01-so000.rd.oc.cox.net [68.1.0.197]
8 12 ms 11 ms 11 ms rsmtdsrj01-so000.rd.oc.cox.net [68.1.0.185]
9 20 ms 11 ms 16 ms rsmtsysj01.rd.oc.cox.net [68.4.14.254]
10 13 ms 13 ms 15 ms irvnsysj01.oc.oc.cox.net [68.4.14.74]
11 20 ms 19 ms 17 ms ip68-4-14-54.oc.oc.cox.net [68.4.14.54]
12 32 ms 15 ms 13 ms ip68-4-14-210.oc.oc.cox.net [68.4.14.210]
13 45 ms 13 ms 14 ms 172.31.0.1
Kyle McBride wrote:
> Greetings,
>
> Need some assistance on m0n0wall to PIX IPSec issue. Cisco guy gave me the
> following as his setup, not a subnet specified in his ACL but 3 specific
> hosts. The 192.168.87.0/24 is my local subnet on m0n0wall side (below
> 1.1.1.1 is m0n0wall public IP and 2.2.2.2 is PIX public IP):
>
> access-list nonat extended permit ip host 172.31.0.1 192.168.87.0
> 255.255.255.0
> access-list nonat extended permit ip host 172.31.0.80 192.168.87.0
> 255.255.255.0
> access-list nonat extended permit ip host 172.31.1.90 192.168.87.0
> 255.255.255.0
>
> access-list 600 extended permit ip host 172.31.0.1 192.168.87.0
> 255.255.255.0
> access-list 600 extended permit ip host 172.31.0.80 192.168.87.0
> 255.255.255.0
> access-list 600 extended permit ip host 172.31.1.90 192.168.87.0
> 255.255.255.0
>
> tunnel-group 1.1.1.1 type ipsec-l2l
> tunnel-group 1.1.1.1 ipsec-attributes
> pre-shared-key **************
>
> crypto map newmap 600 match address 600
> crypto map newmap 600 set peer 1.1.1.1
> crypto map newmap 600 set transform-set ESP-3DES-MD5
>
>
> Here is the log from m0n0wall.
>
> Oct 12 09:59:03 racoon: INFO: IPsec-SA request for 216.118.82.254 queued due
> to no phase1 found.
> Oct 12 09:59:03 racoon: INFO: initiate new phase 1 negotiation:
> 1.1.1.1[500]<=>2.2.2.2[500]
> Oct 12 09:59:03 racoon: INFO: begin Aggressive mode.
> Oct 12 09:59:03 racoon: INFO: received Vendor ID: CISCO-UNITY
> Oct 12 09:59:03 racoon: INFO: received Vendor ID:
> draft-ietf-ipsra-isakmp-xauth-06.txt
> Oct 12 09:59:03 racoon: INFO: received Vendor ID: DPD Oct 12 09:59:03
> racoon: INFO: received broken Microsoft ID: FRAGMENTATION
> Oct 12 09:59:04 racoon: NOTIFY: couldn't find the proper pskey, try to get
> one by the peer's address.
> Oct 12 09:59:04 racoon: INFO: ISAKMP-SA established
> 1.1.1.1[500]-2.2.2.2[500] spi:4462e312bc98cfde:4bcb25fec10c5cb1
> Oct 12 09:59:04 racoon: INFO: initiate new phase 2 negotiation:
> 1.1.1.1[0]<=>2.2.2.2[0]
> Oct 12 09:59:04 racoon: INFO: purging ISAKMP-SA
> spi=4462e312bc98cfde:4bcb25fec10c5cb1.
> Oct 12 09:59:04 racoon: INFO: purged IPsec-SA spi=218714308.
> Oct 12 09:59:04 racoon: INFO: purged ISAKMP-SA
> spi=4462e312bc98cfde:4bcb25fec10c5cb1.
> Oct 12 09:59:04 racoon: ERROR: unknown Informational exchange received.
> Oct 12 09:59:05 racoon: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500]
> spi:4462e312bc98cfde:4bcb25fec10c5cb1
>
>
> I've tried on m0n0wall config, both remote subnet = 172.31.0.0/21 and
> 172.31.0.1/24 and neither have worked so far.
>
> Thanks,
> Kyle McBride
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
| 