 From:  Manuel Kasper <mk at neon1 dot net>
 To:  "Michael A. Alderete" <alderete at haightlife dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0wall settings to allow IPSEC (without NAT)?
 Date:  Tue, 14 Nov 2006 23:18:53 +0100
On 14.11.06 13:58 -0800, Michael A. Alderete wrote:

> Hmmm. Are there settings that need to be configured on m0n0wall for
> this to work?

Nothing special on m0n0wall; it should work with default settings.
You might want to try it with a simple more-or-less default
configuration just to rule out any chance of a misconfiguration (I
didn't analyze your entire config.xml, but I noticed that there are
quite a few rules and interfaces in there ;).

> Or on the Cisco software, either end? (I've attached

Not as far as I know, but one thing comes to mind: somebody once
reported that the remote Cisco VPN concentrator they were trying to
connect to didn't like the fact that the port number of the packets
that their VPN client sent got translated to something else than the
default (probably 500 for IKE and 4500 or so for UDP/NAT-T
encapsulated ESP packets) by m0n0wall. Maybe that's the problem (the
Cisco VPN concentrators that I connect to don't mind) - m0n0wall will
always translate ports when doing "outbound NAT". Try giving your VPN
client a one-to-one mapped IP address to find out - there won't be
any port translation then.

- Manuel
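To make the port-translation point concrete, here is an added illustration (not part of the mail and not m0n0wall code): a small model that pushes an IKE (UDP 500) and a NAT-T (UDP 4500) packet through port-translating outbound NAT and through a 1:1 mapping, then checks them against a peer that insists on the standard source ports. The addresses, the 1:1 mapping and the ephemeral port range are constructed placeholders, and the "strict peer" only models the behaviour the reporter described.

```python
"""Constructed model: outbound NAT vs. 1:1 NAT as seen by an IPsec peer."""
from dataclasses import dataclass, replace
from itertools import count

IKE_PORT = 500     # IKE/ISAKMP over UDP
NATT_PORT = 4500   # UDP-encapsulated ESP (NAT-T)
WAN_IP = "203.0.113.2"                              # constructed firewall WAN address
ONE_TO_ONE = {"192.168.1.50": "203.0.113.50"}       # constructed 1:1 mapping


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def outbound_nat(pkt, wan_ip, port_pool):
    """Many-to-one outbound NAT: source IP *and* source port are rewritten."""
    return replace(pkt, src_ip=wan_ip, src_port=next(port_pool))


def one_to_one_nat(pkt, mapping):
    """1:1 NAT: only the source IP is rewritten; the source port survives."""
    return replace(pkt, src_ip=mapping[pkt.src_ip])


def strict_peer_accepts(pkt):
    """Peer that requires IKE from UDP 500 and NAT-T from UDP 4500."""
    return pkt.dst_port in (IKE_PORT, NATT_PORT) and pkt.src_port == pkt.dst_port


def lenient_peer_accepts(pkt):
    """Peer that only checks the destination port (like the ones that 'don't mind')."""
    return pkt.dst_port in (IKE_PORT, NATT_PORT)


def simulate(client_ip="192.168.1.50", peer_ip="198.51.100.7"):
    """Return, per NAT mode, the translated source ports and both peers' verdicts."""
    pkts = [UdpPacket(client_ip, IKE_PORT, peer_ip, IKE_PORT),
            UdpPacket(client_ip, NATT_PORT, peer_ip, NATT_PORT)]
    pool = count(10500)  # constructed ephemeral port range used by outbound NAT
    modes = {"outbound_nat": lambda p: outbound_nat(p, WAN_IP, pool),
             "one_to_one": lambda p: one_to_one_nat(p, ONE_TO_ONE)}
    results = {}
    for label, translate in modes.items():
        out = [translate(p) for p in pkts]
        results[label] = {"src_ports": [p.src_port for p in out],
                          "strict_peer_ok": all(strict_peer_accepts(p) for p in out),
                          "lenient_peer_ok": all(lenient_peer_accepts(p) for p in out)}
    return results


if __name__ == "__main__":
    for mode, verdict in simulate().items():
        print(mode, verdict)
```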