 From:  "Jonathan Simpson" <jsimpson at theatsgroup dot com>
 To:  "'Philippe Lang'" <philippe dot lang at attiksystem dot ch>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] ipsec, sonicwall to m0n0wall.
 Date:  Tue, 6 Feb 2007 08:52:47 -0500
Excuse my ignorance here, but is Enable Perfect Forward Secrecy the ESP
setting on phase 2? If so, I want to choose AH, correct?

Otherwise those match my current settings. I'm going to try to get a webex
session or similar to eyeball the other end.

Jonathan D. Simpson
Advanced Technology Services Group
Cell 484-467-9965
Office 484-320-4302

-----Original Message-----
From: Philippe Lang [mailto:philippe dot lang at attiksystem dot ch] 
Sent: Tuesday, February 06, 2007 8:39 AM
To: Jonathan Simpson; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] ipsec, sonicwall to m0n0wall.

Jonathan Simpson wrote:
> I've been struggling with this for days.  I'm trying to establish a
> connection between us and one of our business partners, we have a
> m0n0wall at our end and they have a sonicwall. We are both using main
> mode, all other settings have been checked over to match a dozen
> times, identifier is IP. The only error I see in my logs (there are
> lots of debugs) is racoon: ERROR: not acceptable Identity Protection mode.
> I've googled this error a dozen times over and all I can find is a
> reference to doing this on a netgear and aggressive/main not
> matching.  This shouldn't be an issue there. The guy on the remote
> side claims the connection is timing out.   
> Sorry for the long winded question, I really don't have that much
> ipsec knowledge.  I appreciate any help. 
> Jonathan


I'm personally using the following configuration, with a sonicwall and
a monowall, and it works. You might give it a try:

Phase 1:
Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: MD5

Phase 2:
Encryption: 3DES
Authentication: MD5
Enable Perfect Forward Secrecy disabled

This is certainly not the most secure VPN tunnel ever, but sufficient in
our case.

I'm using monowall 1.22 and SonicOS Enhanced

Hope this helps.


Philippe Lang
