The ESP/AH option is basically Encrypt/NoEncrypt. You want ESP. Your settings appear fine except for this. Here's my configuration for a m0n0 to TZ170 if it's of any help. The PFS key group on the m0n0wall is the same as the Enable Perfect Forward Secrecy and its associated DH Group combined on the Sonicwall.

On your m0n0wall, try the following settings (asterisks mean interpret this for your system):

Local Subnet: LAN Subnet
Remote Subnet: *LAN subnet at Sonicwall site*
Remote Gateway: *Public (internet) address of Sonicwall*

P1
Negotiation: main
My Identifier: My IP Address
Encryption: 3DES
Hash: SHA1
DH key: 2
Lifetime: 28800
Authentication method: Pre-shared key
Pre-shared Key: *A Password that's complex*

P2
Protocol: ESP
Encryption: 3DES
Hash: SHA1
PFS: off
Lifetime: 3600

On the Sonicwall:

Ipsec keying: IKE using Preshared key
Ipsec primary gateway: *Public address of m0n0wall (WAN address)*
Ipsec secondary gateway: 0.0.0.0
Shared Secret: *Same password as Pre-shared Key on m0n0wall*
Specify destination networks: *Set this*
Network: *Network address of m0n0wall LAN subnet*
Subnet Mask: *Subnet mask of m0n0wall LAN subnet*

IKE Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800

Ipsec Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Enable Perfect Forward Secrecy: *untick*
Life Time: 3600

On the Advanced tab, untick everything and select VPN Terminated At: LAN.

Works for me ;)

Richard

-----Original Message-----
From: Jonathan Simpson [mailto:jsimpson at theatsgroup dot com]
Sent: Tuesday, February 06, 2007 1:53 PM
To: 'Philippe Lang'; m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] ipsec, sonicwall to m0n0wall.

Excuse my ignorance here, but is Enable Perfect Forward Secrecy the ESP setting on phase 2? If so, I want to choose AH, correct? Otherwise those match my current settings. I'm going to try to get a webex session or similar to eyeball the other end.

Jonathan D. Simpson
Advanced Technology Services Group
Cell 484-467-9965
Office 484-320-4302

The information in this e-mail and any files transmitted with it is confidential and may be legally privileged. It is intended solely for the addressee and others authorised to receive it. If you are not the intended recipient, any disclosure, copying, distribution or action taken in reliance on its contents is prohibited and may be unlawful. The opinions expressed in this message are that of the sender and not necessarily those of Aaland Limited. If you have received this e-mail in error please notify postmaster at aaland dot co dot uk
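As an added example (not code from either poster or from m0n0wall/SonicWall), the following script normalises the two vendors' differently named phase 1/phase 2 fields into one canonical form and reports every disagreement, including the PFS mapping Richard describes (one m0n0wall field versus the SonicWall checkbox plus DH group) and the ESP-versus-AH mix-up from the original question. The dictionary keys and the sample subnets are hypothetical and constructed to mirror the settings above, not real configuration syntax.

```python
# Constructed samples mirroring both sides in the post (hypothetical key names, not vendor syntax)
M0N0 = {"local_subnet": "192.168.1.0/24", "remote_subnet": "10.0.0.0/24",
        "p1": {"negotiation": "main", "encryption": "3DES", "hash": "SHA1",
               "dh": 2, "lifetime": 28800},
        "p2": {"protocol": "ESP", "encryption": "3DES", "hash": "SHA1",
               "pfs": "off", "lifetime": 3600}}
SONICWALL = {"lan_subnet": "10.0.0.0/24", "destination_network": "192.168.1.0/24",
             "ike_exchange": "Main Mode", "dh_group": "Group 2", "encryption": "3DES",
             "authentication": "SHA1", "life_time": 28800, "ipsec_protocol": "ESP",
             "ipsec_encryption": "3DES", "ipsec_authentication": "SHA1",
             "enable_pfs": False, "pfs_dh_group": "Group 2", "ipsec_life_time": 3600}
def _group(label):  # SonicWall "Group 2" -> 2
    return int(str(label).split()[-1])

def canon_m0n0(c):
    p1, p2 = c["p1"], c["p2"]
    return {"local": c["local_subnet"], "remote": c["remote_subnet"],
            "p1_mode": p1["negotiation"].lower(), "p1_enc": p1["encryption"].upper(),
            "p1_hash": p1["hash"].upper(), "p1_dh": int(p1["dh"]),
            "p1_life": p1["lifetime"], "p2_proto": p2["protocol"].upper(),
            "p2_enc": p2["encryption"].upper(), "p2_hash": p2["hash"].upper(),
            # m0n0wall folds the PFS on/off switch and its DH group into one field
            "p2_pfs": None if str(p2["pfs"]).lower() == "off" else int(p2["pfs"]),
            "p2_life": p2["lifetime"]}

def canon_sonicwall(c):
    return {"local": c["lan_subnet"], "remote": c["destination_network"],
            "p1_mode": c["ike_exchange"].split()[0].lower(),
            "p1_enc": c["encryption"].upper(), "p1_hash": c["authentication"].upper(),
            "p1_dh": _group(c["dh_group"]), "p1_life": c["life_time"],
            "p2_proto": c["ipsec_protocol"].upper(), "p2_enc": c["ipsec_encryption"].upper(),
            "p2_hash": c["ipsec_authentication"].upper(),
            # SonicWall splits PFS into an Enable checkbox plus a separate DH group
            "p2_pfs": _group(c["pfs_dh_group"]) if c["enable_pfs"] else None,
            "p2_life": c["ipsec_life_time"]}

def mismatches(m0n0, sonicwall):
    # Returns every disagreement; an empty list means the two proposals line up
    a, b = canon_m0n0(m0n0), canon_sonicwall(sonicwall)
    out = []
    # subnets must mirror each other; every other parameter must be identical
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        out.append(f"subnets do not mirror: m0n0wall {a['local']}<->{a['remote']}, "
                   f"sonicwall {b['local']}<->{b['remote']}")
    for k in a:
        if k not in ("local", "remote") and a[k] != b[k]:
            out.append(f"{k}: m0n0wall={a[k]!r} sonicwall={b[k]!r}")
    if a["p2_proto"] == b["p2_proto"] == "AH":
        out.append("AH on both sides: integrity only, tunnel traffic is not encrypted")
    return out
```

Run `mismatches(M0N0, SONICWALL)` on the settings above and it returns an empty list; switch either side to AH or tick Enable PFS on only the SonicWall and the offending parameter is named.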