 From:  "Scott Pettit" <scott at pettit dot co dot nz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Cisco 857 and m0n0wall IPSec
 Date:  Wed, 11 Apr 2007 04:44:28 -0400

Hi all,

I've searched extensively but all I seem to find is discussion on Cisco
to Cisco or m0n0 to PIX IPSec documentation.

What I have is two locations which have previously been connected with a
m0n0 at each end which has worked great for 2 years now, but one end has
changed to a Cisco 857 instead of the m0n0wall.

Can someone help me with getting a site to site IPSec VPN running
between an 857 and m0n0wall?  This is probably more a configuration
problem on the Cisco since the m0n0 has worked fine previously - I'm
just not sure what is wrong and Cisco are being unhelpful because I'm
not trying to VPN between two Cisco devices.

Details:

Site 1 - Albany
Internal IP Range 192.168.1.0/24
Running m0n0wall with IPSec setup

Site 2 - Kumeu
Internal IP Range 192.168.3.0/24
Running Cisco 857 with fully operating ADSL/NAT that works fine


Here is the Cisco 857 config I've attempted but can't get working:

!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key supersecret address ip.of.the.m0n0 no-xauth
!
crypto ipsec transform-set vpn-albany esp-3des esp-sha-hmac
!
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer ip.of.the.m0n0
 set transform-set vpn-albany
 set pfs group2
 match address ALBANY-VPN
!
interface Dialer0
 crypto map cm-cryptomap
! (There is more to Dialer0 but I have edited it out as it is not relevant)
!
ip access-list extended ALBANY-VPN
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip any any
ip access-list extended NO-NAT
 remark Traffic to NAT
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
!

Thanks,

-Scott
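
Added example, not part of the original message: a Python script that extracts from the posted 857 configuration the phase 1 and phase 2 values that have to be compared against the m0n0wall tunnel settings, and lists crypto ACL entries whose source is not the router's own LAN (an IOS crypto ACL is written from the router's side: local source, remote destination). The function names and the trimmed CONFIG string are constructed for illustration.

```python
import ipaddress
import re

# Constructed input: crypto-related lines copied from the message above.
CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto ipsec transform-set vpn-albany esp-3des esp-sha-hmac
crypto map cm-cryptomap 1 ipsec-isakmp
 set pfs group2
 match address ALBANY-VPN
ip access-list extended ALBANY-VPN
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip any any
"""

FIELDS = {  # value the remote peer must match -> config line that sets it
    "ike_encryption": r"^ encr\S* (\S+)",
    "ike_hash": r"^ hash (\S+)",
    "ike_dh_group": r"^ group (\d+)",
    "ike_lifetime_s": r"^ lifetime (\d+)",
    "esp_transforms": r"^crypto ipsec transform-set \S+ (.+)$",
    "pfs_group": r"^ set pfs group(\d+)",
}

def proposal(config):
    """Phase 1/2 values in the config; None means no explicit line (default applies)."""
    found = {k: re.search(p, config, re.M) for k, p in FIELDS.items()}
    return {k: m.group(1) if m else None for k, m in found.items()}

def to_net(addr, wildcard):
    """IOS address + wildcard mask -> ip_network (a wildcard is an inverted netmask)."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")

def selectors(config, acl):
    """(source, destination) networks of each permit line in the named crypto ACL."""
    body = re.search(rf"^ip access-list extended {re.escape(acl)}\n((?: .*\n)*)", config, re.M)
    lines = re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", body.group(1))
    return [(to_net(a, b), to_net(c, d)) for a, b, c, d in lines]

def foreign_sources(pairs, local_lan):
    """Permit entries whose source network is not inside this router's own LAN."""
    lan = ipaddress.ip_network(local_lan)
    return [p for p in pairs if not p[0].subnet_of(lan)]
```

Calling `proposal(CONFIG)` gives the values to read off against the other end, and `foreign_sources(selectors(CONFIG, "ALBANY-VPN"), "192.168.3.0/24")` returns the ACL entries sourced from outside the Kumeu LAN.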