 From:  Fredrik Östergren - IT-Kontakt AB <fredrik dot ostergren at itkontakt dot se>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  SV: [m0n0wall] Cisco 857 and m0n0wall IPSec
 Date:  Wed, 11 Apr 2007 11:33:03 +0200
Do you get any error, or is it a problem with traffic?

What do the logs say?

Do you get incoming connections to/from the sites when he tries to
establish the tunnel?

Best Regards

/ Fredrik

-----Original Message-----

Sent: 11 April 2007 10:44
To: m0n0wall at lists dot m0n0 dot ch


Hi all,

I've searched extensively but all I seem to find is discussion on Cisco
to Cisco or m0n0 to PIX IPSec documentation.

What I have is two locations which have previously been connected with a
m0n0 at each end which has worked great for 2 years now, but one end has
changed to a Cisco 857 instead of the m0n0wall.

Can someone help me with getting a site to site IPSec VPN running
between an 857 and m0n0wall?  This is probably more a configuration
problem on the Cisco since the m0n0 has worked fine previously - I'm
just not sure what is wrong and Cisco are being unhelpful because I'm
not trying to VPN between two Cisco devices.

Details:

Site 1 - Albany
Internal IP Range 192.168.1.0/24
Running m0n0wall with IPSec setup

Site 2 - Kumeu
Internal IP Range 192.168.3.0/24
Running Cisco 857 with fully operating ADSL/NAT that works fine


Here is the Cisco 857 config I've attempted but can't get working:

!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key supersecret address ip.of.the.m0n0 no-xauth
!
crypto ipsec transform-set vpn-albany esp-3des esp-sha-hmac
!
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer ip.of.the.m0n0
 set transform-set vpn-albany
 set pfs group2
 match address ALBANY-VPN
!
interface Dialer0
 crypto map cm-cryptomap
! (There is more to Dialer0 but I have edited it out as it is not relevant)
!
ip access-list extended ALBANY-VPN
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip any any
ip access-list extended NO-NAT
 remark Traffic to NAT
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
!

Thanks,

-Scott
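
A consistency check for the two ACLs in the config quoted above, added here as an example and not part of the original thread. IOS crypto ACLs describe outbound traffic, so it reports permit entries that are not the Kumeu LAN to Albany LAN pair, and a missing NAT exemption for that pair. It assumes the m0n0wall tunnel is defined with 192.168.1.0/24 as its local subnet and 192.168.3.0/24 as its remote subnet; the function names are hypothetical.

```python
import ipaddress
import re

# Added example; function names are hypothetical.
# Constructed sample: the two ACLs copied from the config quoted above.
SAMPLE_CONFIG = """\
ip access-list extended ALBANY-VPN
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip any any
ip access-list extended NO-NAT
 remark Traffic to NAT
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
"""
# Matches only entries with address/wildcard pairs on both sides ("any" is skipped).
ENTRY = re.compile(r"^\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def wildcard_net(addr, wildcard):
    """Convert an IOS address/wildcard pair (0.0.0.255) to an ip_network (/24)."""
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for extended ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        head = re.match(r"ip access-list extended (\S+)", line)
        entry = ENTRY.match(line)
        if head:
            current = acls.setdefault(head.group(1), [])
        elif entry and current is not None:
            action, s, sw, d, dw = entry.groups()
            current.append((action, wildcard_net(s, sw), wildcard_net(d, dw)))
        elif not line.startswith(" "):
            current = None  # left the ACL section
    return acls

def check_selectors(config, crypto_acl, nat_acl, local, remote):
    """Compare the crypto ACL and NAT exemption with the agreed subnet pair."""
    pair = (ipaddress.ip_network(local), ipaddress.ip_network(remote))
    acls, findings = parse_acls(config), []
    for action, src, dst in acls.get(crypto_acl, []):
        if action == "permit" and (src, dst) != pair:
            findings.append(f"{crypto_acl}: permit {src} -> {dst} is not the local -> remote pair")
    if pair not in [(s, d) for a, s, d in acls.get(nat_acl, []) if a == "deny"]:
        findings.append(f"{nat_acl}: {pair[0]} -> {pair[1]} is not exempted from NAT")
    return findings

if __name__ == "__main__":
    print("\n".join(check_selectors(SAMPLE_CONFIG, "ALBANY-VPN", "NO-NAT", "192.168.3.0/24", "192.168.1.0/24")))
```

A finding here is a mismatch with the assumed m0n0wall tunnel definition to review, not a diagnosis of why the tunnel fails.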
