Guessing the problem:
The Kumeu side needs to route the packets for 192.168.1.0/24 out the
interface that your crypto map is applied to, i.e. Dialer0:

    ip route 192.168.1.0 255.255.255.0 dialer0

Nit picking:
The encryption domains don't need to be like that - they only apply for
outbound traffic. In other words:

    ip access-list extended ALBANY-VPN
     permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
     deny ip any any

basically:
"permit <protocol> <local network> <remote network>"

Awareness:
The MTU on Dialer0 should be around 1420.

Scott Pettit wrote:
> Hi all,
>
> I've searched extensively but all I seem to find is discussion on Cisco
> to Cisco or m0n0 to PIX IPSec documentation.
>
> What I have is two locations which have previously been connected with a
> m0n0 at each end which has worked great for 2 years now, but one end has
> changed to a Cisco 857 instead of the m0n0wall.
>
> Can someone help me with getting a site to site IPSec VPN running
> between an 857 and m0n0wall? This is probably more a configuration
> problem on the Cisco since the m0n0 has worked fine previously - I'm
> just not sure what is wrong and Cisco are being unhelpful because I'm
> not trying to VPN between two Cisco devices.
>
> Details:
>
> Site 1 - Albany
> Internal IP Range 192.168.1.0/24
> Running m0n0wall with IPSec setup
>
> Site 2 - Kumeu
> Internal IP Range 192.168.3.0/24
> Running Cisco 857 with fully operating ADSL/NAT that works fine
>
>
> Here is the Cisco 857 config I've attempted but can't get working:
>
> !
> crypto isakmp policy 10
>  encr 3des
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp key supersecret address ip.of.the.m0n0 no-xauth
> !
> crypto ipsec transform-set vpn-albany esp-3des esp-sha-hmac
> !
> crypto map cm-cryptomap 1 ipsec-isakmp
>  set peer ip.of.the.m0n0
>  set transform-set vpn-albany
>  set pfs group2
>  match address ALBANY-VPN
> !
> interface Dialer0
>  crypto map cm-cryptomap
> ! (There is more to Dialer0 but I have edited it out as it is not relevant)
> !
> ip access-list extended ALBANY-VPN
>  permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
>  permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
>  deny ip any any
> ip access-list extended NO-NAT
>  remark Traffic to NAT
>  deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
>  permit ip 192.168.3.0 0.0.0.255 any
> !
>
> Thanks,
>
> -Scott
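
Added example, not part of the original thread and not code from either poster: a small check that every permit entry in a crypto ACL follows the "permit <protocol> <local network> <remote network>" shape described in the reply, run here over the ALBANY-VPN list as posted. The function names and finding strings are hypothetical, and only contiguous wildcard masks are handled.

```python
import ipaddress
import re

# Constructed sample: the ALBANY-VPN crypto ACL as posted for the Kumeu router.
POSTED_ACL = """\
ip access-list extended ALBANY-VPN
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny ip any any
"""

# Matches "permit|deny <protocol> <rest>"; ACL headers and remarks do not match.
ENTRY = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.+)$")


def take_network(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from tokens."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = ipaddress.IPv4Address(tokens.pop(0))
    # A wildcard mask is an inverted netmask; non-contiguous masks raise ValueError.
    netmask = ipaddress.IPv4Address(int(wildcard) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{head}/{netmask}", strict=False)


def check_crypto_acl(acl_text, local_lan, remote_lan):
    """Return (entry, finding) for permit entries not written local -> remote."""
    local = ipaddress.ip_network(local_lan)
    remote = ipaddress.ip_network(remote_lan)
    findings = []
    for line in acl_text.splitlines():
        m = ENTRY.match(line)
        if not m or m.group(1) != "permit":
            continue
        tokens = m.group(3).split()
        src, dst = take_network(tokens), take_network(tokens)
        if src.subnet_of(local) and dst.subnet_of(remote):
            continue  # the shape the reply describes: local network, then remote
        if src.subnet_of(remote) and dst.subnet_of(local):
            findings.append((line.strip(), "mirrored: remote -> local"))
        else:
            findings.append((line.strip(), "outside local -> remote"))
    return findings


if __name__ == "__main__":
    for entry, finding in check_crypto_acl(POSTED_ACL, "192.168.3.0/24", "192.168.1.0/24"):
        print(f"{finding}: {entry}")
```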