Here is what I have tried without success:

1) Assigned 10.1.2.<snip>/32 as a secondary IP on the LAN interface.
2) Set up the tunnel per the far end's parameters. (Does not come up - no SAs.)
3) Enabled Advanced Outbound NAT with the following rules:

   Interface: WAN
   Source: 192.168.100.0/24 (LAN subnet)
   Destination: any
   Target: (blank)
   Portmap: "Disable port mapping" not checked
   Description: CFC -> any

   Interface: WAN
   Source: 172.16.100.0/24 (OPT subnet)
   Destination: any
   Target: (blank)
   Portmap: "Disable port mapping" not checked
   Description: OPT -> any

   Interface: WAN
   Source: 192.168.100.x/32 (server address)
   Destination: 192.<snip>/24 (remote subnet)
   Target: 10.1.2.<snip>
   Portmap: "Disable port mapping" IS checked
   Description: CFC -> <remote company>

Any ideas?

_________________________________
James W. McKeand

-----Original Message-----
From: James McKeand [mailto:james at mckeand dot biz]
Sent: Monday, January 17, 2011 5:04 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] m0n0wall to Cisco ASA 5505 IPSec VPN

I am trying to set up a VPN from a site with a 1.3 m0n0wall on a Soekris 4801 to a site with a Cisco ASA 5505. I have no control over the Cisco. I have been supplied the following parameters by the other end:

Remote Peer IP: 66.<snip>
Remote Network: 192.<snip>/24 (255.255.255.0)
Your Local Network: 10.1.2.<snip>/32 (255.255.255.255)

Phase 1
Negotiation Mode: Main
Authentication: Pre-Shared
Encryption: 3DES
Hash: SHA
DH: 1
Lifetime: 86400 sec
Pre-shared Key: <snip>

Phase 2
ESP encryption: 3DES
ESP authentication: SHA
Lifetime: 28800
PFS: Disabled

The instructions from the other end state that I will need to make an IPSec ACL from 10.1.2.<snip>/32 to the remote network 192.<snip>/24, and I will need to NAT interesting traffic to 10.1.2.<snip>/32 (255.255.255.255). My problem is that 10.1.2.<snip>/32 does not exist on my network. Our local subnet is 192.168.100.0/24.

It sounds like I need to make traffic coming from our server (192.168.100.x) destined for their subnet (192.something, not 168.100.0/24) look like it is coming from 10.1.2.<snip>/32. I would guess that Advanced Outbound NAT is what is needed. But I cannot get the tunnel up with a local endpoint of 10.1.2.<snip>/32. I am quite sure that if I had an ASA I could do this (if I knew what I was doing on an ASA). Can this be done on a m0n0wall? If not m0n0wall, can pfSense do this?

_________________________________
James W. McKeand
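The setup the far end is asking for is "policy NAT before the IPsec selector match": the server's packets must be rewritten to the 10.1.2.x/32 address before the phase 2 selector (10.1.2.x/32 to 192.x/24) is consulted, and the 1:1 rule must win over the catch-all LAN masquerade rule. The following Python model, added here as an illustration and not taken from the thread, m0n0wall, pfSense or the ASA, shows those two ordering requirements. Every address in it is a constructed placeholder, because the real ones are snipped above: 10.1.2.10 stands in for 10.1.2.<snip>, 192.0.2.0/24 for the remote 192.<snip>/24 network, 203.0.113.5 for the m0n0wall WAN address, and 192.168.100.20 for the server.

```python
"""Model of policy NAT evaluated in front of an IPsec SPD lookup.

Added example for the thread above; not m0n0wall, pfSense or ASA code.
All addresses are constructed placeholders (documentation ranges), since the
real ones are snipped in the original message.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    src: IPv4Network              # match packets from this source
    dst: IPv4Network              # ... headed to this destination
    target: Optional[IPv4Address]  # rewrite source to this; None = WAN address
    static: bool = False          # True: 1:1 mapping ("Disable port mapping" checked)


@dataclass(frozen=True)
class SpdEntry:
    local: IPv4Network            # phase 2 local selector
    remote: IPv4Network           # phase 2 remote selector


WAN_ADDRESS = ip_address("203.0.113.5")   # placeholder for the m0n0wall WAN IP
SERVER = ip_address("192.168.100.20")     # placeholder for 192.168.100.x
TRANSLATED = ip_address("10.1.2.10")      # placeholder for 10.1.2.<snip>
REMOTE_NET = ip_network("192.0.2.0/24")   # placeholder for 192.<snip>/24
LAN_NET = ip_network("192.168.100.0/24")
ANY = ip_network("0.0.0.0/0")

# Specific 1:1 rule first, catch-all LAN masquerade second.
NAT_RULES: List[NatRule] = [
    NatRule(ip_network(f"{SERVER}/32"), REMOTE_NET, TRANSLATED, static=True),
    NatRule(LAN_NET, ANY, None),
]

# Phase 2 selector the far end expects: 10.1.2.<snip>/32 <-> 192.<snip>/24
SPD: List[SpdEntry] = [SpdEntry(ip_network(f"{TRANSLATED}/32"), REMOTE_NET)]


def apply_nat(src: IPv4Address, dst: IPv4Address, rules: List[NatRule]) -> IPv4Address:
    """Return the post-NAT source address; the first matching rule wins."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.target if rule.target is not None else WAN_ADDRESS
    return src


def spd_match(src: IPv4Address, dst: IPv4Address, spd: List[SpdEntry]) -> Optional[SpdEntry]:
    """Return the SPD entry whose selectors cover the packet, if any."""
    for entry in spd:
        if src in entry.local and dst in entry.remote:
            return entry
    return None


def interesting(src: str, dst: str, nat_first: bool = True,
                catchall_first: bool = False) -> Tuple[str, bool]:
    """Simulate one outbound packet.

    Returns (source address seen by the SPD, True if it would enter the tunnel).
    nat_first=False models NAT applied after the SPD lookup; catchall_first=True
    models the LAN masquerade rule listed above the 1:1 rule.
    """
    s, d = ip_address(src), ip_address(dst)
    rules = list(reversed(NAT_RULES)) if catchall_first else NAT_RULES
    if nat_first:
        s = apply_nat(s, d, rules)
    return str(s), spd_match(s, d, SPD) is not None


if __name__ == "__main__":
    print(interesting("192.168.100.20", "192.0.2.7"))                      # ('10.1.2.10', True)
    print(interesting("192.168.100.20", "192.0.2.7", nat_first=False))     # ('192.168.100.20', False)
    print(interesting("192.168.100.20", "192.0.2.7", catchall_first=True)) # ('203.0.113.5', False)
    print(interesting("192.168.100.30", "192.0.2.7"))                      # ('203.0.113.5', False)
```

Two things the model makes visible: only the server's packets to the remote /24 ever match the 10.1.2.x/32 selector (other LAN hosts are masqueraded behind the WAN address and are simply not "interesting"), and if the catch-all LAN rule sits above the 1:1 rule the server is masqueraded too and never enters the tunnel. The model says nothing about phase 1, though: a tunnel that shows no SAs at all has not completed IKE, which depends on the peer address, pre-shared key and proposal (3DES/SHA/DH group 1 here), not on the NAT rules, so the IKE daemon's log is the place to look before touching NAT.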