Greetings M0n0wall community,
I am trying to establish a VPN tunnel between our m0n0wall box and Cisco PIX. The endpoint host
behind the PIX has a static address and needs to communicate with several servers behind our
m0n0wall. We plan on using this tunnel to authenticate to a Microsoft VPN. This MS VPN server
functions properly, as we are able to connect and authenticate from several home users via m0n0wall.
So why not just use the redirect already in place? Well, the PIX admin needs a higher level of
security and is blocking the TCP/UDP ports required to authenticate. They agreed to allow a
predefined tunnel instead.
Seems simple enough. In the m0n0wall VPN -> IPSec configuration section, I have added an entry
under "tunnels" as follows:
Local Subnet: LAN Subnet
Remote Subnet: [static IP of PC behind PIX] /32
Remote Gateway: [Public IP address for the PIX]
My ID: "IP Address" [m0n0wall public IP address]
DH Key Group: 2 (1024 bit)
Lifetime: 28800 seconds
Pre-shared key: [the password provided by PIX admin]
Hash: MD5 and SHA1
Lifetime: 28800 seconds
So, in a nutshell:
Static IP PC ----- PIX ----- Internet ----- m0n0wall ----- LAN
PIX and M0n0wall ping each other on public IP addresses. (With ICMP enabled in firewall rules).
Traceroute successful to PIX public IP from m0n0wall side clients.
Traceroute timeout to static client behind PIX from m0n0wall side clients.
With the tunnel disabled on the m0n0wall, the trace/ping returns "host unreachable", so the m0n0wall
is choosing the proper path (the tunnel) to try and reach the host behind the PIX.
In the m0n0wall system log, one of the more telling errors is:
racoon: ERROR: isakmp.c:1437:isakmp_ph1resend(): phase1 negotiation failed due to time up.
Where what is assumed to be the key authentication returns null (or does not respond) from the
configuration on the PIX side. I don't have the tunnel details, but I do know that a Cisco engineer
has confirmed that the active PIX OS level is 6.3.3 and GRE is open.
Has anyone completed a tunnel between m0n0wall (1.0) and Cisco PIX?
I'm fairly certain that the problem here is either compatibility (Cisco proprietary mumbo-jumbo) or
the PIX tunnel configuration. If I resolve this issue with the Cisco Engineer, I will attempt to
extract the Cisco configuration and post a follow up.
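A racoon "phase1 negotiation failed due to time up" means the peer never sent an acceptable reply, which is what you see both when the first packet goes unanswered and when the two ends offer no common ISAKMP proposal. The checker below, added here and not part of the original post or of m0n0wall, compares the phase 1 values listed above (DH group 2, MD5 and SHA1, 28800 s, pre-shared key) against a PIX side; the PIX values and the 3DES encryption are constructed assumptions, since the message does not give them.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

@dataclass(frozen=True)
class Phase1Proposal:
    encryption: str   # e.g. "3des" (assumed here; the post does not list it)
    hash_alg: str     # "md5" or "sha1"
    dh_group: int     # 1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit
    auth: str         # "psk" or "rsasig"
    lifetime: int     # seconds

# The two proposals m0n0wall offers per the post: DH group 2, MD5 and SHA1,
# 28800 s, pre-shared key. Encryption assumed to be 3DES.
M0N0WALL = [
    Phase1Proposal("3des", "md5", 2, "psk", 28800),
    Phase1Proposal("3des", "sha1", 2, "psk", 28800),
]
# Constructed PIX side: same hash, but DH group 1 and a 24 h lifetime.
# The group mismatch makes any phase 1 agreement impossible.
PIX_CONSTRUCTED = [Phase1Proposal("3des", "sha1", 1, "psk", 86400)]
# Constructed PIX side after aligning the DH group; only the lifetime differs.
PIX_ALIGNED = [Phase1Proposal("3des", "sha1", 2, "psk", 86400)]

def _differences(a: Phase1Proposal, b: Phase1Proposal) -> List[str]:
    """Names of the attributes that must agree exactly and do not."""
    return [f for f in ("encryption", "hash_alg", "dh_group", "auth")
            if getattr(a, f) != getattr(b, f)]

def find_phase1_match(local: Sequence[Phase1Proposal],
                      remote: Sequence[Phase1Proposal]
                      ) -> Tuple[Optional[Phase1Proposal], List[str]]:
    """Return (first local proposal the remote accepts, notes).

    notes is empty on a clean match, warns when only the SA lifetime differs
    (IKEv1 peers commonly settle on the shorter value), and names the
    differing attributes of the closest pair when nothing matches at all.
    """
    closest: List[str] = []
    for lp in local:
        for rp in remote:
            diffs = _differences(lp, rp)
            if not diffs:
                notes = []
                if lp.lifetime != rp.lifetime:
                    notes.append(f"lifetime differs: {lp.lifetime}s vs "
                                 f"{rp.lifetime}s; the shorter should win")
                return lp, notes
            if not closest or len(diffs) < len(closest):
                closest = diffs
    return None, ["no common phase 1 proposal; closest pair differs in: "
                  + ", ".join(closest)]
```

Run `find_phase1_match(M0N0WALL, PIX_CONSTRUCTED)` to see the DH group flagged as the blocker, and with `PIX_ALIGNED` to see the SHA1 proposal accepted with only a lifetime warning.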