Greetings M0n0wall community,

I am trying to establish a VPN tunnel between our m0n0wall box and Cisco PIX. The endpoint host behind the PIX has a static address and needs to communicate with several servers behind our m0n0wall. We plan on using this tunnel to authenticate to a Microsoft VPN. This MS VPN server functions properly, as we are able to connect and authenticate from several home users via m0n0wall PPTP redirect.

So why not just use the redirect already in place? Well, the PIX admin needs a higher level of security and is blocking the TCP/UDP ports required to authenticate. They agreed to allow a predefined tunnel instead. Seems simple enough.

In the m0n0wall VPN -> IPSec configuration section, I have added an entry under "tunnels" as follows:

  Interface: WAN
  Local Subnet: LAN Subnet
  Remote Subnet: [static IP of PC behind PIX] /32
  Remote Gateway: [Public IP address for the PIX]

  Phase 1
    Mode: Aggressive
    My ID: "IP Address" [m0n0wall public IP address]
    Encryption: 3DES
    Hash: MD5
    DH Key Group: 2 (1024 bit)
    Lifetime: 28800 seconds
    Pre-shared key: [the password provided by PIX admin]

  Phase 2
    Protocol: ESP
    Encryption: 3DES
    Hash: MD5 and SHA1
    PFS: off
    Lifetime: 28800 seconds

So, in a nutshell:

  Static IP PC ----- PIX ----- Internet ----- m0n0wall ----- LAN

Diagnostics:

- PIX and M0n0wall ping each other on public IP addresses (with ICMP enabled in firewall rules).
- Traceroute successful to PIX public IP from m0n0wall side clients.
- Traceroute timeout to static client behind PIX from m0n0wall side clients.
- With the tunnel disabled on the m0n0wall, the trace/ping returns "host unreachable", so the m0n0wall is choosing the proper path (the tunnel) to try and reach the host behind the PIX.

In the m0n0wall system log, one of the more telling errors is:

  racoon: ERROR: isakmp.c:1437:isakmp_ph1resend(): phase1 negotiation failed due to time up. 5a88426ffe8b7851:0000000000000000

where what is assumed to be the key authentication returns null (or does not respond) from the PIX.

Configuration on the PIX side: I don't have the tunnel details, but I do know that a Cisco engineer has confirmed that the active PIX OS level is 6.3.3 and GRE is open.

Has anyone completed a tunnel between m0n0wall (1.0) and Cisco PIX? I'm fairly certain that the problem here is either compatibility (Cisco proprietary mumbo-jumbo) or the PIX tunnel configuration. If I resolve this issue with the Cisco Engineer, I will attempt to extract the Cisco configuration and post a follow up.

Thanks.

- CRL
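For reference, this is what a peer configuration on the PIX side looks like when its Phase 1 and Phase 2 values are made to mirror the m0n0wall tunnel entry above. It is an added illustration written for this thread, not the poster's or the Cisco engineer's actual configuration; all addresses, object names and the key are placeholders, and the PIX transform set is taken as MD5-HMAC, which is one of the two hashes the m0n0wall entry offers.

```cisco
! Constructed PIX 6.3 site-to-site example matching the m0n0wall tunnel entry.
! Placeholders (not real addresses):
!   203.0.113.1      m0n0wall public (WAN) address
!   192.168.1.0/24   LAN subnet behind the m0n0wall
!   10.10.10.5       static host behind the PIX

! Interesting traffic for the tunnel, also excluded from NAT so the
! inside host keeps its real address when it talks to the m0n0wall LAN
access-list vpn_to_m0n0 permit ip host 10.10.10.5 192.168.1.0 255.255.255.0
nat (inside) 0 access-list vpn_to_m0n0

! Phase 2: ESP, 3DES, MD5-HMAC (PIX carries one hash per transform set;
! the m0n0wall entry offers MD5 and SHA1, so MD5 will match)
crypto ipsec transform-set m0n0_set esp-3des esp-md5-hmac

! Crypto map: peer = m0n0wall WAN, lifetime 28800 s, PFS off (no "set pfs")
crypto map m0n0_map 10 ipsec-isakmp
crypto map m0n0_map 10 match address vpn_to_m0n0
crypto map m0n0_map 10 set peer 203.0.113.1
crypto map m0n0_map 10 set transform-set m0n0_set
crypto map m0n0_map 10 set security-association lifetime seconds 28800
crypto map m0n0_map interface outside

! Decrypted tunnel traffic bypasses the outside interface access-list
sysopt connection permit-ipsec

! Phase 1: pre-shared key, 3DES, MD5, DH group 2, 28800 s, peer identified
! by IP address (matches My ID = "IP Address" on the m0n0wall side).
! ISAKMP must be enabled on the outside interface, and "isakmp am-disable"
! must NOT be present, or the PIX will never answer the aggressive-mode
! request (the symptom of an all-zero responder cookie in the racoon log).
isakmp enable outside
isakmp identity address
isakmp key PLACEHOLDER_PSK address 203.0.113.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
```

Any one of these values differing from the m0n0wall entry (hash, DH group, lifetime, the peer address the key is bound to) is enough to stall Phase 1, so comparing them line by line against the PIX admin's configuration is the quickest check.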