OK, I seem to be missing something here. I'm trying to set up an IPsec tunnel between a m0n0wall and a Cisco 871 router. The tunnel negotiates and comes up fine, except that I can't get traffic from one side to the other.
192.168.14.0/24 is the Cisco local LAN, 172.16.0.0/16 is the m0n0wall local LAN. I'm sure it's something silly, but I'm not a VPN guy, so I need some help here....Thanks!
Here's the m0n0wall config:
Mode: Tunnel
Interface: WAN
Local subnet: Type LAN subnet
Remote subnet: 192.168.14.0/24
Remote gateway: ==============

Phase 1 proposal
Negotiation mode: main
My identifier: Domain name
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 2
Lifetime: 86400 seconds
Authentication method: Pre-shared key
Pre-Shared Key: ==============
Certificate: (empty)
Key: (empty)
Peer certificate: (empty)

Phase 2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithms: 3DES
PFS key group: 2
Lifetime: 86400 seconds
And the appropriate Cisco config:
version 12.3
ip inspect name MYFW tcp
ip inspect name MYFW udp
crypto logging session
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ========== address ==============
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set m0n0wall esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer ==============
 set transform-set m0n0wall
 set pfs group2
 match address Crypto-list
!
interface FastEthernet4
 ip address dhcp
 ip access-group Internet-inbound-ACL in
 ip inspect MYFW out
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN-Map-1
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended Crypto-list
 permit ip 192.168.14.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 192.168.14.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
 remark SDM_ACL Category=17
 permit ip 192.168.14.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 192.168.14.0 0.0.0.255
 permit udp host 70.241.192.118 any eq non500-isakmp
 permit ahp host 70.241.192.118 any
 remark Auto generated by SDM for NTP (123) 207.188.193.108
 permit udp host 207.188.193.108 eq ntp any eq ntp
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 permit udp host ============== any eq isakmp
 permit esp host ============== any
!
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 192.168.14.0 0.0.0.255 host 192.168.14.1 eq 22
access-list 100 permit tcp 192.168.14.0 0.0.0.255 host 192.168.14.1 eq 443
access-list 100 permit tcp 192.168.14.0 0.0.0.255 host 192.168.14.1 eq cmd
access-list 100 deny tcp any host 192.168.14.1 eq telnet
access-list 100 deny tcp any host 192.168.14.1 eq 22
access-list 100 deny tcp any host 192.168.14.1 eq www
access-list 100 deny tcp any host 192.168.14.1 eq 443
access-list 100 deny tcp any host 192.168.14.1 eq cmd
access-list 100 deny udp any host 192.168.14.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.14.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip 172.16.0.0 0.0.255.255 192.168.14.0 0.0.0.255
access-list 102 deny ip 192.168.14.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 any
access-list 102 permit ip 192.168.14.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 102
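A consistency check for this kind of site-to-site policy, added here as an example and not part of the original post or of either vendor's tooling. When a tunnel negotiates but carries no traffic, the usual suspects are the traffic selectors (the Cisco crypto ACL must be the mirror image of the m0n0wall local/remote subnet pair) and the NAT exemption (the route-map ACL must deny the tunnelled flow before the overload rule translates it). The script below parses the Cisco-style ACL lines from the post (address/wildcard, `host` and `any` endpoints, `ip` entries only; this limited parser is my own) and reports any crypto-ACL flow that is not mirrored on the m0n0wall side, that is not NAT-exempt, or whose source is outside the router's LAN (it is assumed here, as IOS documents, that inbound traffic is evaluated against the mirror of the outbound crypto ACL entries, so such an entry is not needed on this peer). The sample data is copied from the post's configuration.

```python
"""Added example (not from the post): mirror / NAT-exemption check for a
site-to-site IPsec policy between a Cisco router and an m0n0wall box."""
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address + wildcard mask (e.g. 0.0.0.255) to a network."""
    inverted = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def _take_endpoint(tokens):
    """Consume one ACL endpoint (any | host A | A WILDCARD) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acl(text):
    """Return [(action, src_net, dst_net)] for each 'permit ip' / 'deny ip' line.

    Accepts both numbered ('access-list 102 deny ip ...') and named
    (' permit ip ...') forms; remarks and non-IP entries are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in ("permit", "deny"):
                tokens = tokens[i:]
                break
        else:
            continue  # no permit/deny keyword: remark or unrelated line
        if len(tokens) < 4 or tokens[1] != "ip":
            continue
        rest = tokens[2:]
        src = _take_endpoint(rest)
        dst = _take_endpoint(rest)
        entries.append((tokens[0], src, dst))
    return entries


def nat_exempt(src, dst, nat_entries):
    """First-match ACL semantics: the flow is exempt if the first matching
    entry is a deny, or if nothing matches (the route-map never selects it)."""
    for action, s, d in nat_entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action == "deny"
    return True


def check_policy(crypto_acl, nat_acl, lan_subnets, m0n0_local, m0n0_remote):
    """Return a list of human-readable findings; an empty list means consistent."""
    lans = [ipaddress.IPv4Network(n) for n in lan_subnets]
    m0n0_local = ipaddress.IPv4Network(m0n0_local)
    m0n0_remote = ipaddress.IPv4Network(m0n0_remote)
    nat_entries = parse_acl(nat_acl)
    findings = []
    for action, src, dst in parse_acl(crypto_acl):
        if action != "permit":
            continue
        if not any(src.subnet_of(lan) for lan in lans):
            # Assumption: IOS evaluates inbound traffic against the mirror of
            # the outbound entries, so a reverse-direction entry is redundant.
            findings.append(f"crypto ACL {src} -> {dst}: source is outside the local "
                            f"LAN, so this entry is redundant on this peer")
            continue
        if not (src == m0n0_remote and dst == m0n0_local):
            findings.append(f"crypto ACL {src} -> {dst} is not mirrored by the m0n0wall "
                            f"policy local={m0n0_local} remote={m0n0_remote}")
        if not nat_exempt(src, dst, nat_entries):
            findings.append(f"crypto ACL {src} -> {dst} is not exempted from NAT; packets "
                            f"would be translated before they reach the crypto map")
    return findings


# Sample data copied from the post's Cisco and m0n0wall configuration.
CRYPTO_LIST = """
 permit ip 192.168.14.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 192.168.14.0 0.0.0.255
"""
NAT_ACL_102 = """
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip 172.16.0.0 0.0.255.255 192.168.14.0 0.0.0.255
access-list 102 deny ip 192.168.14.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 any
access-list 102 permit ip 192.168.14.0 0.0.0.255 any
"""
CISCO_LANS = ["192.168.14.0/24"]
M0N0_LOCAL = "172.16.0.0/16"      # m0n0wall "Local subnet: LAN subnet"
M0N0_REMOTE = "192.168.14.0/24"   # m0n0wall "Remote subnet"


def run_example():
    """Run the check against the post's configuration."""
    return check_policy(CRYPTO_LIST, NAT_ACL_102, CISCO_LANS, M0N0_LOCAL, M0N0_REMOTE)


if __name__ == "__main__":
    for finding in run_example() or ["policy is consistent"]:
        print(finding)
```

On the post's own values the first Crypto-list entry is mirrored by the m0n0wall local/remote pair and is denied by access-list 102 before the overload rule, so the only finding is the reverse-direction entry; the check is more useful when one side is edited later and the two selectors drift apart.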