Topic: IPsec: m0n0wall to Cisco 871  (Read 2057 times)
« on: October 03, 2007, 18:27:46 »
jjkrueger *
Posts: 1

OK, I seem to be missing something here.  I'm trying to set up an IPsec tunnel between a m0n0wall and a Cisco 871 router.  The tunnel negotiates and comes up fine, except that I can't get traffic from one side to the other.

192.168.14.0/24 is the Cisco local LAN, 172.16.0.0/16 is the m0n0wall local LAN.  I'm sure it's something silly, but I'm not a VPN guy, so I need some help here....Thanks!

Here's the m0n0wall config:

Mode: Tunnel
Interface: WAN
Local subnet Type: LAN subnet
Remote subnet: 192.168.14.0/24
Remote gateway: ==============

Phase 1 proposal
Negotiation mode: main
My identifier: Domain name
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 2
Lifetime: 86400 seconds
Authentication method: Pre-shared key
Pre-Shared Key: ==============
Certificate: (blank)
Key: (blank)
Peer certificate: (blank)

Phase 2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithms: 3DES
PFS key group: 2
Lifetime: 86400 seconds


And the appropriate Cisco config:

version 12.3
ip inspect name MYFW tcp
ip inspect name MYFW udp
crypto logging session
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ========== address ==============
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set m0n0wall esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer ==============
 set transform-set m0n0wall
 set pfs group2
 match address Crypto-list
!
interface FastEthernet4
 ip address dhcp
 ip access-group Internet-inbound-ACL in
 ip inspect MYFW out
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN-Map-1
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended Crypto-list
 permit ip 192.168.14.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 192.168.14.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
 remark SDM_ACL Category=17
 permit ip 192.168.14.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 172.16.0.0 0.0.255.255 192.168.14.0 0.0.0.255
 permit udp host 70.241.192.118 any eq non500-isakmp
 permit ahp host 70.241.192.118 any
 remark Auto generated by SDM for NTP (123) 207.188.193.108
 permit udp host 207.188.193.108 eq ntp any eq ntp
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 permit udp host ============== any eq isakmp
 permit esp host ============== any
!
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 192.168.14.0 0.0.0.255 host 192.168.14.1 eq 22
access-list 100 permit tcp 192.168.14.0 0.0.0.255 host 192.168.14.1 eq 443
access-list 100 permit tcp 192.168.14.0 0.0.0.255 host 192.168.14.1 eq cmd
access-list 100 deny   tcp any host 192.168.14.1 eq telnet
access-list 100 deny   tcp any host 192.168.14.1 eq 22
access-list 100 deny   tcp any host 192.168.14.1 eq www
access-list 100 deny   tcp any host 192.168.14.1 eq 443
access-list 100 deny   tcp any host 192.168.14.1 eq cmd
access-list 100 deny   udp any host 192.168.14.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.14.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 172.16.0.0 0.0.255.255 192.168.14.0 0.0.0.255
access-list 102 deny   ip 192.168.14.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 any
access-list 102 permit ip 192.168.14.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 102