Thread: M0n0wall WTF. You are too awesome.

  1. #1
    Senior Member
    Join Date
    Mar 2005
    Posts
    4,935
    Thanks
    171
    Thanked
    384 times in 311 posts
    • badass's system
      • Motherboard:
      • ASUS P8Z77-m pro
      • CPU:
      • Core i5 3570K
      • Memory:
      • 32GB
      • Storage:
      • 1TB Samsung 850 EVO, 2TB WD Green
      • Graphics card(s):
      • Radeon RX 580
      • PSU:
      • Corsair HX520W
      • Case:
      • Silverstone SG02-F
      • Operating System:
      • Windows 10 X64
      • Monitor(s):
      • Del U2311, LG226WTQ
      • Internet:
      • 80/20 FTTC

    M0n0wall WTF. You are too awesome.

    I had an IPSEC tunnel set up between 2 Draytek 2820s - one was mine and supplied by work and the other is to my parents' house.
    It worked well for ages.
    I've left that old job so had to hand back the router and have signed up with Virgin Media's 30 Mbit service.
    The superhub is a piece of junk unsurprisingly designed for people that don't do computers.
    So I set up a VM on my HP microserver with the M0n0wall VM image.
    I am not using the Superhub in bridge mode so I have a slightly odd setup where the superhub has an internal IP address in one private range and the rest of the network connects via the m0n0wall LAN port. The m0n0wall WAN IP address is specified as the DMZ host.

    So I go to set up a NAT-T IPSEC tunnel using AES/SHA1 between the Draytek and m0n0wall.

    These things never go smoothly when you are setting up tunnels between different vendors' kit.

    So, how many attempts did it take?









    One

    I quite loudly said WHAT? when I saw the connection come up. I didn't believe it could work but sure enough I'm accessing resources both ways.


    Well done m0n0wall.

    I'm putting you next to Veeam in my "extremely rare properly made pieces of software" place.
    Last edited by badass; 08-07-2012 at 10:26 PM. Reason: Misleading title.
    "In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."

  2. #2
    Senior Member
    Join Date
    Mar 2005
    Posts
    4,935
    Thanks
    171
    Thanked
    384 times in 311 posts
    • badass's system

    Re: M0n0wall WTF. You are too awesome.

    I spoke too soon.
    Tunnels initiated from m0n0wall fail at phase 1 negotiation. They only work initiated from the Draytek. I cannot specify the details in the Draytek settings for the dial in. Oh well. It's just another story of stuff that should work together but requires endless hours of ****ing around to get it working. Yay!

  3. #3
    <<== UT3 Player spoon_'s Avatar
    Join Date
    Nov 2008
    Location
    London
    Posts
    2,071
    Thanks
    113
    Thanked
    139 times in 131 posts

    Re: M0n0wall WTF. You are too awesome.

    I'm in the same boat as you mate, have three ZyXeL 5s deployed between my parents' house, friend of mine and myself but now got ASA 5505 to replace one of the devices. Phase 1 fails big time and I have been sitting on it for quite some time... Oh well as you said!

  4. #4
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    385 times in 314 posts

    Re: M0n0wall WTF. You are too awesome.

    Oh the joys of VPN tunneling - takes me back a while.
    Don't suppose there is resource at your folks' to set up another VM to host a m0n0wall endpoint?

    Have you had a look at Untangle?

    Veeam doesn't do VPN appliances, but if we did, they'd be simple to use and nice and reliable
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  5. #5
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: M0n0wall WTF. You are too awesome.

    After a while of messing about with the traditional VPN protocols, I ended up switching to OpenVPN. No, it isn't supported by m0n0wall or a large number of devices but it's far superior if you can use it IMO, I just need to have a server running on the LAN + forward ports through m0n0.

  6. #6
    <<== UT3 Player spoon_'s Avatar
    Join Date
    Nov 2008
    Location
    London
    Posts
    2,071
    Thanks
    113
    Thanked
    139 times in 131 posts

    Re: M0n0wall WTF. You are too awesome.

    Originally Posted by watercooled:
    I just need to have a server running on the LAN + forward ports through m0n0.
    ...but what's the point of terminating VPN traffic on your LAN?

  7. #7
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: M0n0wall WTF. You are too awesome.

    When I'm outside of the LAN maybe?

  8. #8
    Senior Member
    Join Date
    Mar 2005
    Posts
    4,935
    Thanks
    171
    Thanked
    384 times in 311 posts
    • badass's system

    Re: M0n0wall WTF. You are too awesome.

    It seems to be working for the past 30-ish hours now. Can't remember what I did but it may have had something to do with mismatched key lifetimes.
