
BEFSX41 VPN <=> RV042

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by aries, Jan 18, 2006.

  1. aries

    aries Network Guru Member

    I am not able to establish a VPN tunnel between BEFSX41 and RV042. The log of BEFSX41 shows the following:
    00:00:03 IKE[1] Tx >> AG_I1 : 216.xxx.xxx.238 SA, KE, Nonce, ID
    00:00:07 IKE[1] Rx << AG_I1 : 216.xxx.xxx.238 SA, KE, NONCE, ID
    00:00:07 IKE[1] ISAKMP SA CKI=[40a35c4a 64920259] CKR=[ace8239e 1e77e92b]
    00:00:07 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
    00:00:07 IKE[1] Tx >> AG_R1 : 216.xxx.xxx.238 SA, KE, Nonce, ID, HASH
    00:00:08 IKE[1] Rx << AG_I1 : 216.xxx.xxx.238 SA, KE, NONCE, ID
    00:00:08 IKE[1] ISAKMP SA CKI=[7de21e16 6d5f8333] CKR=[d7f6f007 87363ee1]
    00:00:08 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
    00:00:08 IKE[1] Tx >> AG_R1 : 216.xxx.xxx.238 SA, KE, Nonce, ID, HASH

    BEFSX41 is on dynamic IP and the settings are as follows:
    Local Security Group: Subnet 192.168.1.0, 255.255.255.0
    Remote Security Group: Subnet 192.168.0.0, 255.255.255.0
    Remote Security Gateway: IP = 216.xxx.xxx.238
    Encryption: DES
    Authentication: MD5
    Key Management: Auto(IKE)
    PFS Enabled
    Pre-shared Key: 1234567
    Key Lifetime: 28800 sec
    Aggressive Mode Enabled
    Keep Alive Enabled

    RV042 is on fixed IP and the settings are as follows:
    Local Security Gateway: IP = 216.xxx.xxx.238
    Local Security Group: Subnet 192.168.0.0, 255.255.255.0
    Remote Security Group: Subnet 192.168.1.0, 255.255.255.0
    Remote Security Gateway: IP + Domain Name FQDN
    IP by DNS Resolved: abc.dyndns.org
    Domain Name: abc.dyndns.org
    Keying Mode: IKE with Pre-shared key
    Phase 1 DH Group: Group 1
    Phase 1 Encryption: DES
    Phase 1 Authentication: MD5
    Phase 1 SA Life Time: 28800 sec
    PFS Enabled
    Pre-shared Key: 1234567
    Phase 2 DH Group: Group 1
    Phase 2 Encryption: DES
    Phase 2 Authentication: MD5
    Phase 2 SA Life Time: 3600 sec
    Aggressive Mode Enabled
    Keep Alive Enabled

    Appreciate if anyone can give me some ideas. Thanks.
     
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    It looks like the preshared keys and the encryption/authentication aren't binding (if I'm reading this right).

    Try setting them both for "main" mode instead of aggressive for starters. Also use a key like testvpnx1234 on both sides, to include using 3DES/SHA1 with a key lifetime of 3600 for starters. Lastly, use DH Group 2 (I use it as a standard).

    Doc

    P.S.,

    you might want to re-edit your post because you've got your business (IP address) out in the open... :)
     
  3. aries

    aries Network Guru Member

    Thanks DocLarge.

    Tried your suggestion and still no success. Wonder if anyone is having the same problem of FQDN with RV042.
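
A way to read the BEFSX41 log from the first post, as an added example that is not part of the original thread: it groups the lines into phase 1 exchanges by cookie pair, checks that each one was answered with AG_R1, and lists the negotiated algorithms that appear in the `WEAK` set. The `WEAK` set and the function names are this example's own assumptions; the log lines are copied from the post.

```python
import re

# Log lines copied from the first post (BEFSX41 side); addresses masked as on the page.
LOG = """\
00:00:03 IKE[1] Tx >> AG_I1 : 216.xxx.xxx.238 SA, KE, Nonce, ID
00:00:07 IKE[1] Rx << AG_I1 : 216.xxx.xxx.238 SA, KE, NONCE, ID
00:00:07 IKE[1] ISAKMP SA CKI=[40a35c4a 64920259] CKR=[ace8239e 1e77e92b]
00:00:07 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
00:00:07 IKE[1] Tx >> AG_R1 : 216.xxx.xxx.238 SA, KE, Nonce, ID, HASH
00:00:08 IKE[1] Rx << AG_I1 : 216.xxx.xxx.238 SA, KE, NONCE, ID
00:00:08 IKE[1] ISAKMP SA CKI=[7de21e16 6d5f8333] CKR=[d7f6f007 87363ee1]
00:00:08 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
00:00:08 IKE[1] Tx >> AG_R1 : 216.xxx.xxx.238 SA, KE, Nonce, ID, HASH
"""

# Assumption: this example's own list of legacy algorithms to flag.
WEAK = {"DES", "MD5", "MODP_768"}

EVENT = re.compile(r"IKE\[\d+\] (Tx >>|Rx <<) (\w+) :")
COOKIES = re.compile(r"ISAKMP SA CKI=\[([0-9a-f ]+)\] CKR=\[([0-9a-f ]+)\]")
PROPOSAL = re.compile(r"ISAKMP SA (\w+) / (\w+) / (\w+) / (\w+)$")

def analyze(log):
    """Return one record per cookie pair seen in the log, in order."""
    exchanges = []
    for line in log.splitlines():
        line = line.strip()
        if m := COOKIES.search(line):
            # A new initiator/responder cookie pair marks a new exchange.
            exchanges.append({"cookies": m.groups(), "proposal": None, "replied": False})
        elif (m := PROPOSAL.search(line)) and exchanges:
            exchanges[-1]["proposal"] = m.groups()
        elif (m := EVENT.search(line)) and exchanges:
            if m.groups() == ("Tx >>", "AG_R1"):
                exchanges[-1]["replied"] = True
    return exchanges

def findings(exchanges):
    """Summarise repeated exchanges and flag algorithms listed in WEAK."""
    out = []
    pairs = {e["cookies"] for e in exchanges}
    if len(pairs) > 1 and all(e["replied"] for e in exchanges):
        out.append(f"peer opened {len(pairs)} exchanges with distinct cookies; "
                   "each was answered with AG_R1")
    used = {a for e in exchanges if e["proposal"] for a in e["proposal"]}
    out += [f"legacy algorithm negotiated: {a}" for a in sorted(used & WEAK)]
    return out

if __name__ == "__main__":
    print("\n".join(findings(analyze(LOG))))
```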
     
