
IPSec Tunnel between WRV200 and WRV54G

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Frosty99, Nov 7, 2006.

  1. Frosty99

    Frosty99 Network Guru Member

    I am trying to create an IPSEC tunnel between these two devices, and I keep getting this in the WRV200 log:

    000 Plutorun started on Fri Oct 20 20:37:52 EST 2006
    001 [Fri 20:37:53] Starting Pluto (Openswan Version 2.4.5dr3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEr\134[u@aflB_)
    002 [Fri 20:37:53] Setting NAT-Traversal port-4500 floating to off
    003 [Fri 20:37:53] port floating activation criteria nat_t=0/port_fload=1
    004 [Fri 20:37:53] including NAT-Traversal patch (Version 0.6c) [disabled]
    005 [Fri 20:37:53] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    006 [Fri 20:37:53] starting up 1 cryptographic helpers
    007 [Fri 20:37:53] started helper pid=5245 (fd:4)
    008 [Fri 20:37:53] Using KLIPS IPsec interface code on 2.4.26-uc0
    009 [Fri 20:37:54] Changing to directory '/etc/ipsec.d/cacerts'
    010 [Fri 20:37:54] Changing to directory '/etc/ipsec.d/aacerts'
    011 [Fri 20:37:54] Changing to directory '/etc/ipsec.d/ocspcerts'
    012 [Fri 20:37:54] Changing to directory '/etc/ipsec.d/crls'
    013 [Fri 20:37:54] Warning: empty directory
    014 [Fri 20:38:08] listening for IKE messages
    015 [Fri 20:38:08] adding interface ipsec0/eth0 <my IP>:500
    016 [Fri 20:38:08] loading secrets from "/etc/ipsec.secrets"
    017 [Fri 20:38:08] ERROR "/etc/ipsec.secrets" line 2: index "XXX.dyndns.org" does not look numeric and name lookup failed
    018 [Fri 20:38:17] packet from <friend's IP>:500: initial Main Mode message received on <my IP>:500 but no connection has been authorized
    019 [Fri 20:38:37] packet from <friend's IP>:500: initial Main Mode message received on <my IP>:500 but no connection has been authorized

    I have the remote secure gateway set for my friend's dyndns address. What is that ipsec.secrets line about?

    Has anyone had any luck with IPSEC tunnels between the 200 and the 54G?

  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    I run tunnels between the two all of the time :) First thing to do is to use a stable firmware set for both, so "I personally" suggest 1.0.21 for your WRV200 and 2.37.13 for your WRV54G. Now, here's the "straight shizell" on getting connected:

    - Make sure IPSEC is enabled
    - Make sure the tunnel is enabled

    Of course, there's the settings:

    Router #1 (WRV54G)

    Local Secure Group:
    Setting: Subnet

    Remote Secure Group:
    Setting: Subnet

    Remote Secure Gateway: (WAN IP of WRV200)
    Setting: IP Address

    Router #2 (WRV200)

    Local Secure Group:
    Setting: Subnet

    Remote Secure Group:
    Setting: Subnet

    Remote Secure Gateway: (WAN IP of WRV54G)
    Setting: IP Address

    Make sure to "always" put your routers on "different" subnets (as shown above); otherwise the router will think it's trying to connect to its own local LAN and drop the connection request. Oh, and use another logging tool (Wall Watcher is an excellent choice).

    From here on out, make sure whatever settings you choose for encryption, algorithm, PFS and key lifetime settings match.

    This is just a "basic" illustration of how to connect your tunnels together; once you get this down solid, then you can get "fancy" with it.

    Additionally, here's a tutorial I put together on making "site-to-site" connections with SOHO routers:


    I've always felt it's easier to learn it if you can see it...

  3. Frosty99

    Frosty99 Network Guru Member

    I am running 1.0.23 on the WRV200 and 2.38.6 on the WRV54G. Kosher?

    In the video, you show the local and remote secure group IPs as the router's IP addresses (ex. but in the directions in your reply shows (which is how I have mine set). Which to use?

    I am using FQDN's for both Remote Secure Gateways. My ISP is cable and the other site is on DSL... both are not static IPs so I figured FQDNs would allow me to connect even if the IPs changed. Kosher?

    When you say IPSEC enabled, is that the passthrough setting enabled? If so, it is.

    The log I had stated the IPSEC Secrets didn't recognize the DDNS FQDN. Any thoughts on that?

    Also... I am seeing that the remote management interface of my WRV200 isn't working. I am at work now, but I've had other friends check it as well. Seems no one can access the interface for my router. Is that an issue with 1.0.23?

  4. DocLarge

    DocLarge Super Moderator Staff Member Member

    The firmware versions you have are fine; I stated 1.0.21 and 2.37.13 due to proven stability, but as long as they connect, that's all that matters in the short term.

    Regarding the directions I gave you, those were just examples to follow; the main thing is that if one of your networks is, the other one needs to be "anything else" (i.e., other than

    Generally speaking, your non-static IPs will hold on your modems as long as you don't clone new MAC IDs, power the unit off for a significant period of time or switch them out. When Toxic and I test VPN connections with our routers (WRV200's, my WRV54G/SMCBR18VPN, his RVL200/RV042) we generally have no problems connecting even though I'm on ADSL static and he has DHCP cable (modem). Yes, ideally it's good to have static, but hey, you have to work with what you have. I would suggest trying to connect as I'd previously mentioned to see if that will make a difference. At this juncture, you know what doesn't work; try something different :) If connecting via FQDNs hasn't worked, that should be your signal the FQDN on one or both routers isn't functioning; it could be firmware or configuration, but for the time being, take a different approach and come back to that problem at a later point in time. Trust me, the problem will still be there...

    We've seen consistent issues with the webgui not responding to requests across the internet throughout all versions of the WRV200 firmware...

    As stated by the developers, the webgui management interface will not work if "DOS prevention" is enabled, therefore it's suggested to turn it off. Just in case you're wondering, turning it off "will not" disable your firewall. I kinda dislike the fact the firewall can't be configured, much less be turned on and off, but for the features that come with the WRV200, I personally can live with it :)

    So, in short, try using the "subnet" option with ip addresses for both routers and see if there is any difference.

  5. Frosty99

    Frosty99 Network Guru Member

    Ok I'll try that ASAP tonight.

    1) My local & remote secure groups are both on "subnet" with my end being and the other end ( -Should be ok there.

    2) I'll change the Secure Remote Gateways on both ends to the WAN IPs. -Any idea why FQDNs wouldn't work? It worked with 2 WRV54Gs when I was in Turkey.

    3) I'll kill the "DOS prevention" option and retest the webgui.

    I guess now I wait for 1.0.24...

    Thanks for the help Jay!

  6. ifican

    ifican Network Guru Member

    Yes, initially your issue was that you had the Remote Secure Gateway on the WRV200 set to FQDN instead of IP address. Now, as far as the remote webgui, in my experience I have not had an issue leaving DoS prevention enabled, but what I have noticed is the router will just get hung up for no reason every once in a while and you have to hard reboot to get it working correctly again. Now, it never really stops working; it still forwards traffic and acts like a router, but the webgui and the IPsec tunnels seem to stop.
  7. Frosty99

    Frosty99 Network Guru Member

    When you say hard reboot, do you mean power cycle it? Or use the reset pushbutton on the back?

  8. cactusfazer

    cactusfazer Network Guru Member

    Make sure you have 1.0.23ETSI or 1.0.24US, because there are some problems with DynDNS on the previous version.
  9. Frosty99

    Frosty99 Network Guru Member

    I just downloaded 1.0.24 and I'll be installing it tonight. Thanks!

    BTW... do you copy your config, and restore it after the upgrade? Or hand program each setting after upgrading?

  10. Frosty99

    Frosty99 Network Guru Member

    I have the tunnel up and running on FQDN. I am still having issues with the webgui.
  11. ifican

    ifican Network Guru Member

    When I say hard reboot, just a power cycle will do. And in that regard, it is recommended that you back up everything; for me, I never do and just upgrade with no issues, however I do not recommend anyone doing that unless they don't mind rebuilding their config from scratch if something goes wrong. Let us know how it goes and if you get the tunnel up. Also, if you would like to test, contact me offline and I will help you build a tunnel from you to me so you can better understand how it works and what you should be seeing.
  12. Frosty99

    Frosty99 Network Guru Member

    ifican -

    Thanks mate. I got the tunnel going. Any ideas about the web gui?

  13. ifican

    ifican Network Guru Member

    Unfortunately no, I don't see that issue, except when it just locks up but still works, usually after about 2 weeks or so, but I currently run 2 IPsec tunnels and occasionally QuickVPN in, so I would expect that it would hang up now and then. When I do notice, I reboot when I get home and all is fine again. I will find out how .24 works over the next couple of weeks.

    What settings do you have in regards to remote management? I currently have local LAN access set to just HTTP, but HTTPS and remote management enabled for any IP on the port I have chosen for connecting from the outside.
  14. Frosty99

    Frosty99 Network Guru Member

    Remote Management: Enabled
    Use Https: Enabled
    Allow any IP: Enabled
    Port: 443
  15. ifican

    ifican Network Guru Member

    Try a different port, I have had lots of issues getting anything to work correctly sitting on port 443.
  16. Frosty99

    Frosty99 Network Guru Member

    I tried killing HTTPS entirely and I still can't access it. I just get a "page not found" error.

    I wanted to use 443 because that's the only port I can use from my office to check the status of my router at home.
  17. ifican

    ifican Network Guru Member

    What do you mean you killed HTTPS completely? If you mean you shut it off and are just trying HTTP, most ISPs block inbound port 80, so that's most likely not going to work. I just sent you a PM (private message); check your box and give that a try, let me know how that works out and we can move forward from that point.
  18. HughR

    HughR LI Guru Member

    Openswan stores secrets (preshared secrets, private RSA keys) in the file /etc/ipsec.secrets
    The webgui is surely setting this file up.

    You used a domain name for referencing your friend's system. When ipsec.secrets was loaded by Pluto (the keying daemon), the domain name could not be resolved. I cannot tell from this log why it could not be resolved.

    You should be able to find a man page ipsec.secrets(5) in the GPLed source code.
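Added example, not code from the thread, from Linksys or from Openswan: a small Python checker that applies the two rules DocLarge gives in post 2 (the two LANs on different subnets with mirrored secure groups, and matching encryption/authentication/PFS/lifetime on both ends), and that re-creates the load-time index check HughR describes for ipsec.secrets, producing the same "does not look numeric and name lookup failed" text seen in the WRV200 log. All subnets, WAN addresses, hostnames and the PSK below are constructed, and `resolve` is an injected stand-in for DNS so the script runs offline.

```python
"""Added example (not from the thread, Linksys or Openswan): check a pair of
site-to-site tunnel definitions against the rules given in the posts above,
and re-create Pluto's ipsec.secrets index check. All data is constructed."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Constructed sample tunnel definitions, one per router, mirroring the
# Local/Remote Secure Group and Remote Secure Gateway fields in the GUI.
WRV54G: Dict[str, object] = {
    "local_subnet": "192.168.1.0/24",
    "remote_subnet": "192.168.2.0/24",
    "remote_gateway": "198.51.100.20",   # WAN IP of the WRV200 (assumed)
    "encryption": "aes128", "auth": "sha1", "pfs": True, "lifetime": 3600,
}
WRV200: Dict[str, object] = {
    "local_subnet": "192.168.2.0/24",
    "remote_subnet": "192.168.1.0/24",
    "remote_gateway": "203.0.113.10",    # WAN IP of the WRV54G (assumed)
    "encryption": "aes128", "auth": "sha1", "pfs": True, "lifetime": 3600,
}

PROPOSAL_FIELDS = ("encryption", "auth", "pfs", "lifetime")


def check_tunnel_pair(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Return a list of mismatches between the two ends; [] means consistent."""
    problems: List[str] = []
    la = ipaddress.ip_network(str(a["local_subnet"]))
    ra = ipaddress.ip_network(str(a["remote_subnet"]))
    lb = ipaddress.ip_network(str(b["local_subnet"]))
    rb = ipaddress.ip_network(str(b["remote_subnet"]))
    # Rule 1: the two LANs must not overlap, or a router treats the peer's
    # network as its own local LAN and never sends traffic into the tunnel.
    if la.overlaps(lb):
        problems.append(f"local subnets overlap: {la} vs {lb}")
    # Rule 2: each side's Remote Secure Group is the other's Local Secure Group.
    if ra != lb:
        problems.append(f"side A remote group {ra} != side B local subnet {lb}")
    if rb != la:
        problems.append(f"side B remote group {rb} != side A local subnet {la}")
    # Rule 3: encryption, authentication, PFS and key lifetime must match.
    for field in PROPOSAL_FIELDS:
        if a[field] != b[field]:
            problems.append(f"{field} mismatch: {a[field]} vs {b[field]}")
    return problems


# Openswan-style PSK line: one or more indices, a colon, then PSK "secret".
SECRET_LINE = re.compile(r'^\s*(?P<indices>[^:]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def check_secrets_line(line: str, resolve: Callable[[str], Optional[str]]) -> List[str]:
    """Re-create the check Pluto applies to each index when loading a PSK line.

    An index must be %any, an IP literal, or a hostname that resolves at load
    time; `resolve` returns an address string or None and stands in for DNS.
    """
    m = SECRET_LINE.match(line)
    if not m:
        return [f"unparseable secrets line: {line!r}"]
    errors: List[str] = []
    for idx in m.group("indices").split():
        if idx == "%any":
            continue
        try:
            ipaddress.ip_address(idx)   # numeric index: always acceptable
            continue
        except ValueError:
            pass
        if resolve(idx) is None:        # hostname index: must resolve now
            errors.append(f'index "{idx}" does not look numeric and name lookup failed')
    return errors


def no_dns(_name: str) -> Optional[str]:
    """Resolver stub that fails every lookup, as happened in the posted log."""
    return None


if __name__ == "__main__":
    print("tunnel pair:", check_tunnel_pair(WRV54G, WRV200) or "OK")
    for sample in ('friend.dyndns.org %any : PSK "constructed-psk"',
                   '198.51.100.20 %any : PSK "constructed-psk"'):
        print(sample, "->", check_secrets_line(sample, no_dns) or "OK")
```

The secrets check shows why switching the Remote Secure Gateway from an FQDN to the peer's WAN IP made the tunnel come up: a numeric index is accepted without any lookup, whereas a DynDNS name is only usable if the router can resolve it at the moment the file is loaded.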
  19. cactusfazer

    cactusfazer Network Guru Member

    IPsec works well between my WRV200 (endpoint) and my WRV54G. If you want, I can send you screens of my configuration.
