
IPSEC VPN Tunnel Resetting itself between RV042 and WAG54G

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by mmcalis1, Nov 18, 2005.

  1. mmcalis1

    mmcalis1 Network Guru Member

    This has stumped me!

    For yonks I have had a wonderfully stable VPN tunnel running between my Linksys WAG54G Wireless Gateway at home and a Netgear FVS318 at the office.

    Then as my needs have changed I needed dual WAN for the office so I bought a RV042 - now the same VPN tunnel seems to reset itself every minute - almost on the dot - see the log from the WAG54G below:

    START----

    2005-11-17 22:00:21 IKE[1] Rx << Delete ESP_SA : spi = xxxxxxx
    2005-11-17 22:00:21 IKE[1] Tx >> Delete ESP_SA : spi = xxxxxxx
    2005-11-17 22:00:21 IKE[1] Rx << Delete ISAKMP_SA : cookie xxxxxxx xxxxxxx | xxxxxxx xxxxxxx
    2005-11-17 22:00:21 IKE[1] Tx >> Delete ISAKMP_SA : cookie xxxxxxx xxxxxxx | xxxxxxx xxxxxxx
    2005-11-17 22:00:21 IKE[1] Rx << AG_I1 : 82.xx.xx.xxx SA, KE, NONCE, ID, VID
    2005-11-17 22:00:21 IKE[1] ISAKMP SA CKI=[xxxxxxx xxxxxxx] CKR=[xxxxxxx xxxxxxx]
    2005-11-17 22:00:21 IKE[1] ISAKMP SA 3DES / MD5 / PreShared / MODP_768
    2005-11-17 22:00:21 IKE[1] Tx >> AG_R1 : 82.xx.xx.xxx SA, KE, Nonce, ID, HASH
    2005-11-17 22:00:22 IKE[1] Rx << AG_I2 : 82.xx.xx.xxx HASH
    2005-11-17 22:00:23 IKE[1] Rx << QM_I1 : 82.xx.xx.xxx HASH, SA, NONCE, KE, ID, ID
    2005-11-17 22:00:23 IKE[1] Tx >> QM_R1 : 82.xx.xx.xxx HASH, SA, NONCE, KE, ID, ID
    2005-11-17 22:00:24 IKE[1] Rx << QM_I2 : 82.xx.xx.xxx HASH
    2005-11-17 22:00:24 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[xxxxxxx:xxxxxxx]
    2005-11-17 22:00:24 IKE[1] Set up ESP tunnel with 82.xx.xx.xxx Success !
    2005-11-17 22:00:24
    2005-11-17 22:01:13 IKE[1] Rx << Delete ESP_SA : spi = xxxxxxx
    2005-11-17 22:01:13 IKE[1] Tx >> Delete ESP_SA : spi = xxxxxxx
    2005-11-17 22:01:13 IKE[1] Rx << Delete ISAKMP_SA : cookie xxxxxxx xxxxxxx | xxxxxxx xxxxxxx
    2005-11-17 22:01:13 IKE[1] Tx >> Delete ISAKMP_SA : cookie xxxxxxx xxxxxxx | xxxxxxx xxxxxxx
    2005-11-17 22:01:13 IKE[1] Rx << AG_I1 : 82.xx.xx.xxx SA, KE, NONCE, ID, VID
    2005-11-17 22:01:13 IKE[1] ISAKMP SA CKI=[xxxxxxx xxxxxxx] CKR=[xxxxxxx xxxxxxx]
    2005-11-17 22:01:13 IKE[1] ISAKMP SA 3DES / MD5 / PreShared / MODP_768
    2005-11-17 22:01:13 IKE[1] Tx >> AG_R1 : 82.xx.xx.xxx SA, KE, Nonce, ID, HASH
    2005-11-17 22:01:15 IKE[1] Rx << AG_I2 : 82.xx.xx.xxx HASH
    2005-11-17 22:01:15 IKE[1] Rx << QM_I1 : 82.xx.xx.xxx HASH, SA, NONCE, KE, ID, ID
    2005-11-17 22:01:15 IKE[1] Tx >> QM_R1 : 82.xx.xx.xxx HASH, SA, NONCE, KE, ID, ID
    2005-11-17 22:01:16 IKE[1] Rx << QM_I2 : 82.xx.xx.xxx HASH
    2005-11-17 22:01:16 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[xxxxxxx:xxxxxxx]
    2005-11-17 22:01:16 IKE[1] Set up ESP tunnel with 82.xx.xx.xxx Success !
    2005-11-17 22:01:16
    2005-11-17 22:02:05 IKE[1] Rx << Delete ESP_SA : spi = xxxxxxx
    2005-11-17 22:02:05 IKE[1] Tx >> Delete ESP_SA : spi = xxxxxxx
    2005-11-17 22:02:05 IKE[1] Rx << Delete ISAKMP_SA : cookie xxxxxxx xxxxxxx | xxxxxxx xxxxxxx
    2005-11-17 22:02:05 IKE[1] Tx >> Delete ISAKMP_SA : cookie xxxxxxx xxxxxxx | xxxxxxx xxxxxxx
    2005-11-17 22:02:05 IKE[1] Rx << AG_I1 : 82.xx.xx.xxx SA, KE, NONCE, ID, VID
    2005-11-17 22:02:05 IKE[1] ISAKMP SA CKI=[xxxxxxx xxxxxxx] CKR=[xxxxxxx xxxxxxx]
    2005-11-17 22:02:05 IKE[1] ISAKMP SA 3DES / MD5 / PreShared / MODP_768
    2005-11-17 22:02:05 IKE[1] Tx >> AG_R1 : 82.xx.xx.xxx SA, KE, Nonce, ID, HASH
    2005-11-17 22:02:07 IKE[1] Rx << AG_I2 : 82.xx.xx.xxx HASH
    2005-11-17 22:02:07 IKE[1] Rx << QM_I1 : 82.xx.xx.xxx HASH, SA, NONCE, KE, ID, ID
    2005-11-17 22:02:07 IKE[1] Tx >> QM_R1 : 82.xx.xx.xxx HASH, SA, NONCE, KE, ID, ID
    2005-11-17 22:02:23 IKE[1] Rx << QM_I2 : 82.xx.xx.xxx HASH
    2005-11-17 22:02:23 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[xxxxxxx:xxxxxxx]
    2005-11-17 22:02:23 IKE[1] Set up ESP tunnel with 82.xx.xx.xxx Success !
    2005-11-17 22:02:23
    2005-11-17 22:03:12 IKE[1] Rx << Delete ESP_SA : spi = xxxxxxx
    2005-11-17 22:03:12 IKE[1] Tx >> Delete ESP_SA : spi = xxxxxxx
    2005-11-17 22:03:12 IKE[1] Rx << Delete ISAKMP_SA : cookie xxxxxxx xxxxxxx | xxxxxxx xxxxxxx
    2005-11-17 22:03:12 IKE[1] Tx >> Delete ISAKMP_SA : cookie xxxxxxx xxxxxxx | xxxxxxx xxxxxxx
    2005-11-17 22:03:13 IKE[1] Rx << AG_I1 : 82.xx.xx.xxx SA, KE, NONCE, ID, VID
    2005-11-17 22:03:13 IKE[1] ISAKMP SA CKI=[xxxxxxx xxxxxxx] CKR=[xxxxxxx xxxxxxx]
    2005-11-17 22:03:13 IKE[1] ISAKMP SA 3DES / MD5 / PreShared / MODP_768
    2005-11-17 22:03:13 IKE[1] Tx >> AG_R1 : 82.xx.xx.xxx SA, KE, Nonce, ID, HASH
    2005-11-17 22:03:14 IKE[1] Rx << AG_I2 : 82.xx.xx.xxx HASH
    2005-11-17 22:03:14 IKE[1] Rx << QM_I1 : 82.xx.xx.xxx HASH, SA, NONCE, KE, ID, ID
    2005-11-17 22:03:14 IKE[1] Tx >> QM_R1 : 82.xx.xx.xxx HASH, SA, NONCE, KE, ID, ID
    2005-11-17 22:03:16 IKE[1] Rx << QM_I2 : 82.xx.xx.xxx HASH
    2005-11-17 22:03:16 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[xxxxxxx:xxxxxxx]
    2005-11-17 22:03:16 IKE[1] Set up ESP tunnel with 82.xx.xx.xxx Success !
    2005-11-17 22:03:16
    2005-11-17 22:04:04 IKE[1] Rx << Delete ESP_SA : spi = xxxxxxx
    2005-11-17 22:04:04 IKE[1] Tx >> Delete ESP_SA : spi = xxxxxxx
    2005-11-17 22:04:04 IKE[1] Rx << Delete ISAKMP_SA : cookie xxxxxxx xxxxxxx | xxxxxxx xxxxxxx
    2005-11-17 22:04:04 IKE[1] Tx >> Delete ISAKMP_SA : cookie xxxxxxx xxxxxxx | xxxxxxx xxxxxxx
    2005-11-17 22:04:05 IKE[1] Rx << AG_I1 : 82.xx.xx.xxx SA, KE, NONCE, ID, VID
    2005-11-17 22:04:05 IKE[1] ISAKMP SA CKI=[xxxxxxx xxxxxxx] CKR=[xxxxxxx xxxxxxx]
    2005-11-17 22:04:05 IKE[1] ISAKMP SA 3DES / MD5 / PreShared / MODP_768
    2005-11-17 22:04:05 IKE[1] Tx >> AG_R1 : 82.xx.xx.xxx SA, KE, Nonce, ID, HASH
    2005-11-17 22:04:06 IKE[1] Rx << AG_I2 : 82.xx.xx.xxx HASH
    2005-11-17 22:04:06 IKE[1] Rx << QM_I1 : 82.xx.xx.xxx HASH, SA, NONCE, KE, ID, ID
    2005-11-17 22:04:06 IKE[1] Tx >> QM_R1 : 82.xx.xx.xxx HASH, SA, NONCE, KE, ID, ID
    2005-11-17 22:04:07 IKE[1] Rx << QM_I2 : 82.xx.xx.xxx HASH
    2005-11-17 22:04:07 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[xxxxxxx:xxxxxxx]
    2005-11-17 22:04:07 IKE[1] Set up ESP tunnel with 82.xx.xx.xxx Success !
    2005-11-17 22:04:07

    ---END

    When I ping a machine in the office from my home machine I get lovely pings for a minute then a request timeout message that coincides with the Rx << Delete ESP_SA : spi = line in the WAG54G log.

    I can only conclude that the RV042 keeps resetting my VPN tunnel, correct? If so, how can I stop it?

    BTW - The connection is as follows:

    Office----RV042-----DLinkDSL300T-----Internet-------WAG54G----Home

    I have also tried a D-Link 300G+ instead of the DSL300T and that seemed to reduce the 1 minute down to 30secs.

    The fact that it is almost exactly 1 minute intervals must be by design! Is there a setting somewhere?

    I am using IPSEC Gateway to Gateway VPN

    Both Phase 1 and Phase 2 are 3DES/Group 1/MD5

    Basically the settings are default - I have also tried both Main Mode and Aggressive mode.

    I am using Keep-alive at both ends.

    The downside to all this is when I use Remote Desktop - it kindly informs me I have a network problem when this happens!!!

    Both routers have MTU set to Auto.

    Could it be the D-Link DSL modems?

    Please help as I am tearing my hair out!

    M :sadbye:
     
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    Try setting the MTU on both routers to "1350." If your tunnel is resetting like that, you may have "giants" (overly large packets) intermittently clogging the transmission.

    Doc
     
  3. mmcalis1

    mmcalis1 Network Guru Member

    Thanks Doc - I will try that tonight and get back to you.

    M
     
  4. mmcalis1

    mmcalis1 Network Guru Member

    Tried the MTU setting but no luck.

    After that I found some info on this site stating that VPN tunnels get reset if the lease time of your DHCP IP address expires.

    I then found a review of the DLink 300T Modem and one criticism of the modem was that the default setting for lease time on the DHCP server giving the IP address to the RV042 was set to 60 seconds - I changed it to 28800 seconds and it solved it!

    Hurray!
     
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

    Nice one! See if you can get toxic to post that as information to other RV owners.

    Doc
     
  6. TazUk

    TazUk Network Guru Member

    Yeh I've had problems with the older D-Link DSL-300G and Linksys routers. Quite why the default lease time is so short I don't know :thumbdown:
     
  7. prik

    prik Network Guru Member

    I can confirm both the problem and the solution.

    I'm using a RV082 connected to a Speedtouch 510i with DHCP spoofing. The default DHCP lease time was 30 seconds! After increasing it to 86400 seconds, the problem was gone. I still have to try if a DHCP lease time of 0 gives me infinity...
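
Added example (not part of any post in this thread): a small Python check over the WAG54G log format from the first post. It flags ESP SAs deleted long before their negotiated lifetime, reports which side sent the delete, and gives the median period between deletes, which can be compared with timers such as the upstream DHCP lease time. The function name, the 50% threshold and the reading of `Rx <<` as "received from the peer" are assumptions of this example; the sample is abridged from the log above.

```python
import re
from datetime import datetime
from statistics import median

# Abridged from the WAG54G log in the first post (same redactions, fewer lines).
SAMPLE_LOG = """\
2005-11-17 22:00:24 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[xxxxxxx:xxxxxxx]
2005-11-17 22:01:13 IKE[1] Rx << Delete ESP_SA : spi = xxxxxxx
2005-11-17 22:01:13 IKE[1] Tx >> Delete ESP_SA : spi = xxxxxxx
2005-11-17 22:01:16 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[xxxxxxx:xxxxxxx]
2005-11-17 22:02:05 IKE[1] Rx << Delete ESP_SA : spi = xxxxxxx
2005-11-17 22:02:23 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[xxxxxxx:xxxxxxx]
2005-11-17 22:03:12 IKE[1] Rx << Delete ESP_SA : spi = xxxxxxx
2005-11-17 22:03:16 IKE[1] ESP_SA 3DES / MD5 / 3600 sec / SPI=[xxxxxxx:xxxxxxx]
2005-11-17 22:04:04 IKE[1] Rx << Delete ESP_SA : spi = xxxxxxx
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) IKE\[\d+\] (.*)$")
LIFETIME = re.compile(r"^ESP_SA .* / (\d+) sec / ")
DELETE = re.compile(r"^(Rx <<|Tx >>) Delete ESP_SA")

def analyse(log_text, min_fraction=0.5):
    """Return (early_teardowns, median seconds between SA deletes)."""
    early, delete_times = [], []
    up_since = negotiated = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or timestamp-only lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if (lt := LIFETIME.match(msg)):
            up_since, negotiated = ts, int(lt.group(1))
        elif (d := DELETE.match(msg)) and up_since is not None:
            lived = int((ts - up_since).total_seconds())
            origin = "peer" if d.group(1) == "Rx <<" else "local"
            if lived < negotiated * min_fraction:
                early.append({"origin": origin, "lived_s": lived, "negotiated_s": negotiated})
            delete_times.append(ts)
            up_since = None  # skip the echoed delete for the same SA
    gaps = [int((b - a).total_seconds()) for a, b in zip(delete_times, delete_times[1:])]
    return early, (median(gaps) if gaps else None)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample, every SA negotiated for 3600 seconds is deleted by the peer after under a minute, at a near-constant period, which points at a periodic event on the remote side rather than an IKE lifetime expiry.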
     
