
IPSEC VPN Tunnel RVL200 --> Cisco 1721

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by pickseed, Mar 15, 2007.

  1. pickseed

    pickseed LI Guru Member

    I am trying to connect an RVL200 to a Cisco 1721 router with an IPSEC VPN.

    We have been using BEFSX41s for quite some time now without many problems. I want to upgrade for the increased throughput mainly.

    I can't seem to get the VPN client in the RVL200 to connect to the Cisco 1721.

    For reference, here are the settings from the BEFSX41:

    tunnel name: mars

    Local Secure Group:
    Type=Subnet
    IP=192.168.6.1
    Mask=255.255.255.0

    Remote Secure Group:
    Type=Subnet
    IP=192.168.1.134
    Mask=255.255.255.0
    Remote Security Gateway:
    Type=IP Addr.
    IP= xxx.xxx.xxx.xxx

    Encryption: DES
    Authentication: SHA
    Key Management: Auto (IKE)
    PFS: Disabled
    PSK: <hidden>
    Key Lifetime: 1000

    Here is what I have set on the RVL200:

    Tunnel Name: mars

    Local Security Gateway Type: IP Only
    IP address: yyy.yyy.yyy.yyy
    Local Security Group: 192.168.6.0
    Subnet Mask: 255.255.255.0

    Remote Security Gateway Type: IP Only
    IP Address: xxx.xxx.xxx.xxx
    Remote Security Group Type: Subnet
    IP Address: 192.168.1.0
    Subnet Mask: 255.255.255.0

    Keying Mode: IKE with Preshared Key
    Phase1 DH Group: Group1
    Phase1 Encryption: DES
    Phase1 Authentication: SHA1
    Phase1 SA Lifetime: 1000
    Perfect Forward Secrecy: <unchecked>

    Phase2 Encryption: DES
    Phase2 Authentication: SHA1
    Phase2 SA Life Time: 1000
    Preshared Key: <hidden>

    When I apply these settings and try to connect to the VPN, I get the following in the IPSEC log:

    Mar 15 07:24:30 2007 VPN Log [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
    Mar 15 07:25:01 2007 VPN Log Ignoring Vendor ID payload [439b59f8ba676c4c...]
    Mar 15 07:25:01 2007 VPN Log Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]
    Mar 15 07:25:01 2007 VPN Log Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
    Mar 15 07:25:01 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
    Mar 15 07:25:01 2007 VPN Log No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting

    Can anyone lead me in the right direction?
     
  2. ifican

    ifican Network Guru Member

    So your yyy.yyy address is your WAN address for your RVL and your xxx.xxx address is your WAN IP for your router? Also, are you certain that you have input the right key?
     
  3. pickseed

    pickseed LI Guru Member

    Yes, the yyy is the WAN address of the RVL and the xxx is the WAN address of the Cisco.

    I have double checked the Pre-Shared key (even copied and pasted)
     
  4. ifican

    ifican Network Guru Member

    At this point debug the IKE session on the router and see what it says. Your settings are basically the same, but something is just enough off that it's causing phase 1 to die. The BEF was set to auto IKE; was it only capable of group 1, or was it potentially negotiating group 2?
     
  5. pickseed

    pickseed LI Guru Member

    Ok, I'm almost there now.

    There were some settings on the Cisco that the BEF must ignore.

    Now I have the VPN connected, but I can't ping anything from 192.168.1.x to 192.168.6.x. I can ping the public yyy.yyy.yyy.yyy address, but nothing internal.

    I have disabled "Block WAN Request". Is there a setting somewhere else?

    In order to get the RVL to connect, I had to make the changes in bold:

    Tunnel Name: mars

    Local Security Gateway Type: IP Only
    IP address: yyy.yyy.yyy.yyy
    Local Security Group: 192.168.6.0
    Subnet Mask: 255.255.255.0

    Remote Security Gateway Type: IP Only
    IP Address: xxx.xxx.xxx.xxx
    Remote Security Group Type: Subnet
    IP Address: 192.168.1.0
    Subnet Mask: 255.255.255.0

    Keying Mode: IKE with Preshared Key
    Phase1 DH Group: Group1
    Phase1 Encryption: DES
    Phase1 Authentication: MD5
    Phase1 SA Lifetime: 86400
    Perfect Forward Secrecy: <unchecked>

    Phase2 Encryption: DES
    Phase2 Authentication: SHA1
    Phase2 SA Life Time: 1000
    Preshared Key: <hidden>
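The phase-1 failure in this thread, worked through as an added example (this is not code from the thread, from Linksys or from Cisco): a small Python model of the IKEv1 main-mode responder's proposal check, run against the RVL200 Phase1 values from the first post and from the post above, and against a constructed Cisco IOS `crypto isakmp policy` block that mirrors the settings the RVL200 finally needed. The IOS config excerpt, the IOS defaults used for omitted policy lines, and the rule that the SA lifetime is negotiated down to the shorter value rather than compared exactly are assumptions, marked in the code. It reproduces the "No Proposal chosen" outcome for the original settings and names the attribute that was off.

```python
"""Model of the IKEv1 phase-1 proposal check behind the RVL200 log line
"No acceptable Oakley Transform, No Proposal chosen".

Added example for this thread; not code from Linksys, Cisco or the poster.
"""
import re
from dataclasses import dataclass, replace

# Constructed IOS running-config excerpt (assumption: the thread never posts the
# real 1721 config; this block mirrors the values the RVL200 ended up using).
IOS_CONFIG = """\
crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
crypto isakmp key ****** address 192.0.2.1
"""

# RVL200 tunnel form values, taken from the thread's first and final attempts.
RVL200_FIRST_TRY = {"Phase1 DH Group": "Group1", "Phase1 Encryption": "DES",
                    "Phase1 Authentication": "SHA1", "Phase1 SA Lifetime": "1000"}
RVL200_WORKING = {"Phase1 DH Group": "Group1", "Phase1 Encryption": "DES",
                  "Phase1 Authentication": "MD5", "Phase1 SA Lifetime": "86400"}

# Assumption: IOS fills in these values for any line missing from a policy block.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "auth": "rsa-sig",
                "group": 1, "lifetime": 86400}
HASH_NAMES = {"sha": "sha", "sha1": "sha", "md5": "md5"}  # RVL200 says SHA1, IOS says sha
MATCHED_ATTRS = ("encryption", "hash", "auth", "group")   # compared exactly; lifetime is not


@dataclass(frozen=True)
class Phase1Proposal:
    encryption: str   # des, 3des, aes
    hash: str         # md5 or sha (HMAC-SHA1 in IKEv1)
    auth: str         # pre-share or rsa-sig
    group: int        # Diffie-Hellman group number
    lifetime: int     # seconds


def parse_ios_isakmp_policies(config: str) -> list[tuple[int, Phase1Proposal]]:
    """Return (priority, proposal) for every 'crypto isakmp policy N' block."""
    policies: list[tuple[int, Phase1Proposal]] = []
    prio, attrs = None, {}

    def flush():
        if prio is not None:
            policies.append((prio, Phase1Proposal(**{**IOS_DEFAULTS, **attrs})))

    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            flush()
            prio, attrs = int(m.group(1)), {}
        elif prio is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            if key.startswith("encr"):          # IOS prints "encr", operators type "encryption"
                attrs["encryption"] = val.lower()
            elif key == "hash":
                attrs["hash"] = HASH_NAMES[val.lower()]
            elif key == "authentication":
                attrs["auth"] = val.lower()
            elif key == "group":
                attrs["group"] = int(val)
            elif key == "lifetime":
                attrs["lifetime"] = int(val)
        else:
            flush()          # a non-indented line ends the policy block
            prio = None
    flush()
    return policies


def rvl200_phase1(form: dict, auth: str = "pre-share") -> Phase1Proposal:
    """Translate the RVL200 'IKE with Preshared Key' form fields into one proposal."""
    return Phase1Proposal(
        encryption=form["Phase1 Encryption"].lower(),
        hash=HASH_NAMES[form["Phase1 Authentication"].lower()],
        auth=auth,
        group=int(form["Phase1 DH Group"].lower().replace("group", "")),
        lifetime=int(form["Phase1 SA Lifetime"]),
    )


def mismatches(initiator: Phase1Proposal, policy: Phase1Proposal) -> list[str]:
    """Attributes on which the initiator's proposal differs from one responder policy."""
    return [f"{a}: initiator {getattr(initiator, a)} vs responder {getattr(policy, a)}"
            for a in MATCHED_ATTRS if getattr(initiator, a) != getattr(policy, a)]


def negotiate(initiator, policies):
    """Responder walks its policies lowest priority number first and accepts the first
    exact match on encryption/hash/auth/group. Assumption (IOS behaviour): lifetime is
    not a match criterion, the shorter of the two values is used. None = 'No Proposal chosen'."""
    for prio, policy in sorted(policies, key=lambda p: p[0]):
        if not mismatches(initiator, policy):
            return prio, replace(policy, lifetime=min(policy.lifetime, initiator.lifetime))
    return None


def explain(initiator, policies) -> dict[int, list[str]]:
    """Per-policy list of mismatched attributes; the check to run before touching the PSK."""
    return {prio: mismatches(initiator, policy) for prio, policy in policies}


if __name__ == "__main__":
    policies = parse_ios_isakmp_policies(IOS_CONFIG)
    for label, form in (("first try", RVL200_FIRST_TRY), ("working", RVL200_WORKING)):
        proposal = rvl200_phase1(form)
        result = negotiate(proposal, policies)
        print(label, "->", result if result else f"No Proposal chosen: {explain(proposal, policies)}")
```

Two practical points the model makes visible. First, the log's hint to "check your SA or preshared key setting" is only half right for this error: in main mode the responder rejects a proposal in message 2, before the pre-shared key is ever used, so a wrong PSK produces a different failure later in the exchange; run `explain()` (or `debug crypto isakmp` on the IOS side, as suggested earlier in the thread) on the transform attributes first. Second, the lifetime change from 1000 to 86400 was not what fixed phase 1 under this model; the SHA1-to-MD5 change was. DES, MD5 and DH group 1 appear here only because that is what the thread matched on; when both ends offer a stronger suite, match on that instead.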
     
  6. Toxic

    Toxic Administrator Staff Member

    Can you ping the internal gateway IP address? If so, and your workstations are unable to be pinged, then try looking at software firewalls on each workstation. If Windows firewalls are enabled you need to allow ICMP Echo requests on the firewalls for ping to work. Have you tried to use the UNC path to a workstation with a share?
     
  7. ifican

    ifican Network Guru Member

    Post your router config or send me a PM to look at it; without seeing all the specifics I can only venture a guess.
     
  8. pickseed

    pickseed LI Guru Member

    I found the ping problem.

    I didn't notice that the computer I was pinging from on the 192.168.1.0 network didn't have the static route set up for the VPN gateway (We have 3 different internet connections at the head office).

    Everything looks good now.

    ifican: thanks for the help, your suggestion to check the ike settings on the Cisco is what helped me solve this!
     
