Linksys RV042 VPN To Cisco 871 Router with IOS 12.4

I've read on here that it can be done, my router has the vpn feature set, i've found several config's most wont work. any one have any pointer's i'm almost a ccna, so i'm fairly comfortable with the cisco aspect.. any help is greatly appreciated...

 

What I have you tried thus far. It can be a little tricky but its still pretty straight forward. If you would post the cisco config and well have a look at it, just be sure to to change any relevant info before.

 

Here is the config, the software version is flash:c870-advsecurityk9-mz.124-4.T7.bin
Its an 871W by the way..

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname catter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
!
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.29.0.1
!
ip dhcp pool sdm-pool1
import all
network 10.29.0.0 255.255.255.0
default-router 10.29.0.1
dns-server 65.24.7.3 65.24.7.6
!
!
!
crypto isakmp policy 15
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key 6 linksys address REMOTE SITE
crypto isakmp key 6 linksys address 10.1.1.1
crypto isakmp key 6 linksys address 10.1.1.2
!
!
crypto ipsec transform-set my-set esp-3des esp-md5-hmac
!
crypto map linksys 15 ipsec-isakmp
! Incomplete
set peer REMOTE SITE
set transform-set my-set
set pfs group2
match address 101
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map linksys
!
interface Dot11Radio0
no ip address
!
ssid Mike's Hard Wireless
authentication open
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.29.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.29.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

the local lan on the cisco is ip 10.29.0.x

remote site on the linksys is 10.29.1.x

Linksys Config:

static external IP,

Tunnel No: 1
Tunnel Name:test
Interface:WAN1
Enable: tick

Local Security Gateway Type: IP Only
IP Address:localhost
Local Security Group Type: Subnet
IP Address: 10.29.1.0
Subnet Mask: 255.255.255.0

Remote Security Gateway Type: IP Only
IP Address: remotehost
Local Security Group Type: Subnet
IP Address: 10.29.0.0
Subnet Mask: 255.255.255.0

Keying Mode: IKE with Preshared Key
Phase 1 DH Group: Group 2
Phase 1 Encryption: 3DES
Phase 1 Authentication: MD5
Phase 1 SA Lifetime: 28800

Perfect Forward Secrecy: tick
Phase 2 DH Group: Group 2
Phase 2 Encryption: 3DES
Phase 2 Authentication: MD5
Phase 2 SA Lifetime: 28800
Preshared Key: Linksys

Aggressive Mode: Tick
Keep Alive: Tick


tried this config based on http://www.linksysinfo.org/forums/showthread.php?t=34334

Any help's greatly appreciated

 

Ok Ill get this as close as I can but there is not enough info here to complete, I will put what i can in ( ) with notes. Make the following changes too:

crypto isakmp policy 15
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key linksys address (wan ip of linksys)
!
!
crypto ipsec transform-set my-set esp-3des esp-md5-hmac
!
!
crypto map linksys 15 ipsec-isakmp
set peer (wan ip of linksys)
set transform-set my-set
set pfs group2
match address 101
!
!
access-list 101 permit ip 10.29.0.0 0.0.0.255 10.29.1.0 0.0.0.255
!
!
Now also remove the statement "ip access-group 101 in" from interface FE4

Now I am not familiar with the RV series but most vpn's are about the same. What ip appears you are missing with the linksys config is a setting for “Remote Secure Gateway” which is going to be the Wan ip of the cisco router. Everything else looks ok, give it a try and let me know if you have any questions.

 

ifican, thanks for the help, the changes you suggested work, and now the tunnel's established.. looks like i just had a couple syntax errors... now i just have to figure out why i cant ping across it.. seems like i may have a bad access list somewhere..

 

as far as i know ping isn't blocked but it appears to not pass any traffic http/ping/remote desktop etc. but the tunnel according to the cisco and the linksys is established

 

i got it working, looks as though my ACL's were what was killing it... did some googleing and set up the private ips to bypass the nat and it passes thru fine.

 

Yes that is correct, by default all of your outgoing traffic is being nat'ed including the tunnel traffic, as you had discovered you have to deny the tunnel traffic on the same acl that you permit all other nat'ed traffic making sure you put the deny traffic first. I completely forgot to mention that but good work figuring it out.