
Problems with connecting Windows XP VPN Client and RV042

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by mcheben, Mar 27, 2007.

  1. mcheben

    mcheben LI Guru Member

    Hello,
    I have an RV042 and some Windows XP VPN client users (L2TP). The RV042 is configured to not pass through L2TP and IPSEC packets. Group VPN for MS XP/2000 clients is also configured. When I "dial in" the connection from the client computers, the log on the RV042 shows this:
    Code:
    Mar 27 19:59:08 2007	     VPN Log	    Ignoring Vendor ID payload Type = [MS NT5 ISAKMPOAKLEY 00000005]
    Mar 27 19:59:08 2007	   Connection Accepted	   UDP xx.xx.xx.xx:500->yy.yy.yy.yy:500 on ppp0
    Mar 27 19:59:08 2007	    VPN Log	   Ignoring Vendor ID payload [4a131c8107035845...]
    Mar 27 19:59:08 2007	    VPN Log	   Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
    Mar 27 19:59:08 2007	    VPN Log	   Ignoring Vendor ID payload Type = [FRAGMENTATION]
    Mar 27 19:59:08 2007	    VPN Log	   Ignoring Vendor ID payload [fb1de3cdf341b7ea...]
    Mar 27 19:59:08 2007	    VPN Log	   Ignoring Vendor ID payload [26244d38eddb61b3...]
    Mar 27 19:59:08 2007	    VPN Log	   Ignoring Vendor ID payload [e3a5966a76379fe7...]
    Mar 27 19:59:08 2007	    VPN Log	   [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
    Mar 27 19:59:08 2007	    VPN Log	   Create a temporary connection for incoming Microsoft VPN Client negotiation packet.
    Mar 27 19:59:08 2007	    VPN Log	   Responding to Main Mode from unknown peer xx.xx.xx.x
    Mar 27 19:59:08 2007	    VPN Log	   No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
    Is it possible to use the built-in Windows IPSec/L2TP client to "dial" a connection to the RV042?
    The RV042 has 1.3.7.2 firmware, as unpacked from the box.
    Is the firmware on the US pages usable for a European RV042? I think it is, but I don't understand why there is only 1.6.x firmware on the EU pages.
    PPTP is working fine, but I need to separate clients on WAN1 and on WAN2 (via the accessible IP range on the VPN connection).
    Any suggestion what can be wrong with my configuration?
     
  2. mcheben

    mcheben LI Guru Member

    A little progress, but unfortunately no solution :(
    The previous post contains messages which can still be found when connecting from Vista. This is the log for connecting from an XP computer:
    Code:
    Apr 2 15:57:27 2007	    VPN Log	   Ignoring Vendor ID payload Type = [MS NT5 ISAKMPOAKLEY 00000004]
    Apr 2 15:57:27 2007	   Connection Accepted	   UDP xx.xx.xx.xx:500->yy.yy.yy.yy:500 on ppp0
    Apr 2 15:57:27 2007	    VPN Log	   Ignoring Vendor ID payload Type = [FRAGMENTATION]
    Apr 2 15:57:27 2007	    VPN Log	   Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
    Apr 2 15:57:27 2007	    VPN Log	   Ignoring Vendor ID payload [26244d38eddb61b3...]
    Apr 2 15:57:27 2007	    VPN Log	   [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
    Apr 2 15:57:27 2007	    VPN Log	   Create a temporary connection for incoming Microsoft VPN Client negotiation packet.
    Apr 2 15:57:27 2007	    VPN Log	   Responding to Main Mode from unknown peer yy.yy.yy.yy
    Apr 2 15:57:27 2007	    VPN Log	   [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
    Apr 2 15:57:27 2007	    VPN Log	   [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
    Apr 2 15:57:27 2007	    VPN Log	   [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
    Apr 2 15:57:28 2007	    VPN Log	   [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
    Apr 2 15:57:28 2007	    VPN Log	   Main mode peer ID is ID_IPV4_ADDR: '192.168.1.101'
    Apr 2 15:57:28 2007	    VPN Log	   [Tunnel Negotiation Info] >>> Responder Send Main Mode 6th packet
    Apr 2 15:57:28 2007	    VPN Log	   [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
    Apr 2 15:57:28 2007	    VPN Log	   [Tunnel Negotiation Info] Initiator Cookies = ad9a 4078 bdf fd81
    Apr 2 15:57:28 2007	    VPN Log	   [Tunnel Negotiation Info] Responder Cookies = 6bd6 3a28 b83d ece0
    Apr 2 15:57:28 2007	    VPN Log	   [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
    Apr 2 15:57:28 2007	    VPN Log	   Cannot respond to IPsec SA request because no connection is known for yy.yy.yy.yy:17/1701...xx.xx.xx.xx[vpnclient@microsoft.com]:17/1701===192.168.1.101/32
    Apr 2 15:57:29 2007	    VPN Log	   Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2b0d41af (perhaps this is a duplicated packet)
    Any suggestion what can be wrong?
     
  3. aviegas

    aviegas Network Guru Member

    1) Try the newer firmware. I've never seen an RV042 that is not Version 1. I guess the version on the EU site is related to support. But I will not guarantee that it will work. Maybe some other European user can share a line on that....

    2) Your second log looks like the one I get when connecting from a Vista machine using a QuickVPN type setup. I've tried several ways to get Vista to connect.... still trying....

    3) QuickVPN can be a solution for you, but it will not allow you to select the incoming port, so it's like using PPTP.

    4) You may try to write a script to issue the IPSec commands on XP/2000 and even Vista, but that will be quite hard to accommodate the needs for a road warrior type user. Is this what you want? Or are the VPN users behind static IPs?
     
  4. mcheben

    mcheben LI Guru Member

    That's strange, that a device like the RV042 has a different "actual" version in Europe and the US :)

    The log in the first post is from Vista, the second one is from XP SP2.

    QuickVPN is a solution only for Windows XP based computers. I have many Windows Mobile and Symbian devices with a "must have" IPSec connection.

    Now I see this is the only solution, but first I must be sure that the RV042 accepts a connection from the XP/2000 Windows built-in IPSEC WAN adapter. The strange thing that comes with testing IPSec with the RV042 is that I lose all WAN adapters in XP. If anyone needs to reinstall them, use devcon.exe install <nameoftheadapter>.
     
  5. aviegas

    aviegas Network Guru Member

    Never said there were different versions. I do not think there is more than one version of this router around, although I've seen claims that newer routers have a different PCB (different circuitry at least on the power supply part). But these changes did not cause a change in version, so the same firmware applies.

    Based on some tests I've done, I was never able to make this router talk to a Vista machine, using the same strategies I can use on a 2000/XP machine. I've tried a gateway-user connection and simulating QuickVPN. Nothing flows in the first case and I cannot get past Phase 2 (quick mode) in QuickVPN mode.

    As for the error in your first trace, the proposal is wrong. You need to adjust what Microsoft calls "security modes". I got it to work with the following proposal "3DES-SHA1-2 3DES-MD5-2 3DES-SHA1-3".

    As for the second trace. I'm stuck there too with Vista.....

    The problem is the "dynamic" nature of the clients. The only support built into the RV0xx routers for dynamic remote users is QuickVPN. It's not hard to "simulate" it, provided that your IPSec implementation on the remote end helps. I can simulate a QuickVPN in XP, but the same approach fails miserably on Vista.

    IPSec WAN adapter under XP? As far as I know, "native MS" IPSec is implemented under 2000/XP/2003/Vista as filters/policies (terrible way to do it).

    QuickVPN uses the native Windows XP/2000 code. It's just a shell to tell the RV0xx (and similar routers) to create a dynamic connection and return the associated PSK. Then QuickVPN sets up a set of policy based IPSec rules and voila! When the user disconnects, QuickVPN tells the RV0xx to "destroy" the connection. The initial and final handshakes are based on HTTPS, so really simple to implement.
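
The two failures discussed in the post above stop at different IKE stages, and the router log says which one. The classifier below is an added example, not part of the original thread; the function name `diagnose` and the result keys are assumptions, and the sample lines are copied (abbreviated) from the two traces posted earlier.

```python
import re

# Log lines copied from the two traces posted in this thread (abbreviated).
VISTA_TRACE = """\
Mar 27 19:59:08 2007\tVPN Log\t[Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Mar 27 19:59:08 2007\tVPN Log\tNo acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
"""
XP_TRACE = """\
Apr 2 15:57:28 2007\tVPN Log\t[Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Apr 2 15:57:28 2007\tVPN Log\t[Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Apr 2 15:57:28 2007\tVPN Log\tCannot respond to IPsec SA request because no connection is known for yy.yy.yy.yy:17/1701...xx.xx.xx.xx[vpnclient@microsoft.com]:17/1701===192.168.1.101/32
"""

# "addr:proto/port" traffic selectors in the Quick Mode rejection line.
SELECTOR = re.compile(r":(\d+)/(\d+)")
IP_PROTOCOLS = {6: "tcp", 17: "udp", 50: "esp"}  # IANA protocol numbers


def diagnose(trace):
    """Classify where an IKE negotiation stopped, from the responder's log."""
    result = {"phase1_established": False, "failure": None, "selectors": []}
    for line in trace.splitlines():
        if "Phase 1 SA Established" in line:
            result["phase1_established"] = True
        elif "No acceptable Oakley Transform" in line:
            # Main Mode: none of the client's Phase 1 transforms was accepted.
            result["failure"] = "phase1_proposal_mismatch"
        elif "no connection is known for" in line:
            # Quick Mode: Phase 1 passed, but no configured connection
            # matches the traffic selectors the client requested.
            result["failure"] = "phase2_no_matching_connection"
            result["selectors"] = [
                (IP_PROTOCOLS.get(int(proto), proto), int(port))
                for proto, port in SELECTOR.findall(line)
            ]
    return result


if __name__ == "__main__":
    for name, trace in (("Vista", VISTA_TRACE), ("XP SP2", XP_TRACE)):
        print(name, diagnose(trace))
```

The `17/1701` selectors in the XP trace decode to UDP port 1701, the L2TP port, on both ends of the requested SA.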
     
  6. mcheben

    mcheben LI Guru Member

    Sorry, my fault. I mean the PPTP WAN adapter.
    Back to IPSec/L2TP under XP. I think (and the user manual assures me) that the RV042 supports the XP L2TP client via group VPN. But as you see, my results are very bad :(
     
