
Replaced one end of BEFSX41 tunnel with RV082, now VPN won't connect.

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by toddah, Apr 15, 2007.

  1. toddah

    toddah LI Guru Member

    Hi all,
    I have a fully functional VPN set up between 3 office locations using BEFSX41 boxes. I am trying to replace the main office 41 with a new RV082 to allow more site connections for a new office.
    I copied all of the configurations from the main site 41 onto the 82 and plugged it in. One site (Charter connection) connects just fine, but the second site (SBC DSL) refuses to connect. I have been over all the IPsec settings until I cannot see straight and I can see nothing wrong.

    Error log:

    Main mode peer ID is ID_IPV4_ADDR: '70.226.184.225'
    Apr 15 07:03:38 2007 VPN Log No suitable connection for peer '70.226.184.225', Please check Phase 1 ID value
    Apr 15 07:03:57 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
    Apr 15 07:03:57 2007 VPN Log [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
    Apr 15 07:03:57 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
    Apr 15 07:03:57 2007 VPN Log [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
    Apr 15 07:03:58 2007 VPN Log probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
    Apr 15 07:03:59 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet

    If I put the 41 back everything pops up and runs.

    The 82 IPsec is set up like this:

    IKE with Preshared Key
    PH 1 Group 1
    Ph1 DES
    SHA1
    3600

    PFS = on

    Group 1
    3DES
    SHA1
    28800

    Key is the same on both ends

    The only difference I can see is the BEFSX41 only has a SHA and not a SHA1 setting in the selections, but the working 41 on the second line only has the same thing and it is working fine.

    The SBC line has a Netopia router talking to the net, and my 41 is behind it.
     
  2. toddah

    toddah LI Guru Member

    From the RV082 log

    Main mode peer ID is ID_IPV4_ADDR: 'XX.XXX.XXX.225'
    Apr 15 09:19:19 2007 VPN Log We require peer to have ID 'XX.XXX.XXX.230', but peer declares 'XX.XXX.XXX.225'
    Apr 15 09:19:29 2007 VPN Log Received informational payload, type INVALID_PAYLOAD_TYPE
    Apr 15 09:19:41 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
    Apr 15 09:19:41 2007 VPN Log [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
    Apr 15 09:19:41 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
    Apr 15 09:19:41 2007 VPN Log [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
    Apr 15 09:19:42 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet

    xx.xxx.xxx.25 is the BEFSX41
    xx.xxx.xxx.30 is the Netopia SBC router


    From the 41 log (xx.xxx.xxx.89 = the RV082 IP address):

    2007-04-15 09:19:25 IKE[2] Tx >> Notify : INVALID-PAYLOAD-TYPE
    2007-04-15 09:19:36
    2007-04-15 09:19:36 IKE[1] Tx >> MM_I1 : xx.xxx.xxx.146 SA
    2007-04-15 09:19:36
    2007-04-15 09:19:36 IKE[2] Tx >> MM_I1 : xx.xxx.xxx.89 SA
    2007-04-15 09:19:37 IKE[2] Rx << MM_R1 : xx.xxx.xxx.89 SA, VID
    2007-04-15 09:19:37 IKE[2] ISAKMP SA CKI=[xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
    2007-04-15 09:19:37 IKE[2] ISAKMP SA DES / SHA / PreShared / MODP_768 / 3600 sec (*3600 sec)
    2007-04-15 09:19:37 IKE[2] Tx >> MM_I2 : xx.xxx.xxx.89 KE, NONCE
    2007-04-15 09:19:37 IKE[1] Rx << MM_R1 : xx.xxx.xxx.146 SA
    2007-04-15 09:19:37 IKE[1] ISAKMP SA CKI=[xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    2007-04-15 09:19:37 IKE[1] ISAKMP SA DES / SHA / PreShared / MODP_768 / 3600 sec (*3600 sec)
    2007-04-15 09:19:37 IKE[1] Tx >> MM_I2 : xx.xxx.xxx.146 KE, NONCE
    2007-04-15 09:19:37 IKE[2] Rx << MM_R2 : xx.xxx.xxx.89 KE, NONCE
    2007-04-15 09:19:37 IKE[2] Tx >> MM_I3 : xx.xxx.xxx.89 ID, HASH
    2007-04-15 09:19:38 IKE[1] Rx << MM_R2 : xx.xxx.xxx.146 KE, NONCE
    2007-04-15 09:19:38 IKE[1] Tx >> MM_I3 : xx.xxx.xxx.146 ID, HASH
    2007-04-15 09:19:39 IKE[1] Rx << MM_R3 : xx.xxx.xxx.146 ID, HASH
    2007-04-15 09:19:39 IKE[1] Tx >> QM_I1 : xx.xxx.xxx.146 HASH, SA, NONCE, KE, ID, ID
    2007-04-15 09:19:40 IKE[1] Rx << Notify : PAYLOAD-MALFORMED
    2007-04-15 09:19:40 IKE[1] **Check your PFS setting !
    2007-04-15 09:19:45 IKE[8] **Check your ISAKMP Pre-share Key setting !
    2007-04-15 09:19:45 IKE[8] Tx >> Notify : INVALID-PAYLOAD-TYPE
     
  3. pablito

    pablito Network Guru Member

    Have you tried using 3DES/MD5/Group5/PFS settings? That might have an easier time authenticating.
     
  4. aviegas

    aviegas Network Guru Member

    There seems to be some NAT problems if you are seeing messages like

    Apr 15 09:19:19 2007 VPN Log We require peer to have ID 'XX.XXX.XXX.230', but peer declares 'XX.XXX.XXX.225'

    But without the diagram and real addresses I can't know for sure.

    Also, it may be some settings mismatch. Try using 3DES on the main mode.
    I'm not sure the BEFSX41 can do Group5 (I guess only 1 and 2)
     
  5. toddah

    toddah LI Guru Member

    Is there a difference in the way an 082 and a 41 handle NATting on the far end? If I place the original 41 back into the main office location everything runs fine. I tried DES and Manual on both ends and no happiness.
    The Netopia SBC router is the xxx.226.184.230
    The 41 sitting behind it is the xxx.226.184.225
    All works fine with two 41's, just not the 082.
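    The two RV082 logs quoted in this thread show two different Phase 1 failures, and it helps to tell them apart mechanically. The following is an added example, not code from the thread or from Linksys: a small Python triage script that reads RV082-style "VPN Log" lines and separates a pre-shared key problem (Main Mode packet 5 cannot be decrypted, the "probable authentication failure" line) from a Phase 1 ID mismatch (the peer's ID payload was decrypted and read, but its ID_IPV4_ADDR is not the address the tunnel entry requires). The regexes are inferred only from the log lines quoted above, and the sample logs and the 198.51.100.x addresses (RFC 5737 documentation range) are constructed for the example.

```python
# Added example: triage RV082-style "VPN Log" lines (not Linksys code).
# Regexes are inferred only from the lines quoted in this thread; sample
# logs and 198.51.100.x addresses (RFC 5737 range) are constructed.
import re
from dataclasses import dataclass, field
from typing import List, Optional

RE_PEER_ID = re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '([\d.]+)'")
RE_REQUIRE = re.compile(r"We require peer to have ID '([\d.]+)', but peer declares '([\d.]+)'")
RE_NO_CONN = re.compile(r"No suitable connection for peer '([\d.]+)'")
RE_AUTH_FAIL = re.compile(r"probable authentication failure")
RE_MM_STEP = re.compile(r"Responder (?:Received|[Ss]end) Main Mode (\d)(?:st|nd|rd|th) packet")


@dataclass
class Phase1Result:
    declared_id: Optional[str] = None   # ID_IPV4_ADDR the peer put in IDii (MM packet 5)
    expected_id: Optional[str] = None   # remote ID the responder's tunnel entry requires
    no_connection_for: Optional[str] = None
    auth_failure: bool = False          # responder could not decrypt/parse MM packet 5
    mm_packets_seen: List[int] = field(default_factory=list)

    @property
    def id_mismatch(self) -> bool:
        return (self.expected_id is not None and self.declared_id is not None
                and self.expected_id != self.declared_id)

    @property
    def psk_verified(self) -> bool:
        # IKEv1 Main Mode with PSK encrypts packets 5/6 under SKEYID_e, which is
        # derived from the pre-shared key, so a readable peer ID means the
        # keys on both ends matched.
        return self.declared_id is not None


def triage_rv082_log(lines: List[str]) -> Phase1Result:
    """Fold the log lines of one negotiation attempt into a Phase1Result."""
    r = Phase1Result()
    for line in lines:
        if m := RE_PEER_ID.search(line):
            r.declared_id = m.group(1)
        elif m := RE_REQUIRE.search(line):
            r.expected_id, r.declared_id = m.group(1), m.group(2)
        elif m := RE_NO_CONN.search(line):
            r.no_connection_for = m.group(1)
        elif RE_AUTH_FAIL.search(line):
            r.auth_failure = True
        elif m := RE_MM_STEP.search(line):
            r.mm_packets_seen.append(int(m.group(1)))
    return r


def explain(r: Phase1Result) -> List[str]:
    """Map the parsed result to the check a practitioner should run next."""
    notes = []
    if r.auth_failure:
        notes.append("MM packet 5 was unreadable: compare the pre-shared key on both "
                     "ends byte for byte.")
    if r.id_mismatch:
        notes.append(f"Phase 1 ID mismatch: tunnel expects {r.expected_id}, peer declared "
                     f"{r.declared_id}.")
        if r.psk_verified:
            notes.append("The PSK is consistent (the peer ID decrypted cleanly); fix the "
                         "remote ID, not the key.")
        notes.append("A declared ID that differs from the address the tunnel entry is "
                     "configured for points at a router between the peers (the peer names "
                     "its own WAN address): make the responder accept the declared ID, or "
                     "enable NAT Traversal on both ends.")
    elif r.no_connection_for:
        notes.append(f"No tunnel entry matched peer ID {r.no_connection_for}: check the "
                     "Remote Security Gateway / Phase 1 ID on the responder.")
    return notes


# Constructed samples modelled on the two logs quoted in this thread.
SAMPLE_ID_MISMATCH = """\
Main mode peer ID is ID_IPV4_ADDR: '198.51.100.225'
Apr 15 09:19:19 2007 VPN Log We require peer to have ID '198.51.100.230', but peer declares '198.51.100.225'
Apr 15 09:19:41 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Apr 15 09:19:41 2007 VPN Log [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
Apr 15 09:19:42 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
""".splitlines()

SAMPLE_PSK_MISMATCH = """\
Apr 15 07:03:57 2007 VPN Log [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
Apr 15 07:03:58 2007 VPN Log probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("ID mismatch", SAMPLE_ID_MISMATCH), ("PSK mismatch", SAMPLE_PSK_MISMATCH)):
        print(f"== {name} ==")
        for note in explain(triage_rv082_log(sample)):
            print(" -", note)
```

    The useful observation is the one the second log makes possible: because Main Mode packets 5 and 6 are encrypted with keys derived from the pre-shared key, a responder that can print "peer declares 'x.x.x.225'" has already proven the key matches, so the remaining variable is the Phase 1 ID, which is where the intermediate Netopia router comes in.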
     
  6. pablito

    pablito Network Guru Member

    I don't know if there is a difference, there shouldn't be. A few things, make sure the RV8 is on the latest release. Make sure you are selecting NAT Traversal in the Advanced options for the tunnel. We'll assume that your router can pass VPN since the other one worked. I would also suggest trying with the tried and true 3DES/MD5 settings. I have one VPN that only works with that.
     
  8. aviegas

    aviegas Network Guru Member

    As far as I know, both will translate the packets in the same way (NAT). But the problem in this case is not the RV or the BEF routers, but rather yet another router on the way, usually a router used to connect to the ISP (in your case I guess it is the SBC DSL, right?). Where is the DSL connection (PPPoE typically for SBC) handled? If it's done by the DSL modem, then that is a possible cause. The VPN code in the BEF is not the same as in the RV, so there might be some small difference that the router code in the DSL modem is failing to see.

    Another possibility, if indeed you have a combined modem/router, is that it can handle only 1 VPN passthru (NAT) and for some reason it's being "locked" to the BEF (do you power cycle the modem?).
     
  9. cybermud

    cybermud LI Guru Member

    Were you able to find a solution to this Toddah? I am having the same problem...
     
  10. misape

    misape Guest

    Hi Toddah.

    Did you get your problem solved? Because I have a similar problem with one BEFSX41 behind a Zyxel DSL modem/router and an RV082. The RV082 replaces a BEFVP41. There were no problems with the connection with the BEFVP41.
    I do hope you have got an answer you wish to share.
    New user at this site, misape
     
