RV016 with 10 tunnels using RV042

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by type_r, Nov 30, 2006.

  1. type_r

    type_r LI Guru Member

    Hello

    I am using the main router RV016 with 10 tunnels who are using RV042 but the tunnel will collapse one by one in a few hours.

    All 10 tunnels are in different locations and are configured in the same settings.

    I have tried several combinations but they also don't last for more than a day.

    Now, I have to reboot my RV016 everyday and the all tunnels will re-establish again.

    Pls help me if you do have any ways of strengthening the tunnels.

    Thank you

    Vince
     
  2. Toxic

    Toxic Administrator Staff Member

    keep alive enabled on all routers? are the DPD and Lifetime key timings ALL the same?
     
  3. type_r

    type_r LI Guru Member

    Hello Simon
    =====================================================
    For the RV016 main VPN router, under the VPN tab (IPSec Setup) :
    Gateway to Gateway

    Keying mode : IKE with preshared key
    Phase1 DH Group : Group 1
    Phase1 Encryption : DES
    Phase1 Authentication : MD5
    Phase1 SA Lifetime : 28800 seconds
    Perfect Forward Secrecy : checked
    Phase2 DH Group : Group 1
    Phase2 Encryption : DES
    Phase2 Authentication : MD5
    Phase2 SA Lifetime : 28800 seconds
    Preshared Key : *****

    Advanced :

    Aggressive mode : checked
    Compress (Support IP payload Compression Protocol) : checked
    Keep Alive : checked
    AH Hash Algorithm : MD5
    NetBIOS broadcast : unchecked
    NAT Transversal : unchecked
    DPD interval : 10 seconds
    ========================================================

    For the RV042 (1 of 10) VPN router, under the VPN tab (IPSec Setup) :
    Gateway to Gateway

    Keying mode : IKE with preshared key
    Phase1 DH Group : Group 1
    Phase1 Encryption : DES
    Phase1 Authentication : MD5
    Phase1 SA Lifetime : 28800 seconds
    Perfect Forward Secrecy : checked
    Phase2 DH Group : Group 1
    Phase2 Encryption : DES
    Phase2 Authentication : MD5
    Phase2 SA Lifetime : 28800 seconds
    Preshared Key : *****

    Advanced :

    Aggressive mode : checked
    Compress (Support IP payload Compression Protocol) : checked
    Keep Alive : checked
    AH Hash Algorithm : MD5
    NetBIOS broadcast : unchecked
    *RV042 has no NAT Transversal option here*
    DPD interval : 10 seconds
    =========================================================

    What did I configure wrong?

    Regards

    Vince
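
The comparison asked for in reply 2 (are the DPD and lifetime timings all the same?), as an added example that is not part of the original posts: a parser for the "Key : value" settings dumps above that reports options differing between the two routers and the proposals using DES, MD5 or Group 1, which reply 5 suggests replacing with 3DES/SHA1 and Group 2. The function names and the abridged sample dumps are assumptions constructed from the post.

```python
# Constructed sample: the RV016 dump from the post above, abridged.
RV016_DUMP = """\
Keying mode : IKE with preshared key
Phase1 DH Group : Group 1
Phase1 Encryption : DES
Phase1 Authentication : MD5
Phase1 SA Lifetime : 28800 seconds
Perfect Forward Secrecy : checked
Phase2 DH Group : Group 1
Phase2 Encryption : DES
Phase2 Authentication : MD5
Phase2 SA Lifetime : 28800 seconds
Advanced :
Aggressive mode : checked
Keep Alive : checked
NAT Transversal : unchecked
DPD interval : 10 seconds
"""
# The RV042 dump is identical except that the NAT option is replaced by a note.
RV042_DUMP = RV016_DUMP.replace("NAT Transversal : unchecked",
                                "*RV042 has no NAT Transversal option here*")

# Values reply 5 recommends moving away from.
WEAK_VALUES = {"des", "md5", "group 1"}

def parse_settings(text):
    """Parse 'Key : value' lines; headings, separators and notes are skipped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(" : ")
        if sep:
            settings[key.strip().lower()] = value.strip().lower()
    return settings

def mismatches(a, b):
    """Options whose values differ between two peers (None = option absent)."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}

def weak_proposals(settings):
    """Option names whose value is DES, MD5 or DH Group 1."""
    return sorted(k for k, v in settings.items() if v in WEAK_VALUES)

if __name__ == "__main__":
    hub, spoke = parse_settings(RV016_DUMP), parse_settings(RV042_DUMP)
    print("differs between peers:", mismatches(hub, spoke))
    print("weak proposals on RV016:", weak_proposals(hub))
```

Pasting each of the ten RV042 dumps in turn against the RV016 dump shows any lifetime or DPD value that has drifted on one site.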
     
  4. type_r

    type_r LI Guru Member

    Strongest connection

    Hi

    I have read thru some of the previous threads and it was suggested that phase 1 be stronger than phase 2.

    Anyone with settings that can last him/her for at least a month, or more?

    Any other settings that I should also take note of?

    I am also running a PAP2T voip behind each of the RV042 (data packet not going thru tunnel) and each time the tunnel collapses, I get screwed by user.

    Pls help if you have any good combinations of the vpn tunnels.

    Thanks

    Vince
     
  5. Toxic

    Toxic Administrator Staff Member

    I thought aggressive mode is better served for Software clients?

    best to use 3DES/SHA1 for both tbh. and group 2 DH try also removing

    the RV042 does support NAT Traversal if you use a newer firmware.
     
  6. Toxic

    Toxic Administrator Staff Member

    type_r what is the DHCP lease time from your modem?
     
  7. type_r

    type_r LI Guru Member

    Hello Simon

    Sorry, but I am using PPPoE, is there any way of finding the DHCP lease time?

    Regards

    Vince
     
  8. Toxic

    Toxic Administrator Staff Member

    can you login to the DSL modem and check?
     
  9. egyvoip

    egyvoip LI Guru Member

    The problem is:
    When the RV016 rtp fills up it will reboot by itself, which is the reason all your VPN connections go down (solved at point 4). Please check your system up time on the System Summary page every time your VPNs go down.

    This problem you will not face if you replace RV016 with RV042 but you still need high performance at main Location.

    So please do the following
    1- uncheck Aggressive mode at both side.
    2- check keep alive only on RV042.
    3- set DPD interval as 30 to save some process.
    4- think how to use RV016 to pass traffic from RV016-LAN to RV042-VPN only not from RV016-WAN to RV016-LAN then to RV042-VPN.
     
  10. type_r

    type_r LI Guru Member

    Egyvoip & Simon

    Thanks for the advice !

    Recently, I max out the Phase 1 (86400) and 2 (28800) life time.

    It does last a little longer but the tunnels STILL collapse one by one.

    Let me continue with that timing, and your advice on the RV016 first.

    If you think that this timing is also no good, please tell me.

    Regards

    Vince
     
  11. type_r

    type_r LI Guru Member

    Hello Egyvoip and Simon

    I tried to follow all your points but could only manage point 2 and 3.

    I also don't quite get your Point 4 though. Please see below for Point 1.

    Current settings :

    =====================================================
    For the RV016 main VPN router, under the VPN tab (IPSec Setup) :
    Gateway to Gateway

    Tunnel No. : 1
    Tunnel Name : ***
    Interface : WAN 1
    Enable : checked

    Local Security Gateway Type : IP Only
    IP Address : xxx.xxx.xxx.xxx
    Local Security Group Type : Subnet
    IP Address : xxx.xxx.xxx.xxx
    Subnet Mask : xxx.xxx.xxx.xxx

    Remote Security Gateway Type : Dynamic IP + E-mail add (USER FQDN) Auth
    Email Address : ***@***.com
    Remote Security Group Type : IP
    IP : 192.168.1.XXX (*1 pls see below)

    Keying mode : IKE with preshared key
    Phase1 DH Group : Group 1
    Phase1 Encryption : 3DES
    Phase1 Authentication : SHA1
    Phase1 SA Lifetime : 86400 seconds
    Perfect Forward Secrecy : unchecked
    Phase2 Encryption : 3DES
    Phase2 Authentication : SHA1
    Phase2 SA Lifetime : 28800 seconds
    Preshared Key : *****

    Advanced :

    Aggressive mode : checked (*2 pls see below)
    Compress (Support IP payload Compression Protocol) : checked
    Keep Alive : unchecked
    AH Hash Algorithm : MD5 checked
    NetBIOS broadcast : unchecked
    NAT Transversal : unchecked
    DPD interval : 30 seconds checked
    ========================================================

    For the RV042 (1 of 10) VPN router, under the VPN tab (IPSec Setup) :
    Gateway to Gateway

    Tunnel No. : 1
    Tunnel Name : ***
    Interface : WAN 1
    Enable : checked

    Local Security Gateway Type : Dynamic IP + E-mail add (USER FQDN) Auth
    Email Address : ***@***.com
    Remote Security Group Type : IP
    IP : 192.168.1.XXX (*1 pls see below)

    Remote Security Gateway Type : IP Only
    IP Address : xxx.xxx.xxx.xxx
    Local Security Group Type : Subnet
    IP Address : xxx.xxx.xxx.xxx
    Subnet Mask : xxx.xxx.xxx.xxx

    Keying mode : IKE with preshared key
    Phase1 DH Group : Group 1
    Phase1 Encryption : 3DES
    Phase1 Authentication : SHA1
    Phase1 SA Lifetime : 86400 seconds
    Perfect Forward Secrecy : unchecked
    Phase2 Encryption : 3DES
    Phase2 Authentication : SHA1
    Phase2 SA Lifetime : 28800 seconds
    Preshared Key : *****

    Advanced :

    Aggressive mode : checked (*3 pls see below)
    Compress (Support IP payload Compression Protocol) : checked
    Keep Alive : checked
    AH Hash Algorithm : MD5 checked
    NetBIOS broadcast : unchecked
    NAT Transversal : unchecked
    DPD interval : 30 seconds checked

    =========================================================

    *1 = the private static IP address allocated to the VoIP PAP2T

    *2 = RV016 does not allow me to uncheck the aggressive mode unless I choose non-dynamic IP in the remote security gateway type. But the 10 RV042 tunnels are all using PPPoE, not static ADSL.

    *3 = RV042 does allow me to uncheck aggressive mode but then that would disconnect the tunnel.
    ==========================================================

    Hope I make some sense here !

    Regards


    Vince
     
  12. type_r

    type_r LI Guru Member

    How do I get rid of the aggressive mode using dynamic ADSL

    Hello

    The above config can now last me 24 hours, of which most of the 10 tunnels will drop like flies and I have to reboot the RV016.

    I have unchecked the Keep alive on RV016 and also increased the DPD to 30sec.

    Now I would like to get rid of the aggressive mode but the RV016 grayed it out, because of me choosing the "Dynamic IP + Email addr".

    Can I choose IP + Email addr when I am using Dynamic public IP (dynamic ADSL) for the RV042?

    Or how do I get rid of the aggressive mode in this instance?

    Anyone care to share your config?
     