
RV042 doesn't allow any IKE tunnels....

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by kristiandg, Dec 28, 2007.

  1. kristiandg

    kristiandg LI Guru Member

    Good afternoon all.. I've got an RV042, that I had the 1.3.10 (then downgraded to 1.3.9) firmware and I'm having a hell of a time actually getting the thing to do what it was designed to do.

    I've got it set up to allow a connection with very simple encryption techniques (DES/MD5/DH1). Those, of course, match the settings on the client. I know this because when they don't match I get the "No Wildecard connection" warning..... When they do match, I get the following:
    ==================
    Dec 28 13:31:47 2007 VPN Log Ignoring Vendor ID payload [4a131c8107035845...]
    Dec 28 13:31:47 2007 VPN Log Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
    Dec 28 13:31:47 2007 VPN Log Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02]
    Dec 28 13:31:47 2007 VPN Log Ignoring Vendor ID payload [4485152d18b6bbcc...]
    Dec 28 13:31:47 2007 VPN Log Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-00]
    Dec 28 13:31:47 2007 VPN Log Ignoring Vendor ID payload Type = [XAUTH]
    Dec 28 13:31:47 2007 VPN Log [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet
    Dec 28 13:31:47 2007 VPN Log Aggressive mode peer ID is ID_FQDN: '@avaya.com'
    Dec 28 13:31:47 2007 VPN Log Responding to Aggressive Mode from 74.215.93.221
    Dec 28 13:31:47 2007 VPN Log No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
    ===========================
    Notice the last line "No acceptable Oakley Transform, No Proposal chosen. check SA or preshared key". Of course they match. The clients get "IKE Phase1 No Response". Both the 1.3.10 and 1.3.9 firmwares are doing this.

    Thoughts? Anyone? I'm about ready to return these two things (I'm just working with one right now, it's not a point-to-point tunnel) and swear off Linksys forever... :mad::mad::mad:

    Thx.

    Kris G.
     
  2. cfinic

    cfinic LI Guru Member

    This may be a stupid question: client to gateway or gateway to gateway? If client to gateway, what program/OS are you using?

    What's the network look like? Is the router connected directly to the WAN or is it through a router?
     
  3. kristiandg

    kristiandg LI Guru Member

    Oops, that would help wouldn't it... :) RV042 connected directly to a cable modem and acts as its own firewall (it's not behind anything else). The connecting device is an Avaya VPN IP phone. There's a config on how to set it up for the Netgear stuff, and for the most part, it's darn straightforward and easy. But I also tried using Mac OS X Leopard (using VPN Tracker) and it had the exact same result...

    VPN Tunnel Config:

    Client to Gateway:
    -----------------
    Tunnel: 1
    Name: avaya
    Interface: WAN1
    Enable: YES
    ----
    Local SG: IP Only (External IP)
    Local SG Type: Subnet
    IP: 192.168.1.0
    Mask: 255.255.255.0
    ----
    Remote Client: Dynamic IP + FQDN Auth
    Domain Name: avaya.com
    ----
    Keying Mode: IKE w/ Preshared Key
    Phase 1 DH Group: 1
    Phase 1 Encryption: DES
    Phase 1 Auth: MD5
    Phase 1 SA Lifetime: 28800
    PFS: YES
    Phase 2 DH Group: 1
    Phase 2 Encryption: DES
    Phase 2 Auth: MD5
    Phase 2 SA Lifetime: 3600
    Preshared Key: avaya
    ----
    ADVANCED SETTINGS:
    Aggressive: Yes
    Keep Alive: Yes
    AH Hash: MD5
    DPD: Yes (10 sec).
    ----
     
  4. Toxic

    Toxic Administrator Staff Member

    Where is the Netgear guide? The only one I can find is setting up TWO Netgear routers (2 end points of the VPN), so what exactly are you trying to connect to the RV042 using a VPN connection? Does your IP phone handle IPSec VPN itself?
     
  5. kristiandg

    kristiandg LI Guru Member

    Here it is. The phone has its own VPN client built in. Plus, don't forget, I had the exact same issue w/ the VPN Tracker software (which is a universal VPN client).

    NetGear instructions:
    http://support.avaya.com/elmodocs2/ip_office/tech/Global_IP_Office_Technical_Tip_184.pdf

    VPN Tracker Software:
    http://equinux.com/us/products/vpntracker/index.html

    I had a brain-fart. The manual they had on Netgear's website was how to set up Avaya VPN phones for QoS on their PoE switch products. This manual is made by Avaya.... They tested it in their labs...
     
  6. Toxic

    Toxic Administrator Staff Member

    I noticed your domain name on the RV042 is set to "avaya.com"; is this correct? The Linksys RV will be looking at avaya.com and not your own domain (if you have one) to connect to. Are you sure this is correct? Where is YOUR phone's WAN IP or domain?

    I would try using 3DES/SHA1 and set both lifetimes at 28800 if possible as well, to allow both router and VPN phone to try and use the exact same settings and remove any mistakes.
     
  7. kristiandg

    kristiandg LI Guru Member

    I thought the FQDN was just used for matching authentication. I say this because the defaults from Netgear are "FVS_Remote.com", clearly not a valid name. What exactly would it be looking for at that domain? I haven't supplied any host at that domain (like vpn.avaya.com). The phone knows the IP of the device, and the device knows the IP of the phone, so I don't understand why it would ever look to that domain name and what it would be doing that for. I was told they just had to match on each device.
     
  8. Toxic

    Toxic Administrator Staff Member

    The domain name is the public domain name of your WAN address. If you don't have one I would recommend signing up to dyndns.org for a free account, setting up each WAN to have its own DDNS name, then using the DDNS name as the domain name.

    Basically you are telling each VPN tunnel to look at "domain name" where the other end of the tunnel resides. If you have static IP addresses then use the WAN IP address instead.
     
  9. kristiandg

    kristiandg LI Guru Member

    Well, domain is now set up to match. If you ping it, you get the public IP of the RV042. However, still no effect. It's mail.xxxxxxxxx.com (of course it's really not "xxxxxxx"). Same errors...

    HELP!!!!!! :)

    __________Phone set for__________
    server: mail.xxxxxxxxxx.com
    IKE ID: mail.xxxxxxxxxx.com
    PSK: avaya

    IKE Parameters:
    IKE ID Type: FQDN
    DH Group: 2
    Encryption Alg: 3DES
    Auth Alg: MD5
    IKE XchgMode: Aggressive
    IKE Config Mode: Disable
    XAUTH: Enable

    IPSec Parameters:
    Encryption Alg: 3DES
    DH Group: 2
    Auth Alg: MD5

    __________RV042__________
    Local Security Gateway Type IP Only
    IP address (the device's WAN 1 IP)
    Local Security Group: Subnet
    IP address 192.168.1.1
    Subnet Mask 255.255.255.0

    Remote Client Setup Dynamic IP + Domain Name(FQDN)
    Domain Name mail.xxxxxxxx.com

    IPSec Setup Keying Mode Preshared key
    Phase1 DH Group: Group2
    Phase1 Encryption: 3DES
    Phase1 Authentication MD5
    Phase1 SA Life Time seconds: 3600
    Perfect Forward Secrecy: YES
    Phase2 DH Group: Group2
    Phase2 Encryption: 3DES
    Phase2 Authentication: MD5
    Preshared Key: avaya

    __________VPN Log on RV042__________
    Jan 10 17:06:26 2008 VPN Log Ignoring Vendor ID payload [4a131c8107035845...]
    Jan 10 17:06:26 2008 VPN Log Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
    Jan 10 17:06:26 2008 VPN Log Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02]
    Jan 10 17:06:26 2008 VPN Log Ignoring Vendor ID payload [4485152d18b6bbcc...]
    Jan 10 17:06:26 2008 VPN Log Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-00]
    Jan 10 17:06:26 2008 VPN Log Ignoring Vendor ID payload Type = [XAUTH]
    Jan 10 17:06:26 2008 VPN Log [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet
    Jan 10 17:06:26 2008 VPN Log Aggressive mode peer ID is ID_FQDN: '@mail.xxxxxxxxxx.com'
    Jan 10 17:06:26 2008 VPN Log Responding to Aggressive Mode from 74.215.93.221
    Jan 10 17:06:26 2008 VPN Log No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
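As an added example (not from the thread, the phone, or the RV042 firmware), a small Python checker that compares the two phase 1 proposals posted above attribute by attribute and classifies the RV042 log lines by negotiation stage. In IKEv1 the authentication method is itself a phase 1 attribute, so "XAUTH: Enable" on the phone against a plain preshared key on the router is one difference a side-by-side algorithm comparison does not show; the checker flags it. Class, field and function names are hypothetical; the config values and log lines are copied from posts 3, 9 and 10.

```python
import re
from dataclasses import dataclass
# IKEv1 phase 1 proposal as each side of the thread advertises it. auth_method stands for the
# ISAKMP authentication-method attribute: pre-shared key (1) vs XAUTHInitPreShared (65001 in
# the IKE XAUTH draft); a responder configured for one does not match a transform carrying the other.
@dataclass(frozen=True)
class Phase1Proposal:
    encryption: str   # e.g. "3DES"
    hash_alg: str     # e.g. "MD5"
    dh_group: int     # e.g. 2
    auth_method: str  # "PSK" or "XAUTH-PSK"
    exchange: str     # "aggressive" or "main"

PHASE1_FIELDS = ("encryption", "hash_alg", "dh_group", "auth_method", "exchange")

def proposal_mismatches(initiator, responder):
    """Names of phase 1 attributes that differ; an empty list means the transform is acceptable."""
    return [f for f in PHASE1_FIELDS if getattr(initiator, f) != getattr(responder, f)]
# Values from post 9: the phone has "XAUTH: Enable", the RV042 uses a plain preshared key;
# aggressive mode is enabled on the RV042 per post 3.
PHONE = Phase1Proposal("3DES", "MD5", 2, "XAUTH-PSK", "aggressive")
RV042 = Phase1Proposal("3DES", "MD5", 2, "PSK", "aggressive")

# Patterns for the RV042 log lines quoted in posts 9 and 10; vendor ID lines are skipped.
LOG_PATTERNS = [
    (re.compile(r"Received Aggressive Mode 1st packet"), "phase1-start"),
    (re.compile(r"peer ID is (\S+): '([^']*)'"), "peer-id"),
    (re.compile(r"No acceptable Oakley Transform"), "phase1-no-proposal"),
    (re.compile(r"Policy violation UDP \S+->.*:500\b"), "udp500-refused"),
]

def classify_log(lines):
    """Return (stages in order, (id_type, id_value) or None) for the recognised lines."""
    stages, peer_id = [], None
    for line in lines:
        for pat, stage in LOG_PATTERNS:
            m = pat.search(line)
            if m:
                stages.append(stage)
                if stage == "peer-id":
                    peer_id = (m.group(1), m.group(2))
                break
    return stages, peer_id
# Log lines copied from post 9, vendor ID lines omitted.
SAMPLE_LOG = [
    "Jan 10 17:06:26 2008 VPN Log [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet",
    "Jan 10 17:06:26 2008 VPN Log Aggressive mode peer ID is ID_FQDN: '@mail.xxxxxxxxxx.com'",
    "Jan 10 17:06:26 2008 VPN Log No acceptable Oakley Transform, No Proposal chosen. Please check your SA",
]
```

Running `classify_log(SAMPLE_LOG)` yields the stages phase1-start, peer-id, phase1-no-proposal with the peer ID parsed as ID_FQDN, and `proposal_mismatches(PHONE, RV042)` reports only `auth_method`.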
     
  10. kristiandg

    kristiandg LI Guru Member

    Here's an added bit of useless info....
    ---------------
    Jan 11 01:22:05 2008 Connection Refused - Policy violation UDP 74.215.93.221:50021->(I'm hiding this IP):500 on ixp1
    ---------------

    Of course, according to the above firewall log entry, all my test inbound connections (IPSec on port 500) are being declined. And what "policy" is being "violated"? That is the most useless log entry I've ever seen......

    HELP!!!!!!
     
  11. ItalianNJ

    ItalianNJ Guest

    Did you get this to work?

    Hey man.. I am trying the same thing with Avaya VPNRemote and an RV042 - did you ever get this working? I am having the same issue!

    And now I am getting the connection refused messages like you are getting too.
     
