
rv042 ipsec vpn with ios

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by mc23646266, Feb 20, 2011.

  1. mc23646266

    mc23646266 Networkin' Nut Member

    Hello,

    I got my RV042 recently and wanted to configure an IPsec VPN tunnel for my iPhone and iPad. While I did not manage to set up a working connection with IPsec, a PPTP connection does work.

    But I want to use IPsec with the RV042! (I have IPsec running between iOS and a FritzBox, so I can cheat from there, which is maybe working.)

    my setup: 1 static ip, sdsl on wan1
    added a group vpn with USER FQDN
    Group1, 3DES, SHA1, 28800
    no-PFS
    Group2, DES, NULL, 3600
    Advcfg: aggressive, compress, keep-alive, ah-sha1, nat-t

    VPN log: > Aggressive mode peer ID is ID_KEY_ID:
    '0x62345640626F6C7A2D7761636123456782E6465'
    No suitable connection for peer
    > '0x62345640626F6C7A2D7761636123456782E6465',
    Please check Phase 1 ID value
    > initial Aggressive Mode packet claiming to be from
    my@USER FQDN.de on 87.177.16.37 but no connection has been
    authorized, please check peer ID

    So the iOS device connects to the RV042, which does not authorize it.
    There seems to be NO possibility to set this up with the web GUI.

    I made the telnet available on the rv042 -> http://www.linksysinfo.org/forums/showthread.php?t=47539

    Then I tried:
    Code:
    RV042> help
    RV042> rg_conf_print /
    RV042> rg_conf_print /dev/ips1/ipsec/auto/
    
    RV042> rg_conf_set /dev/ips1/ipsec/auto/phase1/dh_group/grp1 myusername
    RV042> rg_conf_set /dev/ips1/ipsec/auto/phase2/dh_group/grp1 myusername
    But I still get the same VPN log results.

    Does anybody know how to configure the missing link between the VPN group and the user accounts/peer IDs?

    greetz

    =:)f

    try this for example:

    Code:
    rg_conf_print /dev/ips1/
    
    and tell me where to configure the 'peer ID' please
     
  2. mc23646266

    mc23646266 Networkin' Nut Member

    rg_conf_..

    tried some more commands in the terminal:
    Code:
    RV042> rg_conf_set /dev/ips1/ipsec/auto/phase2/dh_group/grp1 myusername
    RV042> rg_conf_set /dev/ips1/ipsec/auto/phase1/dh_group/grp1 myusername
    RV042> rg_conf_set /dev/ips1/ipsec/auto/phase1/dh_group/grp1 0    
    RV042> rg_conf_set /dev/ips1/ipsec/auto/phase2/dh_group/grp1 0
    RV042> rg_conf_set /nk/rw/user/0/dev_name isp1
    RV042> rg_conf_set /nk/rw/user/0/peer_id myusername
    RV042> rg_conf_set /nk/rw/user/0/peer_id 0x65647640626F6C7A2D7761636874656C2E6465
    RV042> rg_conf_set /nk/rw/user/0/peer 0x65647640626F6C7A2D7761636874656C2E6465   
    RV042> rg_conf_set /nk/sshd_enabled 1   
    RV042> rg_conf_set /nk/ssh/enabled 1 
    RV042> rg_conf_set /dev/ips1/auto/phase1/auth/peer_id 0x65647640626F6C7A2D7761636874656C2E6465  
    RV042> rg_conf_set /dev/ips1/ipsec/auto/phase1/auth/peer_id 0x65647640626F6C7A2D7761636874656C2E6465
    RV042> rg_conf_set /admin/user/1/permissions/vpns 1  
    RV042> rg_conf_set /wbm/theme openrg2
    
    then the web-gui/vpn crashed constantly, so I reversed the changes with the
    appropriate rg_conf_del commands.

    the web-gui/vpn works again
     
  3. mc23646266

    mc23646266 Networkin' Nut Member

    rv042 shell

    the following command shows the differences between the working FritzBox
    connection (ips0) and the group VPN config (ips2)

    Code:
    / # whack --status
    000 "ips0"[4]: 192.168.200.0/24===xxx.yyy.zzz.rrr[@host1.dyndns.org]---xxx.yyy.zzz.ggg...93.210.192.190[@host2.dyndns.org]===192.168.1.0/24
    000 "ips0"[4]:   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 20s; rekey_fuzz: 50%; keyingtries: 0
    000 "ips0"[4]:   policy: PSK+COMPRESS+TUNNEL+PFS+AGGRESSIVE; interface: ixp1; erouted
    000 "ips0"[4]:   newest ISAKMP SA: #7; newest IPsec SA: #8; eroute owner: #8
    000 "ips2": 192.168.200.0/24===xxx.yyy.zzz.rrr---xxx.yyy.zzz.ggg...%opportunistic[userFQDN]
    000 "ips2":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 20s; rekey_fuzz: 50%; keyingtries: 0
    000 "ips2":   policy: PSK+COMPRESS+TUNNEL+AGGRESSIVE; interface: ixp1; unrouted
    000 "ips2":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
    000 "ips0": 192.168.200.0/24===xxx.yyy.zzz.rrr[@host1.dyndns.org]---xxx.yyy.zzz.ggg...%any[@host2.dyndns.org]===192.168.1.0/24
    000 "ips0":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 20s; rekey_fuzz: 50%; keyingtries: 0
    000 "ips0":   policy: PSK+COMPRESS+TUNNEL+PFS+AGGRESSIVE; interface: ixp1; unrouted
    000 "ips0":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
    000  
    000 #8: "ips0"[4] 93.210.192.190 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3601s; newest IPSEC; eroute owner
    000 #8: "ips0"[4] 93.210.192.190 esp.3e48614c@93.210.192.190 esp.403842c8@xxx.yyy.zzz.rrr tun.1008@93.210.192.190 tun.1007@xxx.yyy.zzz.rrr
    000 #7: "ips0"[4] 93.210.192.190 STATE_AGGR_R2 (ISAKMP SA established); EVENT_SA_EXPIRE in 3600s; newest ISAKMP
    000  
    
    within ips2 I am wondering about '%opportunistic[userFQDN]'
    above IPs, names ... edited for privacy

    think the following commands might be helpful:
    Code:
    Usage: pluto [--help] [--version] [--optionsfrom <filename>] \
    	[--nofork] [--stderrlog] [--noklips] [--nocrsend] [--strictcrlpolicy] [--uniqueids] \
    	[--interface <ifname>] [--ikeport <port-number>] \
    	[--ctlbase <path>] \
    	[--secretsfile <secrets-file>] \
    	[--adns <pathname>] \
    	[--debug-none] [--debug-all] \
    	[--debug-raw] [--debug-crypt] [--debug-parsing] [--debug-emitting] \
    	[--debug-control] [--debug-klips] [--debug-dns] [ --debug-private] [ --debug-nat_t] \
    	[--nat_traversal] [--keep_alive <delay_sec>] \
    	[--force_keepalive] [--disable_port_floating]
    FreeS/WAN 1.99
    
    Code:
    / # whack --help
    Usage:
    
    all forms: [--optionsfrom <filename>] [--ctlbase <path>] [--label <string>]
    
    help: whack [--help] [--version]
    
    connection: whack --name <connection_name> \
        [--ipv4 | --ipv6 ] [--tunnelipv4 | --tunnelipv6 ] \
        (--host <ip-address> | --id <identity> | --cert <path>) [--ikeport <port-number>] \
        [--nexthop <ip-address>] [--client <subnet> | --clientwithin <address range>] \
        [--clientprotoport <protocol>/<port>] [--dnskeyondemand] \
        [--updown <updown>] \
        --to (--host <ip-address> | --id <identity> | --cert <path>) [--ikeport <port-number>] \
        [--nexthop <ip-address>] [--client <subnet> | --clientwithin <address range>] \
        [--clientprotoport <protocol>/<port>] [--dnskeyondemand] \
        [--updown <updown>] \
        [--psk] [--rsasig] \
        [--encrypt] [--authenticate] [--compress] [--tunnel] [--pfs] \
        [--ikelifetime <seconds>] [--ipseclifetime <seconds>] [--ikekeylength <bites>] [--ipseckeylength <bites>] \
        [--reykeymargin <seconds>] [--reykeyfuzz <percentage>] \
        [--keyingtries <count>] [--dpddelay <seconds> --dpdtimeout <seconds>] \
        [--dpdaction (clear|hold)] [--dontrekey] [--aggrmode] [--anti_replay on | off]
    
    routing: whack (--route | --unroute) --name <connection_name>
    
    initiation: whack (--initiate | --terminate) --name <connection_name> [--asynchronous]
    
    opportunistic initiation:
     whack [--ipv4 | --ipv6 ] [--tunnelipv4 | --tunnelipv6 ] \
        --oppohere <ip-address> --oppothere <ip-address>
    
    delete: whack --delete --name <connection_name>
    
    deletestate: whack --deletestate <state_object_number>
    
    deleteinstance: whack --deleteinstance <instance_number>
    
    pubkey: whack --keyid <id> [--addkey] [--pubkeyrsa <key>]
    
    debug: whack [--name <connection_name>] \
        [--debug-none] [--debug-all] \
        [--debug-raw] [--debug-crypt] [--debug-parsing] [--debug-emitting] \
        [--debug-control] [--debug-klips] [--debug-dns] [--debug-private]
    
    listen: whack (--listen | --unlisten)
    
    list: whack [--utc] [--listpubkeys] [--listcerts] [--listcacerts] [--listcrls] [--listall]
    
    reread: whack [--rereadsecrets] [--rereadmycert] [--rereadcacerts] [--rereadcrls] [--rereadall]
    
    status: whack --status
    
    shutdown: whack --shutdown
    
    FreeS/WAN 1.99
     
  4. mc23646266

    mc23646266 Networkin' Nut Member

    rg_conf_print /dev/ips0 ...

    compared the ips0 and ips2 settings, and found differences in 'r_Any' and 'r_idType'

    Code:
    RV042> rg_conf_print /dev/ips0/ipsec/remote
    (remote
      (r_idType(2))
      (fqdn(@host2.dyndns.org))
      (r_Any(2))
      (addr(0.0.0.0))
      (ip_type(2))
      (network(192.168.1.0))
      (netmask(255.255.255.0))
      (r_gwDNS(0))
    )
    Returned 0
    RV042> rg_conf_print /dev/ips2/ipsec/remote
    (remote
      (addr(0.0.0.0))
      (r_idType(3))
      (user_fqdn(userFQDN))
      (network(0.0.0.0))
      (netmask(255.255.255.255))
    )
    Returned 0
    Cannot find any information about those config entries at http://www.jungo.com/openrg/pr_openrg.html. There is a PDF named 'openrg_configuration_guide.pdf' somewhere.
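The VPN log in the first post reports the peer identity as ID_KEY_ID (a hex-encoded value), while the ips2 dump above is configured with r_idType(3) and a user_fqdn. As an added example that is not from this thread or the RV042 firmware, the script below decodes the hex ID_KEY_ID value the way the log prints it and shows that pluto-style connection selection needs the ID type and the value to match, so identical text under a different ID type is still "no suitable connection". The hex value, the identities and the mapping of r_idType onto the RFC 2407 numbering are constructed assumptions.

```python
import re
from dataclasses import dataclass

# IKEv1 identification types from RFC 2407 (only the ones relevant here).
ID_FQDN, ID_USER_FQDN, ID_KEY_ID = 2, 3, 11
ID_TYPE_NAMES = {ID_FQDN: "ID_FQDN", ID_USER_FQDN: "ID_USER_FQDN", ID_KEY_ID: "ID_KEY_ID"}
# Assumption: r_idType(2)/fqdn and r_idType(3)/user_fqdn in the rg_conf_print
# dumps use this same numbering.

@dataclass(frozen=True)
class PeerId:
    id_type: int
    value: str

def decode_key_id(hex_text: str) -> str:
    """Decode the '0x...' ID_KEY_ID string from the VPN log into readable text."""
    body = hex_text[2:] if hex_text.lower().startswith("0x") else hex_text
    if len(body) % 2:
        raise ValueError("odd-length hex string; the value is truncated or hand-edited")
    return bytes.fromhex(body).decode("ascii")

_LOG_RE = re.compile(r"peer ID is (?P<type>ID_\w+):\s*'(?P<value>[^']*)'")

def parse_log_peer_id(log_text: str) -> PeerId:
    """Extract the peer identity from an 'Aggressive mode peer ID is ...' log line."""
    m = _LOG_RE.search(log_text)
    if not m:
        raise ValueError("no 'peer ID is' line found")
    type_num = {name: num for num, name in ID_TYPE_NAMES.items()}[m.group("type")]
    raw = m.group("value")
    value = decode_key_id(raw) if type_num == ID_KEY_ID else raw
    return PeerId(type_num, value)

def connection_matches(conn_id_type: int, conn_value: str, peer: PeerId) -> bool:
    """A connection is selected only if the ID type AND the value match;
    the same bytes presented under another ID type do not match."""
    return conn_id_type == peer.id_type and conn_value == peer.value

def explain(log_text: str, conn_id_type: int, conn_value: str) -> str:
    peer = parse_log_peer_id(log_text)
    if connection_matches(conn_id_type, conn_value, peer):
        return f"match: {ID_TYPE_NAMES[peer.id_type]} '{peer.value}'"
    return (f"no match: peer sent {ID_TYPE_NAMES[peer.id_type]} '{peer.value}', "
            f"connection expects {ID_TYPE_NAMES[conn_id_type]} '{conn_value}'")

# Constructed log text in the RV042 VPN log format; the hex is 'user@example.com'.
SAMPLE_LOG = ("Aggressive mode peer ID is ID_KEY_ID:\n"
              "'0x75736572406578616D706C652E636F6D'\nNo suitable connection for peer")
```

Running `explain(SAMPLE_LOG, ID_USER_FQDN, "user@example.com")` reports the type mismatch even though the decoded text is identical to the configured user_fqdn.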
     
