
We require peer to have ID X.X.X.X but peer declares 10.1.1.2

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by neves, Mar 13, 2008.

  1. neves

    neves LI Guru Member

    I'm trying to make a VPN between 2 linksys RS042 routers. I successfully connected them in my site using 2 different ISP providers. When we sent one of the routers to another site, the connection failed.

    In this remote site, the Linksys is behind a cisco router. The cisco is configured to send all requests directed to an external IP to the Linksys and is the Linksys gateway. The remote site wan port is configured with IP 10.1.1.2, but the local linksys vpn remote gateway is configured with a valid Internet address.

    Everything looks fine in the logs, except for this message in the local log:

    "We require peer to have ID X.X.X.X but peer declares 10.1.1.2"

    If you ask, I can post my log files here.

    Both routers are correctly connected to the Internet and we can ping each other. Both have firmware version 1.3.9.

    Do you have any suggestion about how to make the two machines connect?

    kind regards,
    Paulo Eduardo Neves
     
  2. neves

    neves LI Guru Member

    I did an ugly hack to solve the problem. I said that the remote site has a dynamic IP address. The router didn't try to match the machine IP and everything worked.

    If a machine is specified as DDNS, only it can start the connection. Now I have a new problem: my local machine really has a dynamic DNS. If both connections have a dynamic IP, I can't start the connection. It looks like I still have to solve my original problem. At least now I know that the connection is possible and the problem is really the mismatching of IP addresses.

    BTW, how do I make the VPN reconnect automatically after a network failure?

    regards,
     
  3. vpnuser

    vpnuser LI Guru Member

    Sounds like a mismatch between the local security gateway type on router A and the remote security gateway type on router B.
     
  4. HughR

    HughR LI Guru Member

    Sounds like the RS042 uses Openswan IPsec code. I did not know that.

    The message says that the policy loaded into Pluto, the keying daemon, does not match what it is seeing.

    Does it really say X.X.X.X? Or is it a dotted quad IP address? It could also be in the form of a domain name.

    10.1.1.2 is a really suspicious IP address. It isn't normally routable. The ID need not be routable, but if it is inferred from the packet's source address, then it ought to be routable.

    Although I wrote the code that is generating the message, I have no idea how the Linksys GUI expresses these policies.
     
  5. neves

    neves LI Guru Member

    No, it isn't really X.X.X.X, but our external IP address.


    The 10.1.1.2 is the IP configured in the router, but it is in our internal network. This port is connected to another router, a Cisco. This Cisco redirects all traffic destined for the X.X.X.X external IP to the 10.1.1.2 internal IP. We need this Cisco to connect to our provider network.

    Everything makes sense. The VPN doesn't complete because it expects packets addressed from X.X.X.X, but they are addressed from 10.1.1.2.

    I'd like to be able to turn off this IP address verification. Is it possible? May I configure the RS042 behind another router?
     
  6. blake_

    blake_ LI Guru Member

    Isn't this what NAT Traversal is for?

    I don't think NAT-T is a feature of this router as it is with other RV series routers.
     
  7. neves

    neves LI Guru Member

    I'll google for NAT-T. Which Linksys products similar to the RS042 have this feature?
     
  8. blake_

    blake_ LI Guru Member

    I know that the RV082 does, maybe RV042.

    It was only added with a recent firmware release, though.
     
  9. Sfor

    Sfor Network Guru Member

    WRV200 does support NAT traversal. It seems to be working, but the implementation looks a bit strange.
     
  10. geerol

    geerol Guest

    WRV200 auto-discovers that one or both sides are behind NAT routers and moves to NAT-T (uses UDP 4500 instead of ESP); however, when nicely talking and shaking hands with the peer WRV200 it also gets me into
    We require peer to have ID [external IP] but peer declares [Internal IP]
    Same play! Help!
     