
WRV200 Site to Site

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by goodwyne, Jul 22, 2007.

  1. goodwyne (LI Guru Member)

    After some searching here I've not found an answer so here's my scenario.

    Two sites, both with Comcast cable internet and dynamic IP addresses. Both sites have WRV200 routers. I've got DDNS set up for both routers. Both routers are configured identically except that one is 192.168.1.1 and the other is 192.168.2.1, and they obviously have different DDNS names.

    No tunnel is being established. My configuration is listed below.
    __________________________________

    Tunnel Entry: Tunnel A
    VPN Tunnel: Enabled
    Tunnel Name: XXX
    NAT-Traversal: Disabled

    Local Secure Group: Subnet
    IP 192.168.1.1 (192.168.2.1)
    Subnet 255.255.255.0

    Remote Secure Group Subnet
    IP 192.168.2.1 (192.168.1.1)
    Subnet 255.255.255.0

    Remote Secure Gateway FQDN
    XXX1.dnsalias.com (XXX2.dnsalias.com)

    Key Exchange Method: Auto (IKE)
    Operation Mode: Main
    ISAKMP Encryption Method: Auto
    ISAKMP Authentication Method: MD5
    ISAKMP DH Group: Group 14: 2048-bits
    ISAKMP Key Lifetime (s): 28800
    PFS: Enabled
    IPSec Encryption Method: Auto
    IPSec Authentication Method: MD5
    IPSec DH Group: same as ISAKMP
    IPSec Key Lifetime: 3600
    Pre-Shared Key: XXX111111

    Dead Peer Detection selected
    Detection Delay(s): 30
    Detection Timeout(s): 120
    DPD Action: Recover Connection

    Global NAT-Traversal: Enabled

    Values in parentheses are for the second WRV200 so you can see the difference in the setup between the two. I'm stuck here and don't see why this isn't working. Any ideas?
     
  2. eric_stewart (Super Moderator, Staff Member)

    Your IP address / mask pairs are inconsistent. If you are trying to protect just IP address 192.168.2.1 to 192.168.1.1 in the VPN, you should use 192.168.2.1 mask 255.255.255.255 and 192.168.1.1 mask 255.255.255.255.

    If you want to protect the whole subnet in the VPN (sounds like this is more likely) the IP address / mask pairs should be 192.168.2.0 mask 255.255.255.0 and 192.168.1.0 mask 255.255.255.0.

    What you have should be OK since the mask is masking just the 1st 3 octets of the IP address anyway, but it's possible that your IP/mask pairs aren't properly handled in the underlying code so better safe than sorry.

    It would also be useful if you could post some information from your VPN logs if you continue to be unsuccessful.

    /Eric
     
  3. goodwyne (LI Guru Member)

    Won't be back at either site until tomorrow morning, but your observation is accurate. Not sure how I missed that. It is the entire network on each end that I want to have access to the VPN, so the final octet should be 0, not 1. I'll let you know in the morning whether that works or not.

    Another question, though. With the DynDNS alias I should be able to reach either router using the alias over the internet, since I have remote administration turned on, but I can't. Any idea why not?
     
  4. goodwyne (LI Guru Member)

    I was able to get to remote administration in both routers; I was forgetting to use HTTPS. I've gone in and corrected both routers' VPN configuration to make the last octet 0 instead of 1. Still no joy.

    Here's the log for one of the routers:

    000 [Sun 20:26:12] "TunnelA": deleting connection
    001 [Sun 20:26:12] "TunnelA" #7: deleting state (STATE_QUICK_I2)
    002 [Sun 20:26:12] "TunnelA" #3: deleting state (STATE_MAIN_R3)
    003 [Sun 20:26:12] "TunnelA" #5: deleting state (STATE_MAIN_I4)
    004 [Sun 20:26:18] added connection description "TunnelA"
    005 [Sun 20:26:19] "TunnelA" #11: initiating Main Mode
    006 [Sun 20:26:19] "TunnelA" #11: [WRV200 Response:] ISAKMP SA (Main Mode) Initiation
    007 [Sun 20:26:19] "TunnelA" #11: received Vendor ID payload [Openswan (this version) 2.4.5dr3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
    008 [Sun 20:26:19] "TunnelA" #11: received Vendor ID payload [Dead Peer Detection]
    009 [Sun 20:26:19] "TunnelA" #11: received Vendor ID payload [RFC 3947] method set to=109
    010 [Sun 20:26:19] "TunnelA" #11: enabling possible NAT-traversal with method 3
    011 [Sun 20:26:20] "TunnelA" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    012 [Sun 20:26:20] "TunnelA" #11: STATE_MAIN_I2: sent MI2, expecting MR2
    013 [Sun 20:26:22] "TunnelA" #11: I did not send a certificate because I do not have one.
    014 [Sun 20:26:23] "TunnelA" #11: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 540000 usec
    015 [Sun 20:26:23] "TunnelA" #11: NAT-Traversal: Result using 3: no NAT detected
    016 [Sun 20:26:23] "TunnelA" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    017 [Sun 20:26:23] "TunnelA" #11: STATE_MAIN_I3: sent MI3, expecting MR3
    018 [Sun 20:26:23] "TunnelA" #12: responding to Main Mode
    019 [Sun 20:26:23] "TunnelA" #12: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    020 [Sun 20:26:23] "TunnelA" #12: STATE_MAIN_R1: sent MR1, expecting MI2
    021 [Sun 20:26:23] "TunnelA" #11: Main mode peer ID is ID_IPV4_ADDR: '24.99.243.158'
    022 [Sun 20:26:23] "TunnelA" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    023 [Sun 20:26:23] "TunnelA" #11: [WRV200 Response:] ISAKMP SA established
    024 [Sun 20:26:23] "TunnelA" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp2048}
    025 [Sun 20:26:23] "TunnelA" #11: Dead Peer Detection (RFC 3706): enabled
    026 [Sun 20:26:23] "TunnelA" #13: [WRV200 Response:] IPSec SA (Quick Mode) Initiation
    027 [Sun 20:26:23] "TunnelA" #13: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11}
    028 [Sun 20:26:24] "TunnelA" #12: NAT-Traversal: Result using 3: no NAT detected
    029 [Sun 20:26:27] "TunnelA" #12: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 610000 usec
    030 [Sun 20:26:27] "TunnelA" #12: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    031 [Sun 20:26:27] "TunnelA" #12: STATE_MAIN_R2: sent MR2, expecting MI3
    032 [Sun 20:26:28] "TunnelA" #13: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 750000 usec
    033 [Sun 20:26:31] "TunnelA" #13: Dead Peer Detection (RFC 3706): enabled
    034 [Sun 20:26:31] "TunnelA" #13: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    035 [Sun 20:26:31] "TunnelA" #13: [WRV200 Response:] IPSec SA established
    036 [Sun 20:26:31] "TunnelA" #13: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8a269d7b <0x9130a83c xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
    037 [Sun 20:26:31] "TunnelA" #11: Informational Exchange message must be encrypted
    038 [Sun 20:26:32] "TunnelA" #11: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x8a269d77) not found (maybe expired)
    039 [Sun 20:26:32] "TunnelA" #11: received and ignored informational message
    040 [Sun 20:26:35] "TunnelA" #12: discarding duplicate packet; already STATE_MAIN_R2
    041 [Sun 20:26:37] "TunnelA" #11: ignoring informational payload, type INVALID_PAYLOAD_TYPE
    042 [Sun 20:26:37] "TunnelA" #11: received and ignored informational message
    043 [Sun 20:26:55] "TunnelA" #12: discarding duplicate packet; already STATE_MAIN_R2
    044 [Sun 20:26:57] "TunnelA" #11: ignoring informational payload, type INVALID_PAYLOAD_TYPE
    045 [Sun 20:26:57] "TunnelA" #11: received and ignored informational message
    046 [Sun 20:27:35] "TunnelA" #14: responding to Main Mode
    047 [Sun 20:27:35] "TunnelA" #14: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    048 [Sun 20:27:35] "TunnelA" #14: STATE_MAIN_R1: sent MR1, expecting MI2
    049 [Sun 20:27:35] "TunnelA" #11: received Delete SA payload: replace IPSEC State #13 in 10 seconds
    050 [Sun 20:27:35] "TunnelA" #11: received and ignored informational message
    051 [Sun 20:27:36] "TunnelA" #11: received Delete SA payload: deleting ISAKMP State #11
    052 [Sun 20:27:37] "TunnelA" #12: max number of retransmissions (2) reached STATE_MAIN_R2
    053 [Sun 20:27:42] "TunnelA" #15: responding to Main Mode
    054 [Sun 20:27:42] "TunnelA" #15: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    055 [Sun 20:27:42] "TunnelA" #15: STATE_MAIN_R1: sent MR1, expecting MI2
    056 [Sun 20:27:44] "TunnelA" #15: NAT-Traversal: Result using 3: no NAT detected
    057 [Sun 20:27:45] "TunnelA" #16: initiating Main Mode
    058 [Sun 20:27:45] "TunnelA" #16: [WRV200 Response:] ISAKMP SA (Main Mode) Initiation
    059 [Sun 20:27:45] "TunnelA" #16: received Vendor ID payload [Openswan (this version) 2.4.5dr3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
    060 [Sun 20:27:45] "TunnelA" #16: received Vendor ID payload [Dead Peer Detection]
    061 [Sun 20:27:45] "TunnelA" #16: received Vendor ID payload [RFC 3947] method set to=109
    062 [Sun 20:27:45] "TunnelA" #16: enabling possible NAT-traversal with method 3
    063 [Sun 20:27:47] "TunnelA" #15: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 850000 usec
    064 [Sun 20:27:47] "TunnelA" #15: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    065 [Sun 20:27:47] "TunnelA" #15: STATE_MAIN_R2: sent MR2, expecting MI3
    066 [Sun 20:27:47] "TunnelA" #16: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
    067 [Sun 20:27:48] "TunnelA" #16: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    068 [Sun 20:27:48] "TunnelA" #16: STATE_MAIN_I2: sent MI2, expecting MR2
    069 [Sun 20:27:51] "TunnelA" #16: I did not send a certificate because I do not have one.
    070 [Sun 20:27:51] "TunnelA" #16: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 670000 usec
    071 [Sun 20:27:51] "TunnelA" #16: NAT-Traversal: Result using 3: no NAT detected
    072 [Sun 20:27:51] "TunnelA" #16: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    073 [Sun 20:27:51] "TunnelA" #16: STATE_MAIN_I3: sent MI3, expecting MR3
    074 [Sun 20:27:51] "TunnelA" #16: Main mode peer ID is ID_IPV4_ADDR: '24.99.243.158'
    075 [Sun 20:27:51] "TunnelA" #16: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    076 [Sun 20:27:51] "TunnelA" #16: [WRV200 Response:] ISAKMP SA established
    077 [Sun 20:27:51] "TunnelA" #16: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp2048}
    078 [Sun 20:27:51] "TunnelA" #16: Dead Peer Detection (RFC 3706): enabled
    079 [Sun 20:27:51] "TunnelA" #17: [WRV200 Response:] IPSec SA (Quick Mode) Initiation
    080 [Sun 20:27:51] "TunnelA" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#16}
    081 [Sun 20:27:54] "TunnelA" #15: discarding duplicate packet; already STATE_MAIN_R2
    082 [Sun 20:27:55] "TunnelA" #13: IPsec SA expired (LATEST!)
    083 [Sun 20:27:56] "TunnelA" #17: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 460000 usec
    084 [Sun 20:27:57] "TunnelA" #17: Dead Peer Detection (RFC 3706): enabled
    085 [Sun 20:27:57] "TunnelA" #17: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    086 [Sun 20:27:57] "TunnelA" #17: [WRV200 Response:] IPSec SA established
    087 [Sun 20:27:57] "TunnelA" #17: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8a269d7c <0x9130a83d xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}

    This is the log for the other router:

    000 [Sun 20:27:35] "TunnelA" #11: max number of retransmissions (2) reached STATE_MAIN_I2
    001 [Sun 20:27:35] "TunnelA" #11: starting keying attempt 2 of at most 5
    002 [Sun 20:27:35] "TunnelA" #13: initiating Main Mode to replace #11
    003 [Sun 20:27:35] "TunnelA" #13: received Vendor ID payload [Openswan (this version) 2.4.5dr3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
    004 [Sun 20:27:35] "TunnelA" #13: received Vendor ID payload [Dead Peer Detection]
    005 [Sun 20:27:35] "TunnelA" #13: received Vendor ID payload [RFC 3947] method set to=109
    006 [Sun 20:27:35] "TunnelA" #13: enabling possible NAT-traversal with method 3
    007 [Sun 20:27:36] "TunnelA": deleting connection
    008 [Sun 20:27:36] "TunnelA" #12: deleting state (STATE_QUICK_R2)
    009 [Sun 20:27:36] "TunnelA" #13: deleting state (STATE_MAIN_I1)
    010 [Sun 20:27:36] "TunnelA" #10: deleting state (STATE_MAIN_R3)
    011 [Sun 20:27:37] packet from 67.191.150.191:500: Informational Exchange is for an unknown (expired?) SA
    012 [Sun 20:27:38] failed to find continuation associated with req 13
    013 [Sun 20:27:43] added connection description "TunnelA"
    014 [Sun 20:27:43] "TunnelA" #14: initiating Main Mode
    015 [Sun 20:27:43] "TunnelA" #14: [WRV200 Response:] ISAKMP SA (Main Mode) Initiation
    016 [Sun 20:27:43] "TunnelA" #14: received Vendor ID payload [Openswan (this version) 2.4.5dr3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
    017 [Sun 20:27:43] "TunnelA" #14: received Vendor ID payload [Dead Peer Detection]
    018 [Sun 20:27:43] "TunnelA" #14: received Vendor ID payload [RFC 3947] method set to=109
    019 [Sun 20:27:43] "TunnelA" #14: enabling possible NAT-traversal with method 3
    020 [Sun 20:27:45] "TunnelA" #14: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    021 [Sun 20:27:45] "TunnelA" #14: STATE_MAIN_I2: sent MI2, expecting MR2
    022 [Sun 20:27:46] packet from 67.191.150.191:500: received Vendor ID payload [Openswan (this version) 2.4.5dr3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
    023 [Sun 20:27:46] packet from 67.191.150.191:500: received Vendor ID payload [Dead Peer Detection]
    024 [Sun 20:27:46] packet from 67.191.150.191:500: received Vendor ID payload [RFC 3947] method set to=109
    025 [Sun 20:27:46] packet from 67.191.150.191:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
    026 [Sun 20:27:46] packet from 67.191.150.191:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
    027 [Sun 20:27:46] packet from 67.191.150.191:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    028 [Sun 20:27:46] "TunnelA" #15: responding to Main Mode
    029 [Sun 20:27:46] "TunnelA" #15: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    030 [Sun 20:27:46] "TunnelA" #15: STATE_MAIN_R1: sent MR1, expecting MI2
    031 [Sun 20:27:46] packet from 67.191.150.191:500: phase 1 message is part of an unknown exchange
    032 [Sun 20:27:47] packet from 67.191.150.191:500: DOI of ISAKMP Security Association Payload has an unknown value: 2763788023
    033 [Sun 20:27:47] packet from 67.191.150.191:500: malformed payload in packet
    034 [Sun 20:27:47] packet from 67.191.150.191:500: sending notification PAYLOAD_MALFORMED to 67.191.150.191:500
    035 [Sun 20:27:49] "TunnelA" #15: NAT-Traversal: Result using 3: no NAT detected
    036 [Sun 20:27:51] "TunnelA" #15: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 550000 usec
    037 [Sun 20:27:51] "TunnelA" #15: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    038 [Sun 20:27:51] "TunnelA" #15: STATE_MAIN_R2: sent MR2, expecting MI3
    039 [Sun 20:27:52] "TunnelA" #15: Main mode peer ID is ID_IPV4_ADDR: '67.191.150.191'
    040 [Sun 20:27:52] "TunnelA" #15: I did not send a certificate because I do not have one.
    041 [Sun 20:27:52] "TunnelA" #15: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
    042 [Sun 20:27:52] "TunnelA" #15: [WRV200 Response:] ISAKMP SA established
    043 [Sun 20:27:52] "TunnelA" #15: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp2048}
    044 [Sun 20:27:52] "TunnelA" #15: Dead Peer Detection (RFC 3706): enabled
    045 [Sun 20:27:56] "TunnelA" #16: responding to Quick Mode {msgid:bcec837c}
    046 [Sun 20:27:56] "TunnelA" #16: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took 570000 usec
    047 [Sun 20:27:56] "TunnelA" #16: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
    048 [Sun 20:27:56] "TunnelA" #16: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
    049 [Sun 20:27:56] "TunnelA" #15: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x9130a83c) not found (maybe expired)
    050 [Sun 20:27:56] "TunnelA" #15: received and ignored informational message
    051 [Sun 20:28:01] "TunnelA" #16: Dead Peer Detection (RFC 3706): enabled
    052 [Sun 20:28:01] "TunnelA" #16: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
    053 [Sun 20:28:01] "TunnelA" #16: [WRV200 Response:] IPSec SA established
    054 [Sun 20:28:01] "TunnelA" #16: STATE_QUICK_R2: IPsec SA established {ESP=>0x9130a83d <0x8a269d7c xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
    055 [Sun 20:28:01] packet from 67.191.150.191:500: DOI of ISAKMP Security Association Payload has an unknown value: 2763788023
    056 [Sun 20:28:01] packet from 67.191.150.191:500: malformed payload in packet
    057 [Sun 20:28:01] packet from 67.191.150.191:500: sending notification PAYLOAD_MALFORMED to 67.191.150.191:500
    058 [Sun 20:28:06] packet from 67.191.150.191:500: phase 1 message is part of an unknown exchange
    059 [Sun 20:28:18] packet from 67.191.150.191:500: DOI of ISAKMP Security Association Payload has an unknown value: 2763788023
    060 [Sun 20:28:18] packet from 67.191.150.191:500: malformed payload in packet
    061 [Sun 20:28:18] packet from 67.191.150.191:500: sending notification PAYLOAD_MALFORMED to 67.191.150.191:500
    062 [Sun 20:28:55] "TunnelA" #14: max number of retransmissions (2) reached STATE_MAIN_I2
    063 [Sun 20:28:55] "TunnelA" #14: starting keying attempt 2 of at most 5, but releasing whack
    064 [Sun 20:28:55] "TunnelA" #17: initiating Main Mode to replace #14
    065 [Sun 20:28:55] "TunnelA" #17: received Vendor ID payload [Openswan (this version) 2.4.5dr3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
    066 [Sun 20:28:55] "TunnelA" #17: received Vendor ID payload [Dead Peer Detection]
    067 [Sun 20:28:55] "TunnelA" #17: received Vendor ID payload [RFC 3947] method set to=109
    068 [Sun 20:28:55] "TunnelA" #17: enabling possible NAT-traversal with method 3
    069 [Sun 20:28:57] "TunnelA" #17: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    070 [Sun 20:28:57] "TunnelA" #17: STATE_MAIN_I2: sent MI2, expecting MR2
    071 [Sun 20:28:59] "TunnelA" #15: Informational Exchange message is invalid because it has a previously used Message ID (0xb15efa22)
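Reading two pluto logs side by side is tedious, and the interesting facts (which state numbers actually reached "SA established", what the "Auto" settings negotiated, which packets were rejected as malformed or stale) are scattered among routine transitions. The parser below is an added example, not code from the WRV200 firmware or from anyone in this thread; it understands the line shape the logs above use (`NNN [Day hh:mm:ss] "conn" #state: message`, plus the `packet from a.b.c.d:500:` form for packets that matched no SA) and produces a short summary. The `SAMPLE` lines are copied from the second router's log above; the set of "problem" markers is this example's own choice.

```python
"""Summarise an Openswan/pluto IKE log of the kind the WRV200 prints.

Added example; not code from the router or from the forum post. Line shape,
as seen in the logs above:
    NNN [Day hh:mm:ss] "conn" #state: message
with two variants: no state number ("TunnelA": deleting connection) and
packets that matched no existing SA (packet from a.b.c.d:500: message).
"""
import re

LINE_RE = re.compile(
    r'^\d{3} \[(?P<ts>\w{3} \d\d:\d\d:\d\d)\] '
    r'(?:"(?P<conn>[^"]+)"(?: #(?P<state>\d+))?: |packet from (?P<peer>[\d.]+:\d+): )?'
    r'(?P<msg>.*)$'
)
KV_RE = re.compile(r'(\w+)=([^\s{}]+)')            # cipher=oakley_3des_cbc_192 ...
PEER_ID_RE = re.compile(r"ID_IPV4_ADDR: '([\d.]+)'")

# Substrings (chosen for this example) that mark an exchange that went wrong.
PROBLEM_MARKERS = (
    "max number of retransmissions",
    "malformed payload",
    "unknown exchange",
    "unknown (expired?) SA",
    "previously used Message ID",
    "has an unknown value",
)


def parse_line(line):
    """Split one pluto log line into ts / conn / state / peer / msg, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["state"] = int(rec["state"]) if rec["state"] else None
    return rec


def summarise(lines):
    """Walk the log once and report what was actually negotiated."""
    s = {
        "initiated": 0,             # times this end started Main Mode
        "responded": 0,             # times it answered the peer's Main Mode
        "isakmp_established": [],   # state numbers of Phase 1 SAs that completed
        "ipsec_established": [],    # state numbers of Phase 2 SAs that completed
        "negotiated": {},           # state -> parameters from the {...} block
        "peer_ids": [],             # identities the peer authenticated with
        "problems": [],             # (state number or peer address, message)
    }
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg, state = rec["msg"], rec["state"]
        if msg.startswith("initiating Main Mode"):
            s["initiated"] += 1
        elif msg.startswith("responding to Main Mode"):
            s["responded"] += 1
        # The "STATE_..." line carries the negotiated parameters; the
        # "[WRV200 Response:]" echo of the same event is skipped on purpose.
        elif msg.startswith("STATE_") and "SA established" in msg:
            key = "isakmp_established" if "ISAKMP" in msg else "ipsec_established"
            s[key].append(state)
            s["negotiated"][state] = dict(KV_RE.findall(msg))
        pid = PEER_ID_RE.search(msg)
        if pid:
            s["peer_ids"].append(pid.group(1))
        if any(marker in msg for marker in PROBLEM_MARKERS):
            s["problems"].append((state if state is not None else rec["peer"], msg))
    return s


# Lines copied from the second router's log in the post above.
SAMPLE = """\
000 [Sun 20:27:35] "TunnelA" #11: max number of retransmissions (2) reached STATE_MAIN_I2
002 [Sun 20:27:35] "TunnelA" #13: initiating Main Mode to replace #11
007 [Sun 20:27:36] "TunnelA": deleting connection
011 [Sun 20:27:37] packet from 67.191.150.191:500: Informational Exchange is for an unknown (expired?) SA
014 [Sun 20:27:43] "TunnelA" #14: initiating Main Mode
028 [Sun 20:27:46] "TunnelA" #15: responding to Main Mode
031 [Sun 20:27:46] packet from 67.191.150.191:500: phase 1 message is part of an unknown exchange
033 [Sun 20:27:47] packet from 67.191.150.191:500: malformed payload in packet
039 [Sun 20:27:52] "TunnelA" #15: Main mode peer ID is ID_IPV4_ADDR: '67.191.150.191'
043 [Sun 20:27:52] "TunnelA" #15: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp2048}
054 [Sun 20:28:01] "TunnelA" #16: STATE_QUICK_R2: IPsec SA established {ESP=>0x9130a83d <0x8a269d7c xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
062 [Sun 20:28:55] "TunnelA" #14: max number of retransmissions (2) reached STATE_MAIN_I2
""".splitlines()

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

Two things the summary makes visible that are easy to miss in the raw text: each router is both initiating Main Mode and responding to the other's, so there are always two Phase 1 negotiations in flight and the "deleting state" lines are the loser being torn down; and the `negotiated` block shows what "Auto" actually picked (3DES with an MD5 PRF and HMAC-MD5 on the ESP SA), which is worth knowing when deciding whether to pin the proposal manually as suggested later in the thread.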
     
  5. eric_stewart (Super Moderator, Staff Member)

    Interesting. You are successfully negotiating IKE Phase I and Phase II. Then when data traffic is in the connection it fails with a "malformed payload". I think you should consider setting up the encryption manually (for at least Phase II)...maybe something like AES-128 and turn off PFS (perfect forwarding security).

    /Eric
     
  6. ifican (Network Guru Member)

    For testing purposes, try identifying the tunnels by IP and not FQDN. I know this is not how you want to run the tunnel, but I believe it will work that way; once confirmed we can dig into why.
     
