BEFVP41 and SSH Sentinel

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by clicker666, Jun 25, 2006.

  1. clicker666

    clicker666 LI Guru Member

    BEFVP41 V2 Router Problem

    Router is directly connected to internet with a static IP. This router is connected to another BEFVP41 with the same settings as below, works fine. Password is a sample, not real.

    Router Side:
    IPSec Pass-Through: Enabled
    PPPoE Pass-Through: Enabled
    PPTP Pass-Through: Enabled

    Select Tunnel Entry: Tunnel2 (ROADWARRIOR1)
    VPN Tunnel: Enabled
    Tunnel Name: ROADWARRIOR1

    Local Secure Group: Subnet

    Remote Secure Group: Any

    Remote Security Gateway: Any

    Encryption: 3DES
    Authentication: MD5

    Key Management: Auto. (IKE)
    PFS: Enabled
    Pre-shared Key: test1234
    Key Lifetime: 3600 Sec.

    Advanced Tunnel 2

    Phase 1
    Operation Mode: Main
    Encryption: 3DES
    Authentication: MD5
    Group: 1024-bit
    Key Lifetime: 3600 seconds

    Phase 2
    Same as phase 1 but says PFS: ON

    No other settings checked

    Client Side:

    Client is on a dynamic address that rarely changes. Firewall is a D-Link DI-614+. Internal address is IPSEC and PPTP (including GRE) being forwarded to the internal address - even attempted using DMZ with no success.

    Remote Endpoint
    Security Gateway (Destination Router's WAN Address)
    Remote Network: Mask:
    Authentication Key: MyKey (with test1234 password)
    Proposal Template: legacy

    IKE Proposal:
    Encryption Algorithm: 3DES
    Integrity Function: MD5
    IKE mode: main mode
    IKE group: MODP 1024 (group 2)

    IPSec Proposal:
    Encryption Algorithm: 3DES
    Integrity Function: HMAC-MD5
    IPSec mode: tunnel
    PFS group: MODP 1024 (group 2)

    Attach only the selected values to the proposal (selected)

    Acquire Virtual IP address: DHCP over IPSec

    Advanced: Lifetimes all default, Discover path MTU

    When I attempt to connect to the router from my client, I get the following results:

    2006-06-25 14:30:47 UDP from 24.x.x.x:500 to 142.x.x.x:500
    2006-06-25 14:30:47 IKE[51] Rx << MM_I1 : 24.x.x.x SA, VID
    2006-06-25 14:30:47 IKE[51] Tx >> MM_R1 : 24.x.x.x SA
    2006-06-25 14:30:47 IKE[51] ISAKMP SA CKI=[71e2db33 e9000001] CKR=[e1b4ab8c 4847da50]
    2006-06-25 14:30:47 IKE[51] ISAKMP SA 3DES / MD5 / PreShared / MODP_1024 / 14400 sec (*14400 sec)
    2006-06-25 14:30:48 IKE[51] Rx << MM_I2 : 24.x.x.x KE, NONCE
    2006-06-25 14:30:48 IKE[51] Tx >> MM_R2 : 24.x.x.x KE, NONCE
    2006-06-25 14:30:49 IKE[51] **Check your ISAKMP Pre-share Key setting !
    2006-06-25 14:30:49 IKE[51] Tx >> Notify : INVALID-PAYLOAD-TYPE

    Any ideas?
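    As an added triage script (not part of the original post or of either vendor's software), the following Python parses the IKE log lines quoted above, records where main mode stopped for each IKE[n] session, and compares the negotiated ISAKMP SA with the Phase 1 values the post says are configured on the router. The regexes, field names and the ROUTER_CFG dictionary are assumptions derived from the posted settings and log format.

    ```python
    import re

    # Constructed sample: the BEFVP41 log lines quoted in the post (addresses masked as posted).
    SAMPLE_LOG = """\
    2006-06-25 14:30:47 UDP from 24.x.x.x:500 to 142.x.x.x:500
    2006-06-25 14:30:47 IKE[51] Rx << MM_I1 : 24.x.x.x SA, VID
    2006-06-25 14:30:47 IKE[51] Tx >> MM_R1 : 24.x.x.x SA
    2006-06-25 14:30:47 IKE[51] ISAKMP SA CKI=[71e2db33 e9000001] CKR=[e1b4ab8c 4847da50]
    2006-06-25 14:30:47 IKE[51] ISAKMP SA 3DES / MD5 / PreShared / MODP_1024 / 14400 sec (*14400 sec)
    2006-06-25 14:30:48 IKE[51] Rx << MM_I2 : 24.x.x.x KE, NONCE
    2006-06-25 14:30:48 IKE[51] Tx >> MM_R2 : 24.x.x.x KE, NONCE
    2006-06-25 14:30:49 IKE[51] **Check your ISAKMP Pre-share Key setting !
    2006-06-25 14:30:49 IKE[51] Tx >> Notify : INVALID-PAYLOAD-TYPE
    """
    # Assumed Phase 1 values, taken from the router's "Advanced Tunnel 2" settings in the post.
    ROUTER_CFG = {"enc": "3DES", "hash": "MD5", "modp": 1024, "lifetime": 3600}
    # Main mode: MM_I1..MM_R2 travel in cleartext; MM_I3 is the first message encrypted with
    # keys derived from the pre-shared key, so a PSK mismatch first surfaces when MM_I3 arrives.
    MSG_RE = re.compile(r"IKE\[(\d+)\] (?:Rx|Tx) [<>]{2} (MM_[IR][123])")
    SA_RE = re.compile(r"IKE\[(\d+)\] ISAKMP SA (\w+) / (\w+) / \w+ / MODP_(\d+) / (\d+) sec")
    ERR_RE = re.compile(r"IKE\[(\d+)\] \*\*(.*)")
    NOTIFY_RE = re.compile(r"IKE\[(\d+)\] Tx >> Notify : (\S+)")

    def triage(log, router_cfg):
        sessions = {}  # IKE[n] id -> last main mode step, negotiated SA, list of findings
        def sess(sid):
            return sessions.setdefault(sid, {"last_step": None, "negotiated": {}, "findings": []})
        for line in log.splitlines():
            if m := MSG_RE.search(line):
                sess(m.group(1))["last_step"] = m.group(2)
            elif m := SA_RE.search(line):
                sess(m.group(1))["negotiated"] = {"enc": m.group(2), "hash": m.group(3),
                                                  "modp": int(m.group(4)), "lifetime": int(m.group(5))}
            elif m := ERR_RE.search(line):
                sess(m.group(1))["findings"].append("router error: " + m.group(2).strip())
            elif m := NOTIFY_RE.search(line):
                sess(m.group(1))["findings"].append("router sent notify " + m.group(2))
        for s in sessions.values():
            # Compare what the router actually agreed on with what the post says is configured.
            for key, want in router_cfg.items():
                got = s["negotiated"].get(key)
                if got != want:
                    s["findings"].append(f"negotiated {key}={got} differs from configured {want}")
            # Stopping right after MM_R2 means MM_I3, the first PSK-protected message, was rejected.
            if s["last_step"] == "MM_R2":
                s["findings"].append("phase 1 stopped after MM_R2: failure on MM_I3 is consistent "
                                     "with a pre-shared key mismatch between router and client")
        return sessions
    ```

    Calling `triage(SAMPLE_LOG, ROUTER_CFG)` on the posted log reports the router's own PSK warning and notify, that the negotiated 14400 s lifetime differs from the configured 3600 s, and that the exchange died at the first PSK-protected message.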
  2. clicker666

    clicker666 LI Guru Member

    My example matches ones I've found on the net pretty close. I don't know if I'm blocking a port on my home LAN client side, or perhaps the D-Link DI-614+ is messing things up.

    What are people using for mobile clients? I'm sure you aren't all going out and spending money on clients LOL, and if you are, is there a sure-fire, guaranteed to work one. I'd certainly spend the company's money on something that actually worked without having to be a Cisco networking specialist.
  3. clicker666

    clicker666 LI Guru Member

    OK, I've done some more work on it....

    I've got a connection provided I supply an IP address. If I try to connect to the DHCP server (test on one LAN using the BEFVP41 as DHCP) and on the other using Win2K3 Server DHCP.

    And, my inability to route - another thread, is an issue.

    I can ping the gateway at the far end of the tunnel, but nothing beyond.

    I can feel this is getting closer, but not quite there. It's going to be one stupid setting somewhere, I'm sure of it! :(