Question

Cisco RV042 VPN to Cisco 1841 Router connection

Asked by: jwhiteuwc

Hello,
Trying to create a VPN connection between a Linksys/Cisco RV042 VPN router and a Cisco 1841 router. I was hoping to actually just create a non-encrypted GRE tunnel to the RV042, but it looks like it has to accept an encrypted channel.
My question is how in the world would I go about setting this up? I've created general GRE tunnels from Cisco to Cisco like below:
interface Tunnel5
 description Tunnel t1
 ip address 192.168.100.17 255.255.255.252
 keepalive 10 3
 tunnel destination <IP ADDRESS OF SITE B>


And on the other side (B)
interface Tunnel5
 description Tunnel 1
 ip address 192.168.100.18 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IP ADDRESS OF SITE A>

I'm a little confused about what I should use for the Local Security Group settings on the RV042 (image attached)
and what I should set on the Cisco 1841.

Thanks!


Asked on 2009-04-04 at 14:05:53 (ID 24295324)
Topics: Network Routers, Virtual Private Networking (VPN)
Participating Experts: 2 | Points: 0 | Comments: 19


Answers

 

by: thinkpads_user, posted on 2009-04-04 at 14:31:56 (ID: 24069115)

On your RV042, for the remote end, you have defined the Remote Group type as subnet (fine), but the IP address and subnet mask do not look like a subnet from here. Is there some special subnetting at the remote end?

Down at the bottom (where we cannot see) click on advanced and make sure NAT traversal is allowed.

... Thinkpads_User

 

by: jwhiteuwc, posted on 2009-04-04 at 14:58:56 (ID: 24069211)

Thanks for the suggestion on the NAT traversal.

The subnet defined in the Remote end is the 2nd IP defined in the GRE tunnel end of the Cisco router. The actual subnet of site A is 192.168.0.0 255.255.255.0. However, Cisco likes to define the other subnet as illustrated above when creating a GRE tunnel from Cisco to Cisco. Does that make sense? That is, 192.168.100.x with a mask of 255.255.255.252 (3 IPs: one for site A, one for site B, and broadcast, I think). Sorry, this is where it really gets fuzzy for me.

So on the RV042, in the remote group, should I specify the actual IP and subnet of Site A's internal network?

I'm trying to create the link via SDM on the Cisco because I'm not quite sure how to do it via IOS. In SDM, I just choose VPN - Site-to-Site VPN and follow the prompts.
What do I specify on the Cisco?

 

by: jwhiteuwc, posted on 2009-04-04 at 15:43:05 (ID: 24069367)

To be honest, I think I'm more confused on the Cisco end than I am on the Linksys RV042 end :-)  Sorry, just thought I would put that in there if it wasn't already noticeable.

 

by: thinkpads_user, posted on 2009-04-04 at 19:58:17 (ID: 24070004)

I cannot help on the Cisco end - perhaps others can. If you need to define the precise IP for the Cisco on the RV042, then it probably wants to be defined as IP for the Remote Group Type and not as Subnet. Again that will depend on Cisco too.  ... Thinkpads_User

 

by: arnold, posted on 2009-04-04 at 20:29:37 (ID: 24070059)

You are setting up an IPsec tunnel to the Linksys, not a GRE tunnel.
What are the IPs on the Cisco side (LAN) that you want to access from the Linksys side (LAN), and vice versa?

You might want to consider using Easy VPN on the Cisco router and set up a site-to-site VPN matching your Linksys options.

You should select a phase 2 encryption of 3DES as well, rather than setting it to null.

The Remote LAN settings on the Linksys need to match the local LAN on the Cisco and vice versa.

On the Cisco you will need to add an ACL for the remote LAN to the nat (0) rule (treats the traffic as local without other ACL processing) unless you want to create ACLs to curtail what/how the Linksys can access.

I.e. define ACLs to curb some access.

 

by: jwhiteuwc, posted on 2009-04-05 at 07:22:19 (ID: 24071570)

Thanks, I'll give that a shot.

Site A's LAN IPs are 192.168.0.x. Site B's IPs are 192.168.1.x.

By the looks of it on the RV042, is there a way NOT to encrypt the traffic? Meaning just creating a GRE tunnel?

Thanks!

 

by: arnold, posted on 2009-04-05 at 09:41:24 (ID: 24071993)

I do not believe so.
GRE is encrypted as well.

The whole point is that the packets, while flowing through the wide-open medium (the internet), cannot be reassembled and viewed outside the source and destination routers.

GRE sets up a virtual routed network. I.e. each side has a GRE tunnel IP and then adds routes for each other's LAN IPs with the respective GRE tunnel as the gateway.

 

by: jwhiteuwc, posted on 2009-04-05 at 13:36:11 (ID: 24072851)

Here is my current 1841 Router Config:
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-16.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
clock timezone PCTime -6
clock summer-time CDT recurring
no ip source-route
ip cef
!
!
!
!
no ip bootp server
!
crypto pki trustpoint TP-self-signed-838689604
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-838689604
 revocation-check none
 rsakeypair TP-self-signed-838689604
!
!
!
no spanning-tree vlan 1
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
 match ip rtp 11000 13000
 match ip dscp ef
 match access-group 106
class-map match-any callin
 match ip dscp ef
 match access-group 106
class-map match-all http
 match access-group 103
!
!
policy-map voip
 class callin
  set precedence 5
policy-map Voip1
 class voip
  priority 512
 class class-default
  fair-queue
!
!
!
!
!
interface Tunnel1
 description Tunnel to Sturgeon Bay Office
 ip address 192.168.100.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPSNIPPED>
!
interface Tunnel3
 description Tunnel to Two Rivers Office
 ip address 192.168.100.9 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPSNIPPED>
!
interface Tunnel5
 description Tunnel to Wauotma Office
 ip address 192.168.100.17 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPSNIPPED>
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 113 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 bandwidth 2048
 ip address <IPSNIPPED> 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 service-policy input voip
 service-policy output Voip1
!
router rip
 version 2
 redistribute connected route-map no_tunnel
 redistribute static
 network 192.168.100.0
 no auto-summary
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.15
ip route 0.0.0.0 0.0.0.0 <IPSNIPPED>
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.2 500 interface FastEthernet0/1 500
ip nat inside source static tcp 192.168.0.2 1723 interface FastEthernet0/1 1723
ip nat inside source static udp 192.168.0.205 20001 interface FastEthernet0/1 20001
ip nat inside source static udp 192.168.0.205 20000 interface FastEthernet0/1 20000
ip nat inside source static tcp 192.168.0.205 8090 interface FastEthernet0/1 8090
ip nat inside source static tcp 192.168.0.205 3393 interface FastEthernet0/1 3393
ip nat inside source static tcp 192.168.0.2 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.0.147 5905 interface FastEthernet0/1 5905
ip nat inside source static tcp 192.168.0.47 5910 interface FastEthernet0/1 5910
ip nat inside source static tcp 192.168.0.36 5997 interface FastEthernet0/1 5997
ip nat inside source static tcp 192.168.0.11 5909 interface FastEthernet0/1 5909
ip nat inside source static tcp 192.168.0.2 5902 interface FastEthernet0/1 5902
ip nat inside source static 192.168.0.35 <IPSNIPPED> extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 deny   71.92.172.193 0.0.0.7
access-list 2 permit any
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit udp any any eq 5060
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 106 permit udp any any eq 2944
access-list 106 permit tcp any any eq 2944
access-list 106 permit udp any any eq 3000
access-list 106 permit udp any any eq 4029
access-list 106 permit tcp any any eq 4029
access-list 106 permit tcp any any eq 1720
access-list 107 permit udp any host 192.168.0.6 range 1 65534
access-list 112 permit ip 216.153.250.0 0.0.0.255 any
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq www
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq 443
access-list 113 permit ip any any
no cdp run
route-map no_tunnel permit 10
 match ip address 2
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C

!
scheduler allocate 4000 1000
end
--------------------------------------
Here it is after I create a site-to-site VPN, but it fails in testing saying:
The tunnel traffic destination must be routed through the crypto map interface. the following destination(S) are routed through non-crypto map interface 1) 192.168.0.1




aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
clock timezone PCTime -6
clock summer-time CDT recurring
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name <IPAddressSniped>
ip name-server <IPAddressSniped>
ip name-server <IPAddressSniped>
!
!
crypto pki trustpoint TP-self-signed-838689604
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-838689604
 revocation-check none
 rsakeypair TP-self-signed-838689604
!
!
!
no spanning-tree vlan 1

!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
 match ip rtp 11000 13000
 match ip dscp ef
 match access-group 106
class-map match-any callin
 match ip dscp ef
 match access-group 106
class-map match-all http
 match access-group 103
!
!
policy-map voip
 class callin
  set precedence 5
policy-map Voip1
 class voip
  priority 512
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <SNIPPED> address <IPAddressSniped>
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to<IPAddressSniped>
 set peer <IPAddressSniped>
 set transform-set ESP-3DES-SHA
 match address 100
 qos pre-classify
!
!
!
interface Tunnel1
 description Tunnel to Sturgeon Bay Office
 ip address 192.168.100.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPAddressSniped>
!
interface Tunnel3
 description Tunnel to Two Rivers Office
 ip address 192.168.100.9 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPAddressSniped>
!
interface Tunnel5
 description Tunnel to Wauotma Office
 ip address 192.168.100.17 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPAddressSniped>
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 113 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 bandwidth 2048
 ip address <IPAddressSniped> 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
 service-policy input voip
 service-policy output Voip1
!
router rip
 version 2
 redistribute connected route-map no_tunnel
 redistribute static
 network 192.168.100.0
 no auto-summary
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.15
ip route 0.0.0.0 0.0.0.0 <IPAddressSniped>
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.2 500 interface FastEthernet0/1 500
ip nat inside source static tcp 192.168.0.2 1723 interface FastEthernet0/1 1723
ip nat inside source static udp 192.168.0.205 20001 interface FastEthernet0/1 20001
ip nat inside source static udp 192.168.0.205 20000 interface FastEthernet0/1 20000
ip nat inside source static tcp 192.168.0.205 8090 interface FastEthernet0/1 8090
ip nat inside source static tcp 192.168.0.205 3393 interface FastEthernet0/1 3393
ip nat inside source static tcp 192.168.0.2 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.0.147 5905 interface FastEthernet0/1 5905
ip nat inside source static tcp 192.168.0.47 5910 interface FastEthernet0/1 5910
ip nat inside source static tcp 192.168.0.36 5997 interface FastEthernet0/1 5997
ip nat inside source static tcp 192.168.0.11 5909 interface FastEthernet0/1 5909
ip nat inside source static tcp 192.168.0.2 5902 interface FastEthernet0/1 5902
ip nat inside source static 192.168.0.35 <IPAddressSniped> extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 deny   70.91.178.192 0.0.0.7
access-list 2 permit any
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit udp any any eq 5060
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 443
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 106 permit udp any any eq 2944
access-list 106 permit tcp any any eq 2944
access-list 106 permit udp any any eq 3000
access-list 106 permit udp any any eq 4029
access-list 106 permit tcp any any eq 4029
access-list 106 permit tcp any any eq 1720
access-list 107 permit udp any host 192.168.0.6 range 1 65534
access-list 112 permit ip 216.153.250.0 0.0.0.255 any
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq www
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq 443
access-list 113 permit ip any any
snmp-server community cybertechs RO
snmp-server community cyb3rt3ch$ RW 60
no cdp run
route-map no_tunnel permit 10
 match ip address 2
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
end

 

by: arnold, posted on 2009-04-05 at 20:00:42 (ID: 24074135)

You have match address 100 in the crypto map, but you have an error when you are defining the access list:
You have:
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
instead of
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

 

by: jwhiteuwc, posted on 2009-04-14 at 11:50:03 (ID: 24141263)

Still not working. Very strange.

 

by: arnold, posted on 2009-04-14 at 11:55:34 (ID: 24141309)

While brief, the description provides little to go on. Check the logs on both sides to see whether additional information is provided for the issue.

Run on the ASA:
show crypto ipsec sa
show crypto isakmp sa

Have you corrected the setting on the RV042 to use the 192.168.1.0 segment instead of the 192.168.100 segment you had originally?

Just to be clear, you are setting up an IPsec tunnel between the RV042 and ASA.

 

by: jwhiteuwc, posted on 2009-04-14 at 12:01:15 (ID: 24141354)

Arnold, sorry about that answer.

Yes, I have corrected the IP mistake.

The tunnel is going from the RV042 to a Cisco 1841 router running IOS and not an ASA.

My guess is I need a GRE IPsec tunnel. It's built, however it just doesn't make the connection.

 

by: arnold, posted on 2009-04-14 at 12:11:27 (ID: 24141452)

The RV042 does not support an inbound GRE. It will let a GRE packet pass if you have a PPTP session from behind it to the Cisco.
Sorry for not double-checking which Cisco device you have.
The show crypto directives should work on the router.
What I am looking for in that information is what the local and remote LAN are set to on the established tunnel, going on the premise that the tunnel gets established but no data flows through.

Looking at the logs on both sides should provide some added information on what is going on, i.e. a passphrase mismatch; you set up the Cisco with aggressive mode while the RV042 is using normal mode for IPsec negotiations, or vice versa; or the negotiation fails during phase two negotiation, where the LAN IPs on each side would have come into play,
i.e. if you still had the RV042 referencing the remote LAN as 192.168.100.20/30 while the local LAN on the Cisco router reflects 192.168.0.0/24.

Could you repost your current Cisco config minus the preshared key and public IPs? This will assume that the preshared key you entered on both sides is identical.

Also please post a snippet of the log dealing with the VPN connection minus the public IPs at either end.

 

by: jwhiteuwc, posted on 2009-04-15 at 05:34:31 (ID: 24147206)

Here is the new IOS config and snapshots of the RV042 router:
!This is the running config of the router: c21arg.dnsalias.com
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Century21ARG
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-16.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
clock timezone PCTime -6
clock summer-time CDT recurring
no ip source-route
ip cef
!
!
!
!
no ip bootp server

!
!

!
crypto pki certificate chain TP-self-signed-838689604
 certificate self-signed 01

!
no spanning-tree vlan 1
username <SNIP> privilege 15 secret 5
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
 match ip rtp 11000 13000
 match ip dscp ef
 match access-group 106
class-map match-any callin
 match ip dscp ef
 match access-group 106
class-map match-all http
 match access-group 103
!
!
policy-map voip
 class callin
  set precedence 5
policy-map Voip1
 class voip
  priority 512
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key <SNIP> address <SNIP>
!
!
crypto ipsec transform-set c21sbdsl esp-des esp-md5-hmac
!
crypto map c21sbVPNmap 10 ipsec-isakmp
 description vpn tunnel to c21argDSL
 set peer <SNIP>
 set security-association lifetime seconds 86400
 set transform-set c21sbdsl
 match address 135
!
!
!
!
!
interface Tunnel1
 description Tunnel to Sturgeon Bay Office
 ip address 192.168.100.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <SNIPE>
!
interface Tunnel3
 description Tunnel to Two Rivers Office
 ip address 192.168.100.9 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <SNIP>
!
interface Tunnel5
 description Tunnel to Wauotma Office
 ip address 192.168.100.17 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <SNIP>
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 113 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 bandwidth 2048
 ip address <SNIP> 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map c21sbVPNmap
 service-policy input voip
 service-policy output Voip1
!
router rip
 version 2
 redistribute connected route-map no_tunnel
 redistribute static
 network 192.168.100.0
 no auto-summary
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.15
ip route 0.0.0.0 0.0.0.0 <SNIP>
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source route-map blocknat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.2 500 interface FastEthernet0/1 500
ip nat inside source static tcp 192.168.0.2 1723 interface FastEthernet0/1 1723
ip nat inside source static udp 192.168.0.205 20001 interface FastEthernet0/1 20001
ip nat inside source static udp 192.168.0.205 20000 interface FastEthernet0/1 20000
ip nat inside source static tcp 192.168.0.205 8090 interface FastEthernet0/1 8090
ip nat inside source static tcp 192.168.0.205 3393 interface FastEthernet0/1 3393
ip nat inside source static tcp 192.168.0.2 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.0.147 5905 interface FastEthernet0/1 5905
ip nat inside source static tcp 192.168.0.47 5910 interface FastEthernet0/1 5910
ip nat inside source static tcp 192.168.0.36 5997 interface FastEthernet0/1 5997
ip nat inside source static tcp 192.168.0.11 5909 interface FastEthernet0/1 5909
ip nat inside source static tcp 192.168.0.2 5902 interface FastEthernet0/1 5902
ip nat inside source static 192.168.0.35 <SNIP> extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 deny   <SNIP> 0.0.0.7
access-list 2 permit any
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit udp any any eq 5060
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 443
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 106 permit udp any any eq 2944
access-list 106 permit tcp any any eq 2944
access-list 106 permit udp any any eq 3000
access-list 106 permit udp any any eq 4029
access-list 106 permit tcp any any eq 4029
access-list 106 permit tcp any any eq 1720
access-list 107 permit udp any host 192.168.0.6 range 1 65534
access-list 112 permit ip 216.153.250.0 0.0.0.255 any
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq www
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq 443
access-list 113 permit ip any any
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 135 remark SDM_ACL Category=22
access-list 135 deny   ip 192.168.0.0 0.0.0.255 any
access-list 135 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 135 permit ip 192.168.0.0 0.0.0.255 any

no cdp run
route-map blocknat permit 10
 match ip address 135
!
route-map no_tunnel permit 10
 match ip address 2
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
end


 

by: arnoldPosted on 2009-04-15 at 06:06:05ID: 24147483

First you should change your preshared key.

Second, you do not have a policy on the ASA that matches the policy settings on the RV042.
crypto map 10
you are not specifying the encryption to be des.

What does the error log show? Does it show that there is no matching policy for the VPN?

Access-list 100 you have both deny and permit for the same local segment.

Log files from both sides?

 

by: jwhiteuwcPosted on 2009-04-15 at 09:17:09ID: 24149781

Here is the log from the RV042:
Apr 15 08:13:40 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]  
Apr 15 08:13:40 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]  
Apr 15 08:13:40 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 15 08:13:40 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
Apr 15 08:13:40 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting  
Apr 15 08:13:50 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]  
Apr 15 08:13:50 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]  
Apr 15 08:13:50 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 15 08:13:50 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
Apr 15 08:13:50 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting  
Apr 15 08:13:54 2009     VPN Log    Initiating Main Mode  
Apr 15 08:13:54 2009     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet  
Apr 15 08:13:54 2009     VPN Log    Received informational payload, type NO_PROPOSAL_CHOSEN  
Apr 15 08:14:00 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]  
Apr 15 08:14:00 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]  
Apr 15 08:14:00 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 15 08:14:00 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
Apr 15 08:14:00 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting  
Apr 15 08:14:10 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]  
Apr 15 08:14:10 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]  
Apr 15 08:14:10 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 15 08:14:10 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
Apr 15 08:14:10 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting  

 

by: jwhiteuwcPosted on 2009-04-15 at 09:20:17ID: 24149817

Sorry, how would I get the log for the Cisco that you are looking for?
Thanks!

 

by: jwhiteuwcPosted on 2009-04-17 at 12:05:34ID: 24170957

Here are the new commands on the Cisco. Would this be correct?

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 3600
crypto isakmp key <KEY> address <IP> no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30


crypto ipsec transform-set c21sbdsl esp-3des esp-md5-hmac
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 135 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 136 permit ip 192.168.0.0 0.0.0.255 any

ip nat inside source route-map nonat interface Ethernet1/0 overload


!disables nat translation
route-map nonat permit 10
 match ip address 135


crypto map c21sbVPNmap 2 ipsec-isakmp
 description vpn tunnel to c21argDSL
 set peer <IIP>
 set transform-set c21sbdsl
 match address 120

interface Tunnel6
 description tunelIPSEC to SB
 no ip address
 tunnel source Fastethernet0/1
 tunnel destination <IP TO SITE B>
 tunnel path-mtu-discovery
 crypto map c21sbVPNmap

 

by: jwhiteuwcPosted on 2009-04-18 at 12:21:19ID: 24176433

I ended up figuring out the solution.  The isakmp statement needed the no-xauth and also the lifetime statement needed to be changed to match the Linksys 86400.

Thanks though to all that helped.
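As an added illustration of the Phase 1 mismatch this thread ends on (example code written for this page, not anything posted in the thread or shipped by Cisco or Linksys): the parser below reads the IOS `crypto isakmp policy` block from the post above, fills in the IOS defaults for every parameter the block leaves unstated, compares it field by field against a peer's Phase 1 settings and counts the "No Proposal chosen" events in RV042 log lines. The RV042 settings are an assumption (the thread only states 3DES and an 86400 s lifetime); the log excerpt is a constructed subset of the one posted.

```python
# IOS defaults applied to a "crypto isakmp policy" parameter that is not stated.
IOS_ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": "86400"}

# Constructed sample: the IOS Phase 1 block posted in the thread (lifetime still 3600).
SAMPLE_IOS_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 3600
crypto isakmp key <KEY> address <IP> no-xauth
"""

# Assumed RV042 Phase 1 settings: only 3DES and the 86400 s lifetime come from the
# thread; hash and DH group are placeholder choices for the demonstration.
ASSUMED_RV042_PHASE1 = {"encr": "3des", "hash": "md5", "authentication": "pre-share",
                        "group": "2", "lifetime": "86400"}

# Constructed excerpt of the RV042 VPN log posted in the thread.
SAMPLE_RV042_LOG = [
    "Apr 15 08:13:40 2009 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet",
    "Apr 15 08:13:40 2009 VPN Log No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting",
    "Apr 15 08:13:54 2009 VPN Log Received informational payload, type NO_PROPOSAL_CHOSEN",
]


def parse_isakmp_policy(config_text):
    """Return the Phase 1 parameters of the first 'crypto isakmp policy' block,
    with IOS defaults for anything the block does not set explicitly."""
    policy = dict(IOS_ISAKMP_DEFAULTS)
    in_block = False
    for line in config_text.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):   # indented lines belong to the policy block
                break
            key, _, value = line.strip().partition(" ")
            if key in policy:
                policy[key] = value
    return policy


def phase1_mismatches(ios_policy, peer_settings):
    """Strict field-by-field comparison; any differing field is a candidate cause
    of the RV042's 'No Proposal chosen' message (the thread's culprit was lifetime)."""
    return [(k, ios_policy[k], peer_settings[k])
            for k in IOS_ISAKMP_DEFAULTS if ios_policy[k] != peer_settings[k]]


def count_no_proposal(log_lines):
    """Count RV042 log lines that report a rejected IKE proposal."""
    return sum(1 for line in log_lines
               if "No acceptable Oakley Transform" in line or "NO_PROPOSAL_CHOSEN" in line)
```

Running `phase1_mismatches(parse_isakmp_policy(SAMPLE_IOS_CONFIG), ASSUMED_RV042_PHASE1)` shows why the unstated IOS defaults (hash, group) matter as much as the lines that were typed.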
