Solved

Cisco Concentrator/ Corporate VPN

Posted on 2006-05-12
Last Modified: 2012-05-05
We have a Cisco 3080 concentrator at our corporate site and we would like to set it up to allow VPN connections from several of our remote sites but I am having some problems getting it working.  At the remote site, I have a Linksys WRV54G VPN broadband router and I want to use IPSEC to secure the traffic.  At headquarters, we have a CheckPoint firewall but the way I have the concentrator hooked up, it is bypassing it.  I have the public port plugged into my internet switch and the private port plugged into my local LAN.  When I configure each device to utilize IPSEC, all I see is the following message over and over in the concentrator’s logs:

127 05/12/2006 09:23:46.750 SEV=4 IKE/48 RPT=14 xxx.xxx.xxx.xxx
Error processing payload: Payload ID: 1

Reading through the documentation on the Linksys box, I get the impression that some special configuration is required on each of the PCs located at the remote sites, behind the Linksys box, but this doesn’t seem right to me. I thought that the necessary tunnel was established in the Linksys router and then the PCs just find their way to the private LAN on their own. Is this correct, or am I mistaken?

If anyone can provide a little push in the right direction, I would appreciate it.

Thanks

-Chris
Question by:HarkinsIT
Accepted Solution

by:
jabiii earned 2000 total points
ID: 16667802
Nothing should have to be configured on the PCs themselves. The payload error is between the two VPN endpoints.
Check your VPN configurations and make sure everything matches up identically.
Be careful when dealing with different VPN vendors, as they have certain things they do not always agree upon.
Author Comment

by:HarkinsIT
ID: 16682618
Thanks for the info. This is starting to make me crazy. I've checked, re-checked and checked again my config settings on both ends of this mess and still don't seem to be having much luck. Here's my current activity from the concentrator log when I initiate a connection from the Linksys box:

691 05/15/2006 10:08:01.180 SEV=4 IKE/119 RPT=40 (external ip of linksys router)
Group [(external ip of linksys router)]
PHASE 1 COMPLETED
 
692 05/15/2006 10:08:01.180 SEV=4 AUTH/22 RPT=40
User [(external ip of linksys router)] Group [(external ip of linksys router)] connected, Session Type: IPSec/LAN-to-LAN
 
694 05/15/2006 10:08:01.180 SEV=4 AUTH/84 RPT=40
LAN-to-LAN tunnel to headend device (external ip of linksys router) connected
 
695 05/15/2006 10:08:01.280 SEV=5 IKE/35 RPT=39 (external ip of linksys router)
Group [(external ip of linksys router)]
Received remote IP Proxy Subnet data in ID Payload:
 Address (internal subnet behind linksys router), Mask 255.255.255.255, Protocol 0, Port 0
 
698 05/15/2006 10:08:01.280 SEV=5 IKE/34 RPT=39 (external ip of linksys router)
Group [(external ip of linksys router)]
Received local IP Proxy Subnet data in ID Payload:
 Address (internal subnet behind concentrator), Mask 255.255.255.255, Protocol 0, Port 0
 
701 05/15/2006 10:08:01.280 SEV=4 IKE/61 RPT=40 (external ip of linksys router)
Group [(external ip of linksys router)]
Tunnel rejected: Policy not found for Src:(internal subnet behind linksys router), Dst: (internal subnet behind concentrator)!
 
703 05/15/2006 10:08:01.280 SEV=4 IKEDBG/97 RPT=40 (external ip of linksys router)
Group [(external ip of linksys router)]
QM FSM error (P2 struct &0x562aa98, mess id 0x1b11c20)!
 
704 05/15/2006 10:08:01.290 SEV=4 AUTH/23 RPT=40 (external ip of linksys router)
User [(external ip of linksys router)] Group [(external ip of linksys router)] disconnected: duration: 0:00:00
 
705 05/15/2006 10:08:01.290 SEV=4 AUTH/85 RPT=40
LAN-to-LAN tunnel to headend device (external ip of linksys router) disconnected: duration: 0:00:00

I'm still not sure what exactly I have wrong, but I'm sure it's gotta be something.  I'm still messing with it.....

Thanks again
Expert Comment

by:jabiii
ID: 16682652
Policy not found for ...

after you created your lan-to-lan ipsec, did you create your policy matching all?
Author Comment

by:HarkinsIT
ID: 16682812
I did see that message and was not 100% certain which policy it was referring to.  I first thought it was talking about the "Group Matching Policy" but it looks like that comes into play only when using certificates and since I’m using a pre-shared key, I didn't mess with any of that.  

Would you happen to know exactly which "policy" this message is referring to?

Thanks.
Expert Comment

by:jabiii
ID: 16683115
Do you have all 3 of these configured? I'm betting one of these doesn't match up with what you're doing.

1) configuration/tunneling protocols/ipsec/lan to lan
2) policy management/traffic management/SA's
3) policy management/traffic management/Rules
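Two things on this page point at the same place: the log in HarkinsIT's second comment shows the concentrator reporting both Quick Mode proxy IDs with Mask 255.255.255.255 (single-host selectors) immediately before "Tunnel rejected: Policy not found", and jabiii's last reply lists the three concentrator objects (LAN-to-LAN entry, SA, Rules) that have to agree. The following Python is an added example, not code from the thread, from Cisco or from Linksys. It parses the proxy-ID lines out of a constructed log excerpt modelled on the one posted above, compares the offered selectors with an assumed LAN-to-LAN entry, and checks that the entry's SA and filter rules exist. The peer address, the two networks, the SA name and the rule names are all placeholders chosen for the example.

```python
"""Compare IKE Quick Mode proxy IDs from VPN 3000 concentrator log lines with an
assumed LAN-to-LAN configuration. Added example; not code from the thread."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed log excerpt modelled on the lines posted in the thread. Addresses
# are documentation/private placeholders, not the poster's real values.
SAMPLE_LOG = """\
691 05/15/2006 10:08:01.180 SEV=4 IKE/119 RPT=40 198.51.100.7
Group [198.51.100.7]
PHASE 1 COMPLETED
695 05/15/2006 10:08:01.280 SEV=5 IKE/35 RPT=39 198.51.100.7
Group [198.51.100.7]
Received remote IP Proxy Subnet data in ID Payload:
 Address 192.168.2.1, Mask 255.255.255.255, Protocol 0, Port 0
698 05/15/2006 10:08:01.280 SEV=5 IKE/34 RPT=39 198.51.100.7
Group [198.51.100.7]
Received local IP Proxy Subnet data in ID Payload:
 Address 10.0.0.1, Mask 255.255.255.255, Protocol 0, Port 0
701 05/15/2006 10:08:01.280 SEV=4 IKE/61 RPT=40 198.51.100.7
Group [198.51.100.7]
Tunnel rejected: Policy not found for Src:192.168.2.1, Dst: 10.0.0.1!
"""

# "Received remote/local IP Proxy Subnet data in ID Payload:" followed on the
# next line by "Address A, Mask M, ...".
PROXY_RE = re.compile(
    r"Received (?P<side>remote|local) IP Proxy Subnet data in ID Payload:"
    r"\s+Address (?P<addr>[\d.]+), Mask (?P<mask>[\d.]+)"
)


def parse_proxy_ids(log: str) -> dict[str, ipaddress.IPv4Network]:
    """Return {'remote': net, 'local': net} for the proxy IDs the peer offered."""
    found = {}
    for m in PROXY_RE.finditer(log):
        # strict=False lets a host address with a /24 mask collapse to its network
        found[m["side"]] = ipaddress.IPv4Network(f"{m['addr']}/{m['mask']}", strict=False)
    return found


@dataclass(frozen=True)
class LanToLanEntry:
    """Hypothetical model of a Configuration/Tunneling Protocols/IPSec/LAN-to-LAN entry."""
    name: str
    peer: str
    local_network: ipaddress.IPv4Network   # network behind the concentrator
    remote_network: ipaddress.IPv4Network  # network behind the remote peer
    ipsec_sa: str                          # SA name under Traffic Management/SAs


# Assumed concentrator objects for the example (placeholders, not real config).
L2L = LanToLanEntry(
    name="Branch-1",
    peer="198.51.100.7",
    local_network=ipaddress.IPv4Network("10.0.0.0/24"),
    remote_network=ipaddress.IPv4Network("192.168.2.0/24"),
    ipsec_sa="ESP-3DES-MD5",
)
SA_NAMES = {"ESP-3DES-MD5", "ESP-AES128-SHA"}
# Traffic Management/Rules modelled as (rule name, source network, destination network).
RULES = {
    ("L2L Branch-1 Out", L2L.local_network, L2L.remote_network),
    ("L2L Branch-1 In", L2L.remote_network, L2L.local_network),
}


def check_config(entry: LanToLanEntry, sa_names: set[str], rules: set) -> list[str]:
    """The three-object consistency check: L2L entry -> SA -> Rules."""
    findings = []
    if entry.ipsec_sa not in sa_names:
        findings.append(f"LAN-to-LAN '{entry.name}' references SA '{entry.ipsec_sa}' which does not exist")
    pairs = {(src, dst) for _, src, dst in rules}
    if (entry.local_network, entry.remote_network) not in pairs:
        findings.append(f"no outbound rule for {entry.local_network} -> {entry.remote_network}")
    if (entry.remote_network, entry.local_network) not in pairs:
        findings.append(f"no inbound rule for {entry.remote_network} -> {entry.local_network}")
    return findings


def check_quick_mode(proxy_ids: dict[str, ipaddress.IPv4Network], entry: LanToLanEntry) -> list[str]:
    """Compare what the peer proposed in Quick Mode with the configured network pair."""
    findings = []
    expected = {"remote": entry.remote_network, "local": entry.local_network}
    for side, configured in expected.items():
        offered = proxy_ids.get(side)
        if offered is None:
            findings.append(f"no {side} proxy ID seen in log")
        elif offered == configured:
            continue
        elif offered.subnet_of(configured):
            # The posted log: /32 host IDs inside what should be whole subnets.
            findings.append(f"{side} proxy ID {offered} is narrower than configured {configured}: "
                            f"the peer proposes a selector that does not match the LAN-to-LAN network")
        else:
            findings.append(f"{side} proxy ID {offered} is outside configured {configured}")
    return findings


if __name__ == "__main__":
    ids = parse_proxy_ids(SAMPLE_LOG)
    for finding in check_config(L2L, SA_NAMES, RULES) + check_quick_mode(ids, L2L):
        print("FINDING:", finding)
```

Run stand-alone against the constructed excerpt, the config check passes and the Quick Mode check reports one finding per side, because the 255.255.255.255 masks make both selectors narrower than the /24 networks the LAN-to-LAN entry is assumed to carry. Once the peer proposes the full subnets the selectors compare equal and the check returns nothing, which is the first thing to look at when a concentrator logs "Policy not found" right after Phase 1 completes.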