• Status: Solved

Linksys RV082 to Cisco PIX 6.3 VPN connection help.

Trying to get a VPN up between a Cisco PIX 6.3 and a Linksys RV082... Haven't played too much, but have made a few (unsuccessful) attempts.

I fill in the info, and hit connect... the status remains at (waiting for connection), but never connects.

Here is the latest from the VPN log on the Linksys (where I'm working from, have no access to the Cisco router).

Jul 26 01:41:12 2007           VPN Log          Initiating Main Mode
Jul 26 01:41:12 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:41:12 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Jul 26 01:41:12 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Jul 26 01:41:12 2007          VPN Log         Ignoring Vendor ID payload Type = [XAUTH]
Jul 26 01:41:12 2007          VPN Log         Received Vendor ID payload Type = [Dead Peer Detection]
Jul 26 01:41:12 2007          VPN Log         Ignoring Vendor ID payload Type = [Cisco-Unity]
Jul 26 01:41:12 2007          VPN Log         Ignoring Vendor ID payload [d8f8667e91dcec3b...]
Jul 26 01:41:12 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jul 26 01:41:12 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Jul 26 01:41:43 2007          VPN Log         Initiating Main Mode
Jul 26 01:41:43 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:41:54 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Jul 26 01:41:54 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Jul 26 01:41:54 2007          VPN Log         Ignoring Vendor ID payload Type = [XAUTH]
Jul 26 01:41:54 2007          VPN Log         Received Vendor ID payload Type = [Dead Peer Detection]
Jul 26 01:41:54 2007          VPN Log         Ignoring Vendor ID payload Type = [Cisco-Unity]
Jul 26 01:41:54 2007          VPN Log         Ignoring Vendor ID payload [d8f8667e29a51e81...]
Jul 26 01:41:54 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jul 26 01:41:54 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Jul 26 01:41:58 2007          VPN Log         Phase 1 message is part of an unknown exchange
Jul 26 01:43:04 2007          VPN Log         Initiating Main Mode to replace #43
Jul 26 01:43:04 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:43:05 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Jul 26 01:43:05 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Jul 26 01:43:06 2007          VPN Log         Ignoring Vendor ID payload Type = [XAUTH]
Jul 26 01:43:06 2007          VPN Log         Received Vendor ID payload Type = [Dead Peer Detection]
Jul 26 01:43:06 2007          VPN Log         Ignoring Vendor ID payload Type = [Cisco-Unity]
Jul 26 01:43:06 2007          VPN Log         Ignoring Vendor ID payload [d8f8667ea2e6027b...]
Jul 26 01:43:06 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jul 26 01:43:06 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Jul 26 01:44:16 2007          VPN Log         Initiating Main Mode to replace #44
Jul 26 01:44:16 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:44:16 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Jul 26 01:44:16 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Jul 26 01:44:17 2007          VPN Log         Ignoring Vendor ID payload Type = [XAUTH]
Jul 26 01:44:17 2007          VPN Log         Received Vendor ID payload Type = [Dead Peer Detection]
Jul 26 01:44:17 2007          VPN Log         Ignoring Vendor ID payload Type = [Cisco-Unity]
Jul 26 01:44:17 2007          VPN Log         Ignoring Vendor ID payload [d8f8667e5426d60f...]
Jul 26 01:44:17 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jul 26 01:44:17 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Jul 26 01:47:16 2007          VPN Log         Initiating Main Mode
Jul 26 01:47:16 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:47:16 2007          VPN Log         Received informational payload, type NO_PROPOSAL_CHOSEN
Jul 26 01:47:34 2007          VPN Log         Initiating Main Mode
Jul 26 01:47:34 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:47:34 2007          VPN Log         Received informational payload, type NO_PROPOSAL_CHOSEN
Jul 26 01:48:43 2007          VPN Log         Initiating Main Mode to replace #47
Jul 26 01:48:43 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:48:43 2007          VPN Log         Received informational payload, type NO_PROPOSAL_CHOSEN
Jul 26 01:49:53 2007          VPN Log         Initiating Main Mode to replace #48
Jul 26 01:49:53 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:49:53 2007          VPN Log         Received informational payload, type NO_PROPOSAL_CHOSEN
Jul 26 01:55:08 2007          VPN Log         Initiating Main Mode
Jul 26 01:55:08 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:55:08 2007          VPN Log         Received informational payload, type NO_PROPOSAL_CHOSEN
Jul 26 01:55:14 2007          VPN Log         Initiating Main Mode
Jul 26 01:55:14 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:55:14 2007          VPN Log         Received informational payload, type NO_PROPOSAL_CHOSEN
Jul 26 01:56:24 2007          VPN Log         Initiating Main Mode to replace #51
Jul 26 01:56:24 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:56:24 2007          VPN Log         Received informational payload, type NO_PROPOSAL_CHOSEN
Jul 26 01:56:50 2007          VPN Log         Initiating Main Mode
Jul 26 01:56:50 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:56:50 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Jul 26 01:56:50 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Jul 26 01:56:51 2007          VPN Log         Ignoring Vendor ID payload Type = [XAUTH]
Jul 26 01:56:51 2007          VPN Log         Received Vendor ID payload Type = [Dead Peer Detection]
Jul 26 01:56:51 2007          VPN Log         Ignoring Vendor ID payload Type = [Cisco-Unity]
Jul 26 01:56:51 2007          VPN Log         Ignoring Vendor ID payload [d8f8667e1bed7fb9...]
Jul 26 01:56:51 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jul 26 01:56:51 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Jul 26 01:58:01 2007          VPN Log         Initiating Main Mode to replace #53
Jul 26 01:58:01 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:58:01 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Jul 26 01:58:01 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Jul 26 01:58:02 2007          VPN Log         Ignoring Vendor ID payload Type = [XAUTH]
Jul 26 01:58:02 2007          VPN Log         Received Vendor ID payload Type = [Dead Peer Detection]
Jul 26 01:58:02 2007          VPN Log         Ignoring Vendor ID payload Type = [Cisco-Unity]
Jul 26 01:58:02 2007          VPN Log         Ignoring Vendor ID payload [d8f8667efc0563e3...]
Jul 26 01:58:02 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jul 26 01:58:02 2007          VPN Log         [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet

Tried turning off Perfect Forward Secrecy and Dead Peer Detection... same log msgs.

Tried turning on Aggressive mode:

Jul 26 02:02:49 2007           VPN Log          Received Hash Payload does not match computed value
Jul 26 02:03:04 2007          VPN Log         Ignoring Vendor ID payload Type = [XAUTH]
Jul 26 02:03:04 2007          VPN Log         Received Vendor ID payload Type = [Dead Peer Detection]
Jul 26 02:03:04 2007          VPN Log         Ignoring Vendor ID payload Type = [Cisco-Unity]
Jul 26 02:03:04 2007          VPN Log         Ignoring Vendor ID payload [d8f8667e55ee4654...]
Jul 26 02:03:04 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Aggressive Mode 2nd packet
Jul 26 02:03:04 2007          VPN Log         Aggressive mode peer ID is ID_IPV4_ADDR: 'xx.xxx.xxx.xxx'
Jul 26 02:03:04 2007          VPN Log         Received Hash Payload does not match computed value
Jul 26 02:03:19 2007          VPN Log         Ignoring Vendor ID payload Type = [XAUTH]
Jul 26 02:03:19 2007          VPN Log         Received Vendor ID payload Type = [Dead Peer Detection]
Jul 26 02:03:19 2007          VPN Log         Ignoring Vendor ID payload Type = [Cisco-Unity]
Jul 26 02:03:19 2007          VPN Log         Ignoring Vendor ID payload [d8f8667e55ee4654...]
Jul 26 02:03:19 2007          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Aggressive Mode 2nd packet
Jul 26 02:03:19 2007          VPN Log         Aggressive mode peer ID is ID_IPV4_ADDR: 'xx.xxx.xxx.xxx'
Jul 26 02:03:19 2007          VPN Log         Received Hash Payload does not match computed value


Any help would be greatly appreciated... this is pretty urgent.

Much thanks...

-A
3 Solutions
 
dpk_walCommented:
Looking at the logs posted by you, phase I of the VPN tunnel between the two devices is not going through.

As you are aware, for VPN tunnel establishment both phase I and phase II need to go through. Setting Aggressive mode for phase I would not help here, as it appears from the logs that the remote site is sending the 4th packet for phase I, which indicates Main mode for phase I (in Main mode 6 packets are exchanged, in Aggressive mode only 3).

Can you check to make sure that the VPN settings are identical in terms of mode (Main or Aggressive for phase I) and algorithms used. Also, set PFS in the phase II settings depending on whether it is set or not on the PIX firewall.

Further, you should have the correct network subnets defined for the VPN tunnel to come up.

Thank you.
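As an added example (not part of this thread or of either vendor's software), here is a small Python triage script for the RV082 "VPN Log" lines quoted above. It groups the lines into negotiation attempts and maps each attempt to the phase I failure it indicates: NO_PROPOSAL_CHOSEN after packet 1 (proposal mismatch), an Aggressive Mode hash mismatch (pre-shared key or identity), and Main Mode stalling after packet 5 (the first packet encrypted under the PSK-derived keys, so the responder could not decrypt or authenticate it). The sample log is constructed from the thread's own line formats with made-up timestamps and peer address; the verdict names and explanations are the example's own.

```python
import re
from collections import Counter

# Constructed sample log in the RV082 "VPN Log" format quoted in the thread.
# It contains the three failure shapes seen there; timestamps and the peer
# address are made up.
SAMPLE_LOG = """\
Jul 26 01:41:12 2007  VPN Log  Initiating Main Mode
Jul 26 01:41:12 2007  VPN Log  [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:41:12 2007  VPN Log  [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Jul 26 01:41:12 2007  VPN Log  [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Jul 26 01:41:12 2007  VPN Log  Ignoring Vendor ID payload Type = [XAUTH]
Jul 26 01:41:12 2007  VPN Log  Received Vendor ID payload Type = [Dead Peer Detection]
Jul 26 01:41:12 2007  VPN Log  [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Jul 26 01:41:12 2007  VPN Log  [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Jul 26 01:47:16 2007  VPN Log  Initiating Main Mode
Jul 26 01:47:16 2007  VPN Log  [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Jul 26 01:47:16 2007  VPN Log  Received informational payload, type NO_PROPOSAL_CHOSEN
13:53:12 2007  VPN Log  [Tunnel Negotiation Info] >>> Initiator Send Aggressive Mode 1st packet
13:53:12 2007  VPN Log  initiating Aggressive Mode #117, connection "ips3"
13:53:13 2007  VPN Log  Ignoring Vendor ID payload Type = [XAUTH]
13:53:13 2007  VPN Log  [Tunnel Negotiation Info] <<< Initiator Received Aggressive Mode 2nd packet
13:53:13 2007  VPN Log  Aggressive mode peer ID is ID_IPV4_ADDR: '12.34.56.78'
13:53:13 2007  VPN Log  Received Hash Payload does not match computed value
"""

START = re.compile(r"1st packet|^initiating\b", re.I)   # lines that open an attempt
PEER_ID = re.compile(r"peer ID is (\w+): '([^']+)'")

# Verdict names and explanations are this example's own, not RV082 output.
VERDICTS = {
    "phase1-proposal-mismatch": "responder rejected every Phase 1 proposal: align "
        "encryption, hash, DH group and auth method with the PIX isakmp policy",
    "psk-or-identity-mismatch": "responder's hash did not verify: the pre-shared key "
        "or the peer identity (IP vs FQDN) differs between the two ends",
    "no-reply-to-mm5": "no answer to Main Mode packet 5, the first one encrypted under "
        "the PSK-derived keys: wrong PSK, or no isakmp key entry on the PIX matching the "
        "address the RV082 is seen from (e.g. NAT in the path)",
    "undiagnosed": "no known failure signature in this attempt",
}

def message(line):
    """Strip the timestamp and 'VPN Log' tag, tolerating the variable whitespace
    of the thread's paste; a line without the tag is returned whole."""
    return line.split("VPN Log", 1)[-1].strip()

def split_attempts(log_text):
    """Group messages into attempts. An attempt opens on an 'Initiating ...' line
    or a '1st packet' line; adjacent start markers (the RV082 emits both, in
    either order) belong to the same attempt."""
    attempts, current = [], []
    for raw in log_text.splitlines():
        msg = message(raw)
        if not msg:
            continue
        if START.search(msg) and any(not START.search(m) for m in current):
            attempts.append(current)
            current = []
        current.append(msg)
    if current:
        attempts.append(current)
    return attempts

def classify(msgs):
    text = "\n".join(msgs)
    if "NO_PROPOSAL_CHOSEN" in text:
        return "phase1-proposal-mismatch"
    if "Hash Payload does not match" in text:
        return "psk-or-identity-mismatch"
    # Assumed: a completed Main Mode would log a "6th packet" line in the same style.
    if "Main Mode 5th packet" in text and "6th packet" not in text:
        return "no-reply-to-mm5"
    return "undiagnosed"

def triage(log_text):
    results = []
    for msgs in split_attempts(log_text):
        text = "\n".join(msgs)
        m = PEER_ID.search(text)
        results.append({
            "mode": "Aggressive" if "Aggressive Mode" in text else "Main",
            "verdict": classify(msgs),
            "peer_id": m.group(2) if m else None,
            "xauth_offered": "[XAUTH]" in text,   # PIX advertised the XAUTH vendor ID
        })
    return results

def summarize(log_text):
    return Counter(r["verdict"] for r in triage(log_text))

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['mode']:10} {r['verdict']:26} peer={r['peer_id']} "
              f"xauth={r['xauth_offered']}\n    -> {VERDICTS[r['verdict']]}")
```

Paste the raw log into SAMPLE_LOG (or read a file) and run it; each attempt gets one verdict, and summarize() shows which failure dominates across many retries.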
 
lrmooreCommented:
>Ignoring Vendor ID payload Type = [XAUTH]

Cisco end should be set to no xauth
Do you have PFS disabled on the Linksys?

> have no access to the Cisco
Does this mean you have no control over how it is configured?
 
wartsAuthor Commented:
Yeah, I do not have access to the Cisco to make changes... and the guy on that end isn't very easy to deal with. He sent me what he thinks are the config specs of the Cisco:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address ipsec
crypto map outside_map 10 set peer xx.xxx.xx.xx
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxx address xx.xxx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

I have tried with and without PFS, with and without Aggressive mode, basically tried every option on and off... to no avail.

Most of the time it seems to fail after exchange 5 ( Initiator Send Main Mode 5th packet) then it just freezes and nothing else gets logged.

Much thanks.
 
lrmooreCommented:
Check your VPN Gateway-to-Gateway page
Tunnel No. x
Tunnel name: TOPIX
Interface: WAN1
Enable  [x]

Local Security Gateway Type [IP Only     ]
IP address 66.66.66.66  <== your WAN IP
Local security group type: Subnet
IP address: 192.168.22.0
Mask:          255.255.255.0

Remote Security Gateway Type [IP Only    ]
IP address:  77.77.77.77   <== PIX Public IP
Remote Security Group Type:  Subnet
IP Address :  192.168.77.0
Mask:             255.255.255.0

IPSEC Setup
 Keying Mode  IKE with Preshared Key
 Phase 1 DH Group:  Group 2  <== match PIX Policy
 Phase 1 encryption: 3DES
 Phase 1 Auth:  MD5
 Phase 1 timeout 86400  <== match PIX policy
 Perfect Forward Secrecy  [ ]  <== un-check this
 Phase 2 DH Group: group 2
 Phase 2 Encrypt: 3DES
 Phase 2 Auth:  MD5
 Phase 2 SA Lifetime: 28800
 Preshared key: abcdefghijkl    <== match PIX isakmp key *exactly*

[Advanced + ]
 Select Aggressive Mode
 Do not select compress
 Do not set a keepalive
 AH - do not set anything
 NetBIOS broadcast:  no - PIX end does not support
 Dead Peer Detection: no


 
 
wartsAuthor Commented:
Thanks... Followed to the "T" (except the Phase 2 DH Group; with PFS deselected, the Phase 2 DH Group dropdown disappears).

Still no luck... here's the log:

13:53:12 2007      VPN Log          [Tunnel Negotiation Info] >>> Initiator Send Aggressive Mode 1st packet
13:53:12 2007      VPN Log         initiating Aggressive Mode #117, connection "ips3"
13:53:12 2007      VPN Log         STATE_AGGR_I1: initiate
13:53:13 2007      VPN Log         Ignoring Vendor ID payload Type = [XAUTH]
13:53:13 2007      VPN Log         Received Vendor ID payload Type = [Dead Peer Detection]
13:53:13 2007      VPN Log         Ignoring Vendor ID payload Type = [Cisco-Unity]
13:53:13 2007      VPN Log         Ignoring Vendor ID payload [d8f8667e6d0a7e19...]
13:53:13 2007      VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Aggressive Mode 2nd packet
13:53:13 2007      VPN Log         Aggressive mode peer ID is ID_IPV4_ADDR: '12.34.56.78'
13:53:13 2007      VPN Log         Received Hash Payload does not match computed value
13:53:28 2007      VPN Log         Ignoring Vendor ID payload Type = [XAUTH]
13:53:28 2007      VPN Log         Received Vendor ID payload Type = [Dead Peer Detection]
13:53:28 2007      VPN Log         Ignoring Vendor ID payload Type = [Cisco-Unity]
13:53:28 2007      VPN Log         Ignoring Vendor ID payload [d8f8667e6d0a7e19...]
13:53:28 2007      VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Aggressive Mode 2nd packet
13:53:28 2007      VPN Log         Aggressive mode peer ID is ID_IPV4_ADDR: '12.34.56.78'
13:53:28 2007      VPN Log         Received Hash Payload does not match computed value
------------------------------------
If I use the same settings, but turn off aggressive mode, it still fails... log:


2007      VPN Log      Initiating Main Mode
2007      VPN Log [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
2007      VPN Log [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
2007      VPN Log [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
2007      VPN Log      Ignoring Vendor ID payload Type = [XAUTH]
2007      VPN Log      Received Vendor ID payload Type = [Dead Peer Detection]
2007      VPN Log      Ignoring Vendor ID payload Type = [Cisco-Unity]
2007      VPN Log      Ignoring Vendor ID payload [d8f8667e0283729e...]
2007      VPN Log      [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
2007      VPN Log [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet

---------------------------------------------------------
Much thanks for the help.
 
lrmooreCommented:
>isakmp key xxxxxxxx address xx.xxx.xx.xx netmask 255.255.255.255

This line in the PIX should read:
 isakmp key xxxxxxxx address xx.xxx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode

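An added example, not from this thread and not Cisco's or Linksys's code: a Python checker that reads the PIX 6.3 lines the poster was given, derives what the RV082 Gateway-to-Gateway page must contain to match them (the checklist lrmoore posted above: phase 1 policy, transform set, PFS, identity type) and flags the isakmp key line that his last comment says should carry no-xauth no-config-mode. The PIX lines are the ones quoted in the thread; the RV082 settings dict is constructed and hypothetical, with field names taken from the checklist; the finding texts are the example's own.

```python
# Constructed input: the PIX 6.3 lines quoted in the thread, masked as posted.
PIX_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address ipsec
crypto map outside_map 10 set peer xx.xxx.xx.xx
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxx address xx.xxx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# Hypothetical RV082 Gateway-to-Gateway settings, keyed by the checklist's field names.
RV082_SETTINGS = {
    "keying_mode": "IKE with Preshared Key", "remote_gateway_type": "IP Only",
    "phase1_dh_group": 2, "phase1_encryption": "3des", "phase1_auth": "md5",
    "phase1_lifetime": 86400, "pfs": False,
    "phase2_encryption": "3des", "phase2_auth": "md5",
}

# PIX transform keywords -> (RV082 Phase 2 field, value)
TRANSFORMS = {
    "esp-des": ("encryption", "des"), "esp-3des": ("encryption", "3des"),
    "esp-aes": ("encryption", "aes"), "esp-aes-192": ("encryption", "aes-192"),
    "esp-aes-256": ("encryption", "aes-256"), "esp-null": ("encryption", "null"),
    "esp-md5-hmac": ("auth", "md5"), "esp-sha-hmac": ("auth", "sha1"),
}

def parse_pix(config_text):
    """Pull IKE/IPsec parameters out of PIX 6.3 'show run'-style lines."""
    pix = {"policies": {}, "transform_sets": {}, "maps": {}, "keys": [], "identity": None}
    for raw in config_text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["isakmp", "policy"]:
            pix["policies"].setdefault(int(t[2]), {})[t[3]] = " ".join(t[4:])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            pix["transform_sets"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit():
            entry = pix["maps"].setdefault((t[2], int(t[3])), {})
            if t[4] == "set":
                entry[t[5]] = t[6:]            # set peer X / set pfs [groupN] / set transform-set NAME
            elif t[4] == "match":
                entry["match"] = t[6]          # match address ACL (ACL body not quoted)
            else:
                entry["type"] = t[4]           # ipsec-isakmp or ipsec-manual
        elif t[:2] == ["isakmp", "key"]:
            pix["keys"].append({"address": t[4], "flags": [f for f in t[5:] if f.startswith("no-")]})
        elif t[:2] == ["isakmp", "identity"]:
            pix["identity"] = t[2]
    return pix

def compare(pix, rv):
    """Return (kind, text) findings: 'mismatch' blocks the tunnel, 'note' needs a look."""
    findings = []
    # Phase 1: the RV082 proposal must equal one PIX isakmp policy in full.
    want = {"encryption": rv["phase1_encryption"], "hash": rv["phase1_auth"],
            "group": str(rv["phase1_dh_group"]), "authentication": "pre-share"}
    if not any(all(p.get(k) == v for k, v in want.items()) for p in pix["policies"].values()):
        findings.append(("mismatch", f"no PIX isakmp policy equals the RV082 Phase 1 proposal {want}"))
    if rv["keying_mode"] != "IKE with Preshared Key":
        findings.append(("mismatch", "PIX policies use pre-share; RV082 keying mode must be IKE with Preshared Key"))
    lifetimes = {p.get("lifetime") for p in pix["policies"].values()}
    if str(rv["phase1_lifetime"]) not in lifetimes:
        findings.append(("note", f"Phase 1 lifetime {rv['phase1_lifetime']} differs from PIX {lifetimes}"))
    # Phase 2: only the static ipsec-isakmp entry; the dynamic map serves roaming clients.
    for (name, seq), e in sorted(pix["maps"].items()):
        if e.get("type") != "ipsec-isakmp":
            continue
        ts = pix["transform_sets"].get(e.get("transform-set", [""])[0], [])
        offered = dict(TRANSFORMS[x] for x in ts if x in TRANSFORMS)
        if (offered.get("encryption"), offered.get("auth")) != (rv["phase2_encryption"], rv["phase2_auth"]):
            findings.append(("mismatch", f"{name} {seq}: transform set {ts} != RV082 Phase 2 "
                                         f"{rv['phase2_encryption']}/{rv['phase2_auth']}"))
        pix_pfs = "pfs" in e
        if pix_pfs != rv["pfs"]:
            findings.append(("mismatch", f"{name} {seq}: PFS is {'on' if pix_pfs else 'off'} on the PIX "
                                         f"but {'on' if rv['pfs'] else 'off'} on the RV082"))
        elif pix_pfs:
            grp = (e["pfs"] or ["group1"])[0]   # PIX default when 'set pfs' names no group
            if grp != f"group{rv.get('phase2_dh_group')}":
                findings.append(("mismatch", f"{name} {seq}: PFS {grp} vs RV082 Phase 2 DH group {rv.get('phase2_dh_group')}"))
        if "match" in e:
            findings.append(("note", f"{name} {seq}: proxy IDs come from ACL '{e['match']}' (not quoted); "
                                     "RV082 local/remote subnets must mirror it exactly"))
    # Identity and XAUTH.
    if pix["identity"] == "address" and rv["remote_gateway_type"] != "IP Only":
        findings.append(("mismatch", "PIX identifies by IP address; set RV082 remote gateway type to IP Only"))
    for key in pix["keys"]:
        if "no-xauth" not in key["flags"]:
            findings.append(("note", f"isakmp key for {key['address']} lacks no-xauth; the log shows the PIX "
                                     "offering XAUTH, so if client authentication is on for this crypto map, "
                                     "append no-xauth no-config-mode"))
    return findings

if __name__ == "__main__":
    for kind, text in compare(parse_pix(PIX_CONFIG), RV082_SETTINGS):
        print(f"[{kind}] {text}")
```

With the thread's own lines and the checklist values the checker reports no mismatches, only the ACL and no-xauth notes; flipping PFS on or changing the phase 1 hash in the settings dict produces a mismatch, which is the point: phase 1 and the crypto map entry must agree field by field before the log will move past packet 5.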