Solved

Cisco RV042 VPN to Cisco 1841 Router connection

Posted on 2009-04-04
Last Modified: 2012-05-06
Hello,
Trying to create a VPN connection between a Linksys/Cisco RV042 VPN router and a Cisco 1841 Router. I was hoping to actually just create a non-encrypted GRE tunnel to the RV042, but it looks like it has to accept an encrypted channel.
My question is how in the world would I go about setting this up? I've created general GRE tunnels from Cisco to Cisco like below:
interface Tunnel5
 description Tunnel t1
 ip address 192.168.100.17 255.255.255.252
 keepalive 10 3
 tunnel destination <IP ADDRESS OF SITE B>


And on the other side (B)
interface Tunnel5
 description Tunnel 1
 ip address 192.168.100.18 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IP ADDRESS OF SITE A>

I'm a little confused on what I should use for the Local security group settings on the RV042 (image attached)
and what I should set on the Cisco 1841.

Thanks!

RV042.JPG
0
Question by:jwhiteuwc
19 Comments
 
LVL 94

Expert Comment

by:John Hurst
ID: 24069115
On your RV042, for the remote end, you have defined the Remote Group type as subnet (fine), but the IP address and subnet mask do not look like a subnet from here. Is there some special subnetting at the remote end?

Down at the bottom (where we cannot see) click on advanced and make sure NAT traversal is allowed.

... Thinkpads_User
0
 

Author Comment

by:jwhiteuwc
ID: 24069211
Thanks for the suggestion on the NAT traversal.

The subnet defined in the Remote end is the 2nd IP defined in the GRE tunnel end of the Cisco router. The actual subnet of site A is 192.168.0.0 255.255.255.0. However, Cisco likes to define the other subnet as illustrated above when creating a GRE tunnel from Cisco to Cisco. Does that make sense? Of 192.168.100.x and a mask of 255.255.255.252 (3 IPs: one for site A, one for site B, and broadcast, I think). Sorry, this is where it really gets fuzzy for me.

So on the RV042 in the remote group, should I specify the actual IP and subnet of Site A's internal network?

I'm trying to create the link via SDM on the Cisco because I'm not quite sure how to do it via IOS. In SDM, I just choose VPN - Site-to-Site VPN and follow the prompts.
What do I specify on the Cisco?
0
 

Author Comment

by:jwhiteuwc
ID: 24069367
To be honest, I think I'm more confused on the Cisco end than I am on the Linksys RV042 end :-)  Sorry, just thought I would put that in there if it wasn't already noticeable.
0

 
LVL 94

Expert Comment

by:John Hurst
ID: 24070004
I cannot help on the Cisco end - perhaps others can. If you need to define the precise IP for the Cisco on the RV042, then it probably wants to be defined as IP for the Remote Group Type and not as Subnet. Again that will depend on Cisco too.  ... Thinkpads_User
0
 
LVL 78

Expert Comment

by:arnold
ID: 24070059
You are setting up an IPsec tunnel to the Linksys, not a GRE tunnel.
What are the IPs on the Cisco side (LAN) that you want to access from the Linksys side (LAN), and vice versa?

You might want to consider using EasyVPN on the Cisco router and set up a site-to-site VPN matching your Linksys options.

You should select a phase 2 encryption of 3DES as well rather than setting it to null.

The Remote LAN settings on the Linksys need to match the local LAN on the Cisco and vice versa.

On the cisco you will need to add an ACL for the remote lan to the nat (0) rule (treats the traffic as local without other ACL processing) unless you want to create ACLs to curtail what/ how the linksys can access.

I.e. define acls to curb some access.

0
 

Author Comment

by:jwhiteuwc
ID: 24071570
Thanks, I'll give that a shot.

Site A's LAN IPs are 192.168.0.x. Site B's IPs are 192.168.1.x.

By the looks of it on the RV042, is there a way NOT to encrypt the traffic? Meaning just creating a GRE tunnel?

Thanks!
0
 
LVL 78

Expert Comment

by:arnold
ID: 24071993
I do not believe so.
GRE is encrypted as well.

The whole point is that the packets, while flowing through the wide-open medium (the internet), cannot be reassembled and viewed outside the source and destination routers.

GRE sets up a virtual routed network, i.e. each side has a GRE tunnel IP and then adds routes for each other's LAN IPs with the respective GRE tunnel as the gateway.

0
 

Author Comment

by:jwhiteuwc
ID: 24072851
Here is my current 1841 Router Config:
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-16.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
clock timezone PCTime -6
clock summer-time CDT recurring
no ip source-route
ip cef
!
!
!
!
no ip bootp server
!
crypto pki trustpoint TP-self-signed-838689604
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-838689604
 revocation-check none
 rsakeypair TP-self-signed-838689604
!
!
!
no spanning-tree vlan 1
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
 match ip rtp 11000 13000
 match ip dscp ef
 match access-group 106
class-map match-any callin
 match ip dscp ef
 match access-group 106
class-map match-all http
 match access-group 103
!
!
policy-map voip
 class callin
  set precedence 5
policy-map Voip1
 class voip
  priority 512
 class class-default
  fair-queue
!
!
!
!
!
interface Tunnel1
 description Tunnel to Sturgeon Bay Office
 ip address 192.168.100.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPSNIPPED>
!
interface Tunnel3
 description Tunnel to Two Rivers Office
 ip address 192.168.100.9 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPSNIPPED>
!
interface Tunnel5
 description Tunnel to Wauotma Office
 ip address 192.168.100.17 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPSNIPPED>
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 113 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 bandwidth 2048
 ip address <IPSNIPPED> 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 service-policy input voip
 service-policy output Voip1
!
router rip
 version 2
 redistribute connected route-map no_tunnel
 redistribute static
 network 192.168.100.0
 no auto-summary
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.15
ip route 0.0.0.0 0.0.0.0 <IPSNIPPED>
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.2 500 interface FastEthernet0/1 500
ip nat inside source static tcp 192.168.0.2 1723 interface FastEthernet0/1 1723
ip nat inside source static udp 192.168.0.205 20001 interface FastEthernet0/1 20001
ip nat inside source static udp 192.168.0.205 20000 interface FastEthernet0/1 20000
ip nat inside source static tcp 192.168.0.205 8090 interface FastEthernet0/1 8090
ip nat inside source static tcp 192.168.0.205 3393 interface FastEthernet0/1 3393
ip nat inside source static tcp 192.168.0.2 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.0.147 5905 interface FastEthernet0/1 5905
ip nat inside source static tcp 192.168.0.47 5910 interface FastEthernet0/1 5910
ip nat inside source static tcp 192.168.0.36 5997 interface FastEthernet0/1 5997
ip nat inside source static tcp 192.168.0.11 5909 interface FastEthernet0/1 5909
ip nat inside source static tcp 192.168.0.2 5902 interface FastEthernet0/1 5902
ip nat inside source static 192.168.0.35 <IPSNIPPED> extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 deny   71.92.172.193 0.0.0.7
access-list 2 permit any
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit udp any any eq 5060
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 106 permit udp any any eq 2944
access-list 106 permit tcp any any eq 2944
access-list 106 permit udp any any eq 3000
access-list 106 permit udp any any eq 4029
access-list 106 permit tcp any any eq 4029
access-list 106 permit tcp any any eq 1720
access-list 107 permit udp any host 192.168.0.6 range 1 65534
access-list 112 permit ip 216.153.250.0 0.0.0.255 any
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq www
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq 443
access-list 113 permit ip any any
no cdp run
route-map no_tunnel permit 10
 match ip address 2
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C

!
scheduler allocate 4000 1000
end
--------------------------------------
Here it is after I create a site-to-site VPN, but it fails in testing saying:
The tunnel traffic destination must be routed through the crypto map interface. the following destination(S) are routed through non-crypto map interface 1) 192.168.0.1




aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
clock timezone PCTime -6
clock summer-time CDT recurring
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name <IPAddressSniped>
ip name-server <IPAddressSniped>
ip name-server <IPAddressSniped>
!
!
crypto pki trustpoint TP-self-signed-838689604
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-838689604
 revocation-check none
 rsakeypair TP-self-signed-838689604
!
!
!
no spanning-tree vlan 1

!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
 match ip rtp 11000 13000
 match ip dscp ef
 match access-group 106
class-map match-any callin
 match ip dscp ef
 match access-group 106
class-map match-all http
 match access-group 103
!
!
policy-map voip
 class callin
  set precedence 5
policy-map Voip1
 class voip
  priority 512
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <SNIPPED> address <IPAddressSniped>
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to<IPAddressSniped>
 set peer <IPAddressSniped>
 set transform-set ESP-3DES-SHA
 match address 100
 qos pre-classify
!
!
!
interface Tunnel1
 description Tunnel to Sturgeon Bay Office
 ip address 192.168.100.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPAddressSniped>
!
interface Tunnel3
 description Tunnel to Two Rivers Office
 ip address 192.168.100.9 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPAddressSniped>
!
interface Tunnel5
 description Tunnel to Wauotma Office
 ip address 192.168.100.17 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPAddressSniped>
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 113 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 bandwidth 2048
 ip address <IPAddressSniped> 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
 service-policy input voip
 service-policy output Voip1
!
router rip
 version 2
 redistribute connected route-map no_tunnel
 redistribute static
 network 192.168.100.0
 no auto-summary
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.15
ip route 0.0.0.0 0.0.0.0 <IPAddressSniped>
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.2 500 interface FastEthernet0/1 500
ip nat inside source static tcp 192.168.0.2 1723 interface FastEthernet0/1 1723
ip nat inside source static udp 192.168.0.205 20001 interface FastEthernet0/1 20001
ip nat inside source static udp 192.168.0.205 20000 interface FastEthernet0/1 20000
ip nat inside source static tcp 192.168.0.205 8090 interface FastEthernet0/1 8090
ip nat inside source static tcp 192.168.0.205 3393 interface FastEthernet0/1 3393
ip nat inside source static tcp 192.168.0.2 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.0.147 5905 interface FastEthernet0/1 5905
ip nat inside source static tcp 192.168.0.47 5910 interface FastEthernet0/1 5910
ip nat inside source static tcp 192.168.0.36 5997 interface FastEthernet0/1 5997
ip nat inside source static tcp 192.168.0.11 5909 interface FastEthernet0/1 5909
ip nat inside source static tcp 192.168.0.2 5902 interface FastEthernet0/1 5902
ip nat inside source static 192.168.0.35 <IPAddressSniped> extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 deny   70.91.178.192 0.0.0.7
access-list 2 permit any
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit udp any any eq 5060
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 443
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 106 permit udp any any eq 2944
access-list 106 permit tcp any any eq 2944
access-list 106 permit udp any any eq 3000
access-list 106 permit udp any any eq 4029
access-list 106 permit tcp any any eq 4029
access-list 106 permit tcp any any eq 1720
access-list 107 permit udp any host 192.168.0.6 range 1 65534
access-list 112 permit ip 216.153.250.0 0.0.0.255 any
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq www
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq 443
access-list 113 permit ip any any
snmp-server community cybertechs RO
snmp-server community cyb3rt3ch$ RW 60
no cdp run
route-map no_tunnel permit 10
 match ip address 2
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
end
0
 
LVL 78

Expert Comment

by:arnold
ID: 24074135
You have match address 100 in the crypto map, but you have an error when you are defining the access list:
You have:
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
instead of
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

0
 

Author Comment

by:jwhiteuwc
ID: 24141263
Still not working. Very strange.
0
 
LVL 78

Expert Comment

by:arnold
ID: 24141309
While brief, the description provides little to go on. Check the logs on both sides to see whether additional information is provided for the issue.

Run on the ASA:
show crypto ipsec sa
show crypto isakmp sa

Have you corrected the setting on the RV042 to use the 192.168.1.0 segment instead of the 192.168.100 segment you had originally?

Just to be clear, you are setting up an IPsec tunnel between the RV042 and the ASA?
0
 

Author Comment

by:jwhiteuwc
ID: 24141354
Arnold, sorry about that answer.

Yes, I have corrected the IP mistake.

The tunnel is going from the RV042 to a Cisco 1841 Router running IOS and not an ASA.

My guess is I need a GRE IPsec tunnel. It's built, however it just doesn't make the connection.
0
 
LVL 78

Expert Comment

by:arnold
ID: 24141452
The RV042 does not support an inbound GRE. It will let a GRE packet pass if you have a PPTP session from behind it to the Cisco.
Sorry for not double-checking which Cisco device you have.
The show crypto directives should work on the router.
What I am looking at is to see what the local and remote LAN are set to on the established tunnel, going on the premise that the tunnel gets established but no data flows through.

Looking at the logs on both sides should provide some added information on what is going on, i.e. a passphrase mismatch, or you set up the Cisco with aggressive mode while the RV042 is using normal mode for IPsec negotiations (or vice versa), or the negotiation fails during phase two, where the LAN IPs on each side come into play,
i.e. if you still had the RV042 referencing the remote LAN as 192.168.100.20/30 while the local LAN on the Cisco router reflects 192.168.0.0/24.

Could you repost your current Cisco config minus the preshared key and public IPs? This will assume that the preshared key you entered on both sides is identical.

Also please post a snippet of the log dealing with the VPN connection minus the public IPs at either end.

0
 

Author Comment

by:jwhiteuwc
ID: 24147206
Here is the new IOS config and snapshots of the RV042 router:
!This is the running config of the router: c21arg.dnsalias.com
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Century21ARG
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-16.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
clock timezone PCTime -6
clock summer-time CDT recurring
no ip source-route
ip cef
!
!
!
!
no ip bootp server

!
!

!
crypto pki certificate chain TP-self-signed-838689604
 certificate self-signed 01

!
no spanning-tree vlan 1
username <SNIP> privilege 15 secret 5
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
 match ip rtp 11000 13000
 match ip dscp ef
 match access-group 106
class-map match-any callin
 match ip dscp ef
 match access-group 106
class-map match-all http
 match access-group 103
!
!
policy-map voip
 class callin
  set precedence 5
policy-map Voip1
 class voip
  priority 512
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key <SNIP> address <SNIP>
!
!
crypto ipsec transform-set c21sbdsl esp-des esp-md5-hmac
!
crypto map c21sbVPNmap 10 ipsec-isakmp
 description vpn tunnel to c21argDSL
 set peer <SNIP>
 set security-association lifetime seconds 86400
 set transform-set c21sbdsl
 match address 135
!
!
!
!
!
interface Tunnel1
 description Tunnel to Sturgeon Bay Office
 ip address 192.168.100.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <SNIPE>
!
interface Tunnel3
 description Tunnel to Two Rivers Office
 ip address 192.168.100.9 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <SNIP>
!
interface Tunnel5
 description Tunnel to Wauotma Office
 ip address 192.168.100.17 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <SNIP>
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 113 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 bandwidth 2048
 ip address <SNIP> 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map c21sbVPNmap
 service-policy input voip
 service-policy output Voip1
!
router rip
 version 2
 redistribute connected route-map no_tunnel
 redistribute static
 network 192.168.100.0
 no auto-summary
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.15
ip route 0.0.0.0 0.0.0.0 <SNIP>
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source route-map blocknat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.2 500 interface FastEthernet0/1 500
ip nat inside source static tcp 192.168.0.2 1723 interface FastEthernet0/1 1723
ip nat inside source static udp 192.168.0.205 20001 interface FastEthernet0/1 20001
ip nat inside source static udp 192.168.0.205 20000 interface FastEthernet0/1 20000
ip nat inside source static tcp 192.168.0.205 8090 interface FastEthernet0/1 8090
ip nat inside source static tcp 192.168.0.205 3393 interface FastEthernet0/1 3393
ip nat inside source static tcp 192.168.0.2 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.0.147 5905 interface FastEthernet0/1 5905
ip nat inside source static tcp 192.168.0.47 5910 interface FastEthernet0/1 5910
ip nat inside source static tcp 192.168.0.36 5997 interface FastEthernet0/1 5997
ip nat inside source static tcp 192.168.0.11 5909 interface FastEthernet0/1 5909
ip nat inside source static tcp 192.168.0.2 5902 interface FastEthernet0/1 5902
ip nat inside source static 192.168.0.35 <SNIP> extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 deny   <SNIP> 0.0.0.7
access-list 2 permit any
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit udp any any eq 5060
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 443
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 106 permit udp any any eq 2944
access-list 106 permit tcp any any eq 2944
access-list 106 permit udp any any eq 3000
access-list 106 permit udp any any eq 4029
access-list 106 permit tcp any any eq 4029
access-list 106 permit tcp any any eq 1720
access-list 107 permit udp any host 192.168.0.6 range 1 65534
access-list 112 permit ip 216.153.250.0 0.0.0.255 any
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq www
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq 443
access-list 113 permit ip any any
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 135 remark SDM_ACL Category=22
access-list 135 deny   ip 192.168.0.0 0.0.0.255 any
access-list 135 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 135 permit ip 192.168.0.0 0.0.0.255 any

no cdp run
route-map blocknat permit 10
 match ip address 135
!
route-map no_tunnel permit 10
 match ip address 2
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
end



SiteB.jpg
siteb-2.jpg
0
 
LVL 78

Expert Comment

by:arnold
ID: 24147483
First you should change your preshared key.

Second, you do not have a policy on the ASA that matches the policy settings on the RV042.
crypto map 10
you are not specifying the encryption to be DES.

What does the error log show? Does it show that there is no matching policy for the VPN?

Access-list 100: you have both deny and permit for the same local segment.

Log files from both sides?
0
 

Author Comment

by:jwhiteuwc
ID: 24149781
Here is the log from the RV042:
Apr 15 08:13:40 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]  
Apr 15 08:13:40 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]  
Apr 15 08:13:40 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 15 08:13:40 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
Apr 15 08:13:40 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting  
Apr 15 08:13:50 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]  
Apr 15 08:13:50 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]  
Apr 15 08:13:50 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 15 08:13:50 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
Apr 15 08:13:50 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting  
Apr 15 08:13:54 2009     VPN Log    Initiating Main Mode  
Apr 15 08:13:54 2009     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet  
Apr 15 08:13:54 2009     VPN Log    Received informational payload, type NO_PROPOSAL_CHOSEN  
Apr 15 08:14:00 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]  
Apr 15 08:14:00 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]  
Apr 15 08:14:00 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 15 08:14:00 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
Apr 15 08:14:00 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting  
Apr 15 08:14:10 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]  
Apr 15 08:14:10 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]  
Apr 15 08:14:10 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 15 08:14:10 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
Apr 15 08:14:10 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting  
0
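The RV042 log above tells more than it seems to: every "Responder Received Main Mode 1st packet" is followed by "No acceptable Oakley Transform", and the one attempt the RV042 initiates comes back NO_PROPOSAL_CHOSEN. The following is an added example, not code from the thread or from either vendor: a small parser that classifies those lines and reports which phase the negotiation dies in. The log text is the poster's, trimmed to three bursts; the event names and the diagnosis strings are my own.

```python
import re
from collections import Counter

# Log lines as posted in the thread (trimmed to three bursts; text unchanged)
RV042_LOG = """\
Apr 15 08:13:40 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]
Apr 15 08:13:40 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]
Apr 15 08:13:40 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
Apr 15 08:13:40 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Apr 15 08:13:40 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
Apr 15 08:13:50 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Apr 15 08:13:50 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
Apr 15 08:13:54 2009     VPN Log    Initiating Main Mode
Apr 15 08:13:54 2009     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Apr 15 08:13:54 2009     VPN Log    Received informational payload, type NO_PROPOSAL_CHOSEN
"""

# "Mon DD HH:MM:SS YYYY", some spaces, the literal "VPN Log", some spaces, the message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+VPN Log\s+(?P<msg>.*?)\s*$")

# Message fragment -> event name (my own labels). First match wins, so the specific
# NAT-T vendor-ID line is tested before the generic "Vendor ID" catch-all.
EVENTS = [
    ("Responder Received Main Mode 1st packet", "mm1_received"),
    ("Initiator Send Main Mode 1st packet", "mm1_sent"),
    ("No acceptable Oakley Transform", "proposal_rejected_by_us"),
    ("NO_PROPOSAL_CHOSEN", "proposal_rejected_by_peer"),
    ("Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike", "peer_offers_nat_t"),
    ("Vendor ID", "vendor_id_noise"),
]


def parse_log(text):
    """Yield (timestamp, event, message) per parsable line; unknown messages get event 'other'."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        event = next((name for frag, name in EVENTS if frag in msg), "other")
        yield m.group("ts"), event, msg


def summarize(text):
    """Count Main Mode attempts and proposal rejections, then say which phase is failing."""
    counts = Counter(event for _, event, _ in parse_log(text))
    attempts = counts["mm1_received"] + counts["mm1_sent"]
    phase1_failures = counts["proposal_rejected_by_us"] + counts["proposal_rejected_by_peer"]
    if attempts and phase1_failures >= attempts:
        # A rejection on the very first Main Mode packet is an IKE policy mismatch. The
        # pre-shared key only comes into play in the later (encrypted) Main Mode messages,
        # so the log's hint about the key cannot be the cause at this point.
        diagnosis = ("Phase 1 never completes: every Main Mode exchange dies at the proposal step, "
                     "so compare IKE encryption, hash, DH group, authentication method and lifetime "
                     "on both peers; the pre-shared key is not used until later in Main Mode")
    elif phase1_failures:
        diagnosis = "Some Phase 1 attempts fail on proposal; check for a second, non-matching policy"
    else:
        diagnosis = "No Phase 1 proposal failures in this log"
    return {
        "attempts": attempts,
        "phase1_failures": phase1_failures,
        "rejected_by_us": counts["proposal_rejected_by_us"],
        "rejected_by_peer": counts["proposal_rejected_by_peer"],
        "peer_offers_nat_t": counts["peer_offers_nat_t"] > 0,
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for key, value in summarize(RV042_LOG).items():
        print(f"{key}: {value}")
```

Run against the poster's lines it reports three attempts, three Phase 1 failures and a Phase 1 diagnosis, which is consistent with the fix the poster eventually found (ISAKMP settings, not the key or the Phase 2 ACLs).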
 

Author Comment

by:jwhiteuwc
ID: 24149817
Sorry, how would I get the log for the Cisco that you are looking for?
Thanks!
0
 

Author Comment

by:jwhiteuwc
ID: 24170957
Here are the new commands on the Cisco. Would this be correct?

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 3600
crypto isakmp key <KEY> address <IP> no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30


crypto ipsec transform-set c21sbdsl esp-3des esp-md5-hmac
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 135 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 136 permit ip 192.168.0.0 0.0.0.255 any

ip nat inside source route-map nonat interface Ethernet1/0 overload


!disables nat translation
route-map nonat permit 10
 match ip address 135


crypto map c21sbVPNmap 2 ipsec-isakmp
 description vpn tunnel to c21argDSL
 set peer <IIP>
 set transform-set c21sbdsl
 match address 120

interface Tunnel6
 description tunelIPSEC to SB
 no ip address
 tunnel source Fastethernet0/1
 tunnel destination <IP TO SITE B>
 tunnel path-mtu-discovery
 crypto map c21sbVPNmap
0
 

Accepted Solution

by:
jwhiteuwc earned 0 total points
ID: 24176433
I ended up figuring out the solution. The isakmp statement needed the no-xauth, and also the lifetime statement needed to be changed to match the Linksys 86400.

Thanks though to all that helped.
0
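Arnold's checks in this thread (the crypto ACL must be the mirror of the peer's local/remote groups, the ACL behind the NAT route-map must deny tunnel traffic, and the Phase 1 and Phase 2 proposals must match what the RV042 offers) plus the lifetime the poster finally had to align can be scripted as a pre-flight audit of the IOS side. The following is an added example, not code from the thread, from Cisco or from Linksys. The IOS fragment is constructed from the commands posted above (with hash and group written out and the lifetime left at 3600 so there is something to find); the RV042 settings are hypothetical, since the screenshots are not on the page; the `no-xauth` keyword is not checked.

```python
import ipaddress
import re

# Constructed IOS fragment, modelled on the commands posted at the end of the thread.
IOS_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto ipsec transform-set c21sbdsl esp-3des esp-md5-hmac
crypto map c21sbVPNmap 2 ipsec-isakmp
 set transform-set c21sbdsl
 match address 120
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 135 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 135 permit ip 192.168.0.0 0.0.0.255 any
"""

# Hypothetical RV042-side settings. Site A (192.168.0.0/24) sits behind the 1841,
# site B (192.168.1.0/24) behind the RV042, as stated in the thread.
RV042_PEER = {
    "local_group": "192.168.1.0/24",
    "remote_group": "192.168.0.0/24",
    "phase1": {"encr": "3des", "hash": "md5", "auth": "pre-share", "group": "2", "lifetime": 86400},
    "phase2": ("esp-3des", "esp-md5-hmac"),
}

# IOS fills in these defaults for anything omitted from a "crypto isakmp policy" block.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1", "lifetime": 86400}


def parse_isakmp_policies(config):
    """Return {policy_number: {encr, hash, auth, group, lifetime}} with IOS defaults applied."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = dict(ISAKMP_DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            key = "auth" if key == "authentication" else key
            if key in current:
                current[key] = int(value) if key == "lifetime" else value
        else:
            current = None  # any unindented line ends the policy block
    return policies


def parse_transform_sets(config):
    """Return {name: (esp-cipher, esp-auth)} for every 'crypto ipsec transform-set' line."""
    return {m.group(1): tuple(m.group(2).split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}


def parse_acl(config, number):
    """Return [(action, src_net, dst_net)] for an extended IP ACL; wildcard masks become prefixes."""
    entries = []
    for m in re.finditer(rf"^access-list {number} (permit|deny)\s+ip\s+(.+)$", config, re.M):
        toks, nets = m.group(2).split(), []
        while toks:
            if toks[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0")); toks = toks[1:]
            elif toks[0] == "host":
                nets.append(ipaddress.ip_network(toks[1] + "/32")); toks = toks[2:]
            else:  # "addr wildcard": ipaddress accepts a host mask after the slash
                nets.append(ipaddress.ip_network(f"{toks[0]}/{toks[1]}")); toks = toks[2:]
        entries.append((m.group(1), nets[0], nets[1]))
    return entries


def phase1_mismatches(policies, peer_phase1):
    """Phase 1 succeeds only if some local policy equals the peer's encr, hash, auth and group."""
    diffs_by_policy = []
    for num, pol in sorted(policies.items()):
        diffs = [f for f in ("encr", "hash", "auth", "group") if pol[f] != peer_phase1[f]]
        if not diffs:
            if pol["lifetime"] != peer_phase1["lifetime"]:
                return [f"policy {num}: lifetime {pol['lifetime']} differs from peer {peer_phase1['lifetime']}"]
            return []
        diffs_by_policy.append(f"policy {num}: differs in {', '.join(diffs)}")
    return ["no ISAKMP policy matches the peer's Phase 1 proposal"] + diffs_by_policy


def crypto_acl_is_mirror(acl, peer):
    """The crypto ACL must permit our LAN (peer's remote group) -> peer's LAN (peer's local group)."""
    local, remote = ipaddress.ip_network(peer["remote_group"]), ipaddress.ip_network(peer["local_group"])
    return any(a == "permit" and s == local and d == remote for a, s, d in acl)


def nat_exemption_ok(nonat_acl, peer):
    """Tunnel traffic must hit a deny (no translation) before any permit in the NAT route-map ACL."""
    local, remote = ipaddress.ip_network(peer["remote_group"]), ipaddress.ip_network(peer["local_group"])
    for action, s, d in nonat_acl:
        if local.subnet_of(s) and remote.subnet_of(d):
            return action == "deny"
    return False


def audit(config, peer, crypto_acl=120, nonat_acl=135):
    """Collect every mismatch the thread's participants had to hunt for by hand."""
    findings = phase1_mismatches(parse_isakmp_policies(config), peer["phase1"])
    if peer["phase2"] not in parse_transform_sets(config).values():
        findings.append(f"no transform-set matches peer Phase 2 {peer['phase2']}")
    if not crypto_acl_is_mirror(parse_acl(config, crypto_acl), peer):
        findings.append(f"access-list {crypto_acl} is not the mirror of the peer's local/remote groups")
    if not nat_exemption_ok(parse_acl(config, nonat_acl), peer):
        findings.append(f"access-list {nonat_acl} does not exempt tunnel traffic from NAT")
    return findings


if __name__ == "__main__":
    for finding in audit(IOS_CONFIG, RV042_PEER) or ["no mismatches found"]:
        print("-", finding)
```

On the constructed input the only finding is the lifetime difference. IKEv1 peers may settle on the shorter of two lifetimes, so the script reports it as a difference rather than a hard failure; the poster found that aligning it to 86400 was part of the fix here. The same functions catch the earlier mistake in the thread, a crypto ACL of 192.168.0.0/24 to 192.168.0.0/24, because that entry is not the mirror of the peer's groups.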
