Solved

Cisco RV042 VPN to Cisco 1841 Router connection

Posted on 2009-04-04
Last Modified: 2012-05-06
Hello,
Trying to create a VPN connection between a Linksys/Cisco RV042 VPN router and a Cisco 1841 router. I was hoping to actually just create a non-encrypted GRE tunnel to the RV042, but it looks like it has to accept an encrypted channel.
My question is how in the world would I go about setting this up? I've created general GRE tunnels from Cisco to Cisco like below:
interface Tunnel5
 description Tunnel t1
 ip address 192.168.100.17 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IP ADDRESS OF SITE B>


And on the other side (B)
interface Tunnel5
 description Tunnel 1
 ip address 192.168.100.18 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IP ADDRESS OF SITE A>

I'm a little confused on what I should use for the Local security group settings on the RV042 (image attached)
and what I should set on the Cisco 1841.

Thanks!

RV042.JPG
Question by:jwhiteuwc
19 Comments
 
LVL 90

Expert Comment

by:John Hurst
On your RV042, for the remote end, you have defined the Remote Group type as subnet (fine), but the IP address and subnet mask do not look like a subnet from here. Is there some special subnetting at the remote end?

Down at the bottom (where we cannot see) click on advanced and make sure NAT traversal is allowed.

... Thinkpads_User
0
 

Author Comment

by:jwhiteuwc
Thanks for the suggestion on the NAT traversal.

The subnet defined in the remote end is the 2nd IP defined in the GRE tunnel end of the Cisco router. The actual subnet of site A is 192.168.0.0 255.255.255.0. However, Cisco likes to define the other subnet as illustrated above when creating a GRE tunnel from Cisco to Cisco. Does that make sense? Of 192.168.100.x and a mask of 255.255.255.252 (3 IPs: one for site A, one for site B, and broadcast, I think). Sorry, this is where it really gets fuzzy for me.

So on the RV042 in the remote group, should I specify the actual IP and subnet of Site A's internal network?

I'm trying to create the link via SDM on the Cisco because I'm not quite sure how to do it via IOS. In SDM, I just choose VPN > Site-to-Site VPN and follow the prompts.
What do I specify on the Cisco?
0
 

Author Comment

by:jwhiteuwc
To be honest, I think I'm more confused on the Cisco end than I am on the Linksys RV042 end :-)  Sorry, just thought I would put that in there if it wasn't already noticeable.
0
 
LVL 90

Expert Comment

by:John Hurst
I cannot help on the Cisco end - perhaps others can. If you need to define the precise IP for the Cisco on the RV042, then it probably wants to be defined as IP for the Remote Group Type and not as Subnet. Again that will depend on Cisco too.  ... Thinkpads_User
0
 
LVL 76

Expert Comment

by:arnold
You are setting up an IPSEC tunnel to the linksys not a GRE tunnel.
What are the IPs on the cisco side (LAN)  that you want to access from the linksys side (LAN) and vice versa.

You might want to consider using the EasyVPN on the cisco router and setup a site to site VPN matching your linksys options.

You should select a phase 2 encryption of 3des as well rather than setting it to null.

The Remote LAN settings on the Linksys need to match the local LAN on the Cisco and vice versa.

On the cisco you will need to add an ACL for the remote lan to the nat (0) rule (treats the traffic as local without other ACL processing) unless you want to create ACLs to curtail what/ how the linksys can access.

I.e. define acls to curb some access.

0
 

Author Comment

by:jwhiteuwc
Thanks, I'll give that a shot.

Site A's LAN IPs are 192.168.0.x; Site B's IPs are 192.168.1.x.

By the looks of it on the RV042, is there a way NOT to encrypt the traffic? Meaning just creating a GRE tunnel?

Thanks!
0
 
LVL 76

Expert Comment

by:arnold
I do not believe so.
GRE is encrypted as well.

The whole point is that the packets, while flowing through the wide open media (internet), cannot be reassembled and viewed outside the source and the destination routers.

GRE sets up a virtual routed network, i.e. each side has a GRE tunnel IP and then adds routes for each other's LAN IPs with the respective GRE tunnel as the gateway.

0
 

Author Comment

by:jwhiteuwc
Here is my current 1841 Router Config:
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-16.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
clock timezone PCTime -6
clock summer-time CDT recurring
no ip source-route
ip cef
!
!
!
!
no ip bootp server
!
crypto pki trustpoint TP-self-signed-838689604
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-838689604
 revocation-check none
 rsakeypair TP-self-signed-838689604
!
!
!
no spanning-tree vlan 1
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
 match ip rtp 11000 13000
 match ip dscp ef
 match access-group 106
class-map match-any callin
 match ip dscp ef
 match access-group 106
class-map match-all http
 match access-group 103
!
!
policy-map voip
 class callin
  set precedence 5
policy-map Voip1
 class voip
  priority 512
 class class-default
  fair-queue
!
!
!
!
!
interface Tunnel1
 description Tunnel to Sturgeon Bay Office
 ip address 192.168.100.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPSNIPPED>
!
interface Tunnel3
 description Tunnel to Two Rivers Office
 ip address 192.168.100.9 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPSNIPPED>
!
interface Tunnel5
 description Tunnel to Wauotma Office
 ip address 192.168.100.17 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPSNIPPED>
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 113 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 bandwidth 2048
 ip address <IPSNIPPED> 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 service-policy input voip
 service-policy output Voip1
!
router rip
 version 2
 redistribute connected route-map no_tunnel
 redistribute static
 network 192.168.100.0
 no auto-summary
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.15
ip route 0.0.0.0 0.0.0.0 <IPSNIPPED>
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.2 500 interface FastEthernet0/1 500
ip nat inside source static tcp 192.168.0.2 1723 interface FastEthernet0/1 1723
ip nat inside source static udp 192.168.0.205 20001 interface FastEthernet0/1 20001
ip nat inside source static udp 192.168.0.205 20000 interface FastEthernet0/1 20000
ip nat inside source static tcp 192.168.0.205 8090 interface FastEthernet0/1 8090
ip nat inside source static tcp 192.168.0.205 3393 interface FastEthernet0/1 3393
ip nat inside source static tcp 192.168.0.2 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.0.147 5905 interface FastEthernet0/1 5905
ip nat inside source static tcp 192.168.0.47 5910 interface FastEthernet0/1 5910
ip nat inside source static tcp 192.168.0.36 5997 interface FastEthernet0/1 5997
ip nat inside source static tcp 192.168.0.11 5909 interface FastEthernet0/1 5909
ip nat inside source static tcp 192.168.0.2 5902 interface FastEthernet0/1 5902
ip nat inside source static 192.168.0.35 <IPSNIPPED> extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 deny   71.92.172.193 0.0.0.7
access-list 2 permit any
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit udp any any eq 5060
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 106 permit udp any any eq 2944
access-list 106 permit tcp any any eq 2944
access-list 106 permit udp any any eq 3000
access-list 106 permit udp any any eq 4029
access-list 106 permit tcp any any eq 4029
access-list 106 permit tcp any any eq 1720
access-list 107 permit udp any host 192.168.0.6 range 1 65534
access-list 112 permit ip 216.153.250.0 0.0.0.255 any
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq www
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq 443
access-list 113 permit ip any any
no cdp run
route-map no_tunnel permit 10
 match ip address 2
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C

!
scheduler allocate 4000 1000
end
--------------------------------------
Here it is after I create a site-to-site VPN, but it fails in testing saying:
The tunnel traffic destination must be routed through the crypto map interface. the following destination(S) are routed through non-crypto map interface 1) 192.168.0.1




aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
clock timezone PCTime -6
clock summer-time CDT recurring
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name <IPAddressSniped>
ip name-server <IPAddressSniped>
ip name-server <IPAddressSniped>
!
!
crypto pki trustpoint TP-self-signed-838689604
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-838689604
 revocation-check none
 rsakeypair TP-self-signed-838689604
!
!
!
no spanning-tree vlan 1

!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
 match ip rtp 11000 13000
 match ip dscp ef
 match access-group 106
class-map match-any callin
 match ip dscp ef
 match access-group 106
class-map match-all http
 match access-group 103
!
!
policy-map voip
 class callin
  set precedence 5
policy-map Voip1
 class voip
  priority 512
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <SNIPPED> address <IPAddressSniped>
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to<IPAddressSniped>
 set peer <IPAddressSniped>
 set transform-set ESP-3DES-SHA
 match address 100
 qos pre-classify
!
!
!
interface Tunnel1
 description Tunnel to Sturgeon Bay Office
 ip address 192.168.100.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPAddressSniped>
!
interface Tunnel3
 description Tunnel to Two Rivers Office
 ip address 192.168.100.9 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPAddressSniped>
!
interface Tunnel5
 description Tunnel to Wauotma Office
 ip address 192.168.100.17 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <IPAddressSniped>
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 113 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 bandwidth 2048
 ip address <IPAddressSniped> 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
 service-policy input voip
 service-policy output Voip1
!
router rip
 version 2
 redistribute connected route-map no_tunnel
 redistribute static
 network 192.168.100.0
 no auto-summary
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.15
ip route 0.0.0.0 0.0.0.0 <IPAddressSniped>
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.2 500 interface FastEthernet0/1 500
ip nat inside source static tcp 192.168.0.2 1723 interface FastEthernet0/1 1723
ip nat inside source static udp 192.168.0.205 20001 interface FastEthernet0/1 20001
ip nat inside source static udp 192.168.0.205 20000 interface FastEthernet0/1 20000
ip nat inside source static tcp 192.168.0.205 8090 interface FastEthernet0/1 8090
ip nat inside source static tcp 192.168.0.205 3393 interface FastEthernet0/1 3393
ip nat inside source static tcp 192.168.0.2 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.0.147 5905 interface FastEthernet0/1 5905
ip nat inside source static tcp 192.168.0.47 5910 interface FastEthernet0/1 5910
ip nat inside source static tcp 192.168.0.36 5997 interface FastEthernet0/1 5997
ip nat inside source static tcp 192.168.0.11 5909 interface FastEthernet0/1 5909
ip nat inside source static tcp 192.168.0.2 5902 interface FastEthernet0/1 5902
ip nat inside source static 192.168.0.35 <IPAddressSniped> extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 deny   70.91.178.192 0.0.0.7
access-list 2 permit any
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit udp any any eq 5060
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 443
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 106 permit udp any any eq 2944
access-list 106 permit tcp any any eq 2944
access-list 106 permit udp any any eq 3000
access-list 106 permit udp any any eq 4029
access-list 106 permit tcp any any eq 4029
access-list 106 permit tcp any any eq 1720
access-list 107 permit udp any host 192.168.0.6 range 1 65534
access-list 112 permit ip 216.153.250.0 0.0.0.255 any
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq www
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq 443
access-list 113 permit ip any any
snmp-server community cybertechs RO
snmp-server community cyb3rt3ch$ RW 60
no cdp run
route-map no_tunnel permit 10
 match ip address 2
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
end
0
 
LVL 76

Expert Comment

by:arnold
You have match address 100 in the crypto map, but you have an error when you are defining the access list:
You have:
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
instead of
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

0
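The two configuration mistakes raised in this thread (a crypto ACL whose source and destination are the same LAN, as in the posted access-list 100, and VPN traffic that is still translated by the NAT overload rule, which arnold's earlier comment says needs a deny in the NAT ACL) can both be caught mechanically. The following checker is an added example, not code from the thread or from Cisco: it parses a stripped-down IOS config, resolves the crypto map's `match address` ACL and the NAT rule's ACL (by list number or through a route-map), and reports the findings. The sample configs are constructed to mirror the SDM-generated config posted above; the peer address 203.0.113.10 and the `nonat` route-map name are placeholders.

```python
import re
from typing import Dict, List, Tuple

Addr = Tuple[str, str]             # (network, wildcard mask) exactly as written in the ACL
Entry = Tuple[str, Addr, Addr]     # (action, source, destination)
ANY: Addr = ("0.0.0.0", "255.255.255.255")

# Constructed sample modelled on the SDM-generated config posted above. It carries both problems
# raised in the thread: the crypto ACL names the local LAN as its own destination, and NAT list 1
# still translates the VPN traffic because nothing denies it first.
BROKEN_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0/1
 ip nat outside
 crypto map SDM_CMAP_1
!
ip nat inside source list 1 interface FastEthernet0/1 overload
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

# Same skeleton with the remote LAN corrected and a route-map based NAT exemption (constructed).
FIXED_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0/1
 ip nat outside
 crypto map SDM_CMAP_1
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
route-map nonat permit 10
 match ip address 135
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 135 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 135 permit ip 192.168.0.0 0.0.0.255 any
"""


def _take_addr(tokens: List[str]) -> Tuple[Addr, List[str]]:
    """Consume one address spec ('any', 'host X' or 'NET WILDCARD'); nothing left means 'any'."""
    if not tokens or tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Numbered standard and extended ACL entries in order; remarks and port qualifiers are ignored."""
    acls: Dict[str, List[Entry]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        rest = t[3:]
        if rest[0] in ("ip", "tcp", "udp", "icmp", "gre", "esp"):
            rest = rest[1:]                       # extended ACL: drop the protocol keyword
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)                 # a standard ACL has no destination field
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def parse_sections(config: str, keyword: str) -> Dict[str, List[str]]:
    """Indented child lines under each '<keyword> NAME ...' block (interface, crypto map, route-map)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith(keyword + " "):
            current = line[len(keyword) + 1:].split()[0]
            sections.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None
    return sections


def _nat_exempt(nat_entries: List[Entry], src: Addr, dst: Addr) -> bool:
    """True if the NAT ACL denies src->dst before any permit that would translate it."""
    for action, e_src, e_dst in nat_entries:
        if action == "deny" and e_src == src and e_dst == dst:
            return True
        if action == "permit" and e_src in (src, ANY) and e_dst in (dst, ANY):
            return False
    return True                                   # no match at all: the traffic is never translated


def check_ipsec_config(config: str) -> List[str]:
    """Findings a reviewer would raise on the crypto map, its ACL and the NAT rule; [] when clean."""
    findings: List[str] = []
    acls = parse_acls(config)
    interfaces = parse_sections(config, "interface")
    route_maps = parse_sections(config, "route-map")
    nat_acl, nat_iface = None, None
    m = re.search(r"^ip nat inside source (list|route-map) (\S+) interface (\S+) overload", config, re.M)
    if m:
        kind, name, nat_iface = m.groups()
        nat_acl = name if kind == "list" else next(
            (c.split()[3] for c in route_maps.get(name, []) if c.startswith("match ip address ")), None)
    for cmap, children in parse_sections(config, "crypto map").items():
        applied = [i for i, lines in interfaces.items() if f"crypto map {cmap}" in lines]
        if not applied:
            findings.append(f"crypto map {cmap} is not applied to any interface")
        elif nat_iface and nat_iface not in applied:
            findings.append(f"crypto map {cmap} is not on the NAT outside interface {nat_iface}")
        for acl_id in (c.split()[2] for c in children if c.startswith("match address ")):
            if acl_id not in acls:
                findings.append(f"crypto map {cmap} references missing access-list {acl_id}")
                continue
            for action, src, dst in acls[acl_id]:
                if action != "permit":
                    continue
                if src == dst:
                    findings.append(f"access-list {acl_id}: source and destination are the same subnet {src[0]}")
                if nat_acl and not _nat_exempt(acls.get(nat_acl, []), src, dst):
                    findings.append(f"access-list {nat_acl}: traffic {src[0]} -> {dst[0]} is still translated by NAT")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", BROKEN_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label, check_ipsec_config(cfg) or "no findings")
```

The NAT check deliberately follows ACL order: a `deny` for the local-to-remote pair only helps if it precedes the `permit` that covers the local LAN, which is why the exemption ACL puts the deny first.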
 

Author Comment

by:jwhiteuwc
Still not working. Very strange.
0
 
LVL 76

Expert Comment

by:arnold
While brief, the description provides little to go on. Check the logs on both sides to see whether additional information is provided for the issue.

Run on the ASA:
show crypto ipsec sa
show crypto isakmp sa

Have you corrected the setting on the RV042 to use the 192.168.1.0 segment instead of the 192.168.100 segment you had originally?

Just to be clear, you are setting up an IPSEC tunnel between the RV042 and ASA.
0
 

Author Comment

by:jwhiteuwc
Arnold, sorry about that answer.

Yes, I have corrected the IP mistake.

The tunnel is going from the RV042 to a Cisco 1841 router running IOS and not an ASA.

My guess is I need a GRE IPsec tunnel. It's built; however, it just doesn't make the connection.
0
 
LVL 76

Expert Comment

by:arnold
The RV042 does not support an inbound GRE. It will let a GRE packet pass if you have a PPTP session from behind it to the Cisco.
Sorry for not double checking which Cisco device you have.
The show crypto directives should work on the Router.
What I am looking for is to see what the local and remote LAN are set to on the established tunnel, going on the premise that the tunnel gets established but no data flows through.

Looking at the logs on both sides should provide some added information on what is going on, i.e. a passphrase mismatch, you set up the Cisco with aggressive mode while the RV042 is using normal mode for IPSEC negotiations (or vice versa), or the negotiation fails during phase two where the LAN IPs on each side come into play,
i.e. if you still had the RV042 referencing the remote LAN as 192.168.100.20/30 while the local LAN on the Cisco router reflects 192.168.0.0/24.

Could you repost your current Cisco config minus the preshared key and public IPs? This will assume that the preshared key you entered on both sides is identical.

Also please post a snippet of the log dealing with the VPN connection minus the public IPs at either end.

0
 

Author Comment

by:jwhiteuwc
Here is the new IOS config and snapshots of the RV042 router:
!This is the running config of the router: c21arg.dnsalias.com
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Century21ARG
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-16.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
clock timezone PCTime -6
clock summer-time CDT recurring
no ip source-route
ip cef
!
!
!
!
no ip bootp server

!
!

!
crypto pki certificate chain TP-self-signed-838689604
 certificate self-signed 01

!
no spanning-tree vlan 1
username <SNIP> privilege 15 secret 5
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
 match ip rtp 11000 13000
 match ip dscp ef
 match access-group 106
class-map match-any callin
 match ip dscp ef
 match access-group 106
class-map match-all http
 match access-group 103
!
!
policy-map voip
 class callin
  set precedence 5
policy-map Voip1
 class voip
  priority 512
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key <SNIP> address <SNIP>
!
!
crypto ipsec transform-set c21sbdsl esp-des esp-md5-hmac
!
crypto map c21sbVPNmap 10 ipsec-isakmp
 description vpn tunnel to c21argDSL
 set peer <SNIP>
 set security-association lifetime seconds 86400
 set transform-set c21sbdsl
 match address 135
!
!
!
!
!
interface Tunnel1
 description Tunnel to Sturgeon Bay Office
 ip address 192.168.100.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <SNIPE>
!
interface Tunnel3
 description Tunnel to Two Rivers Office
 ip address 192.168.100.9 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <SNIP>
!
interface Tunnel5
 description Tunnel to Wauotma Office
 ip address 192.168.100.17 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination <SNIP>
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 113 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 bandwidth 2048
 ip address <SNIP> 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map c21sbVPNmap
 service-policy input voip
 service-policy output Voip1
!
router rip
 version 2
 redistribute connected route-map no_tunnel
 redistribute static
 network 192.168.100.0
 no auto-summary
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.15
ip route 0.0.0.0 0.0.0.0 <SNIP>
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source route-map blocknat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.2 500 interface FastEthernet0/1 500
ip nat inside source static tcp 192.168.0.2 1723 interface FastEthernet0/1 1723
ip nat inside source static udp 192.168.0.205 20001 interface FastEthernet0/1 20001
ip nat inside source static udp 192.168.0.205 20000 interface FastEthernet0/1 20000
ip nat inside source static tcp 192.168.0.205 8090 interface FastEthernet0/1 8090
ip nat inside source static tcp 192.168.0.205 3393 interface FastEthernet0/1 3393
ip nat inside source static tcp 192.168.0.2 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.0.147 5905 interface FastEthernet0/1 5905
ip nat inside source static tcp 192.168.0.47 5910 interface FastEthernet0/1 5910
ip nat inside source static tcp 192.168.0.36 5997 interface FastEthernet0/1 5997
ip nat inside source static tcp 192.168.0.11 5909 interface FastEthernet0/1 5909
ip nat inside source static tcp 192.168.0.2 5902 interface FastEthernet0/1 5902
ip nat inside source static 192.168.0.35 <SNIP> extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 deny   <SNIP> 0.0.0.7
access-list 2 permit any
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit udp any any eq 5060
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 443
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 106 permit udp any any eq 2944
access-list 106 permit tcp any any eq 2944
access-list 106 permit udp any any eq 3000
access-list 106 permit udp any any eq 4029
access-list 106 permit tcp any any eq 4029
access-list 106 permit tcp any any eq 1720
access-list 107 permit udp any host 192.168.0.6 range 1 65534
access-list 112 permit ip 216.153.250.0 0.0.0.255 any
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq www
access-list 113 deny   tcp any 216.153.250.192 0.0.0.63 eq 443
access-list 113 permit ip any any
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 135 remark SDM_ACL Category=22
access-list 135 deny   ip 192.168.0.0 0.0.0.255 any
access-list 135 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 135 permit ip 192.168.0.0 0.0.0.255 any

no cdp run
route-map blocknat permit 10
 match ip address 135
!
route-map no_tunnel permit 10
 match ip address 2
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
end



SiteB.jpg
siteb-2.jpg
0
 
LVL 76

Expert Comment

by:arnold
First you should change your preshared key.

Second, you do not have a policy on the ASA that matches the policy settings on the RV042.
crypto map 10
you are not specifying the encryption to be des.

What does the error log show? Does it show that there is no matching policy for the VPN?

Access-list 100 you have both deny and permit for the same local segment.

Log files from both sides?
0
 

Author Comment

by:jwhiteuwc
Here is the log from the RV042:
Apr 15 08:13:40 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]  
Apr 15 08:13:40 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]  
Apr 15 08:13:40 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 15 08:13:40 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
Apr 15 08:13:40 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting  
Apr 15 08:13:50 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]  
Apr 15 08:13:50 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]  
Apr 15 08:13:50 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 15 08:13:50 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
Apr 15 08:13:50 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting  
Apr 15 08:13:54 2009     VPN Log    Initiating Main Mode  
Apr 15 08:13:54 2009     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet  
Apr 15 08:13:54 2009     VPN Log    Received informational payload, type NO_PROPOSAL_CHOSEN  
Apr 15 08:14:00 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]  
Apr 15 08:14:00 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]  
Apr 15 08:14:00 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 15 08:14:00 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
Apr 15 08:14:00 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting  
Apr 15 08:14:10 2009     VPN Log    Ignoring Vendor ID payload [439b59f8ba676c4c...]  
Apr 15 08:14:10 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]  
Apr 15 08:14:10 2009     VPN Log    Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]  
Apr 15 08:14:10 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
Apr 15 08:14:10 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting  
0
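The RV042 log above is worth reading carefully rather than just forwarding: in IKEv1 main mode the SA proposal is exchanged in the first two packets and the preshared key is not used until packet 5, so "No acceptable Oakley Transform" right after "Responder Received Main Mode 1st packet", together with NO_PROPOSAL_CHOSEN when the RV042 initiates, points at a phase-1 policy mismatch rather than a wrong key. The triage script below is an added example, not part of the thread or of the RV042 firmware; it parses the log line format shown in the post, counts the recognised events in each direction and returns a verdict. The excerpt it runs on is constructed from the posted lines and the verdict wording is mine.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed excerpt in the RV042 "VPN Log" line format shown in the post; not the full log.
SAMPLE_LOG = """\
Apr 15 08:13:40 2009     VPN Log    Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]
Apr 15 08:13:40 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Apr 15 08:13:40 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
Apr 15 08:13:54 2009     VPN Log    Initiating Main Mode
Apr 15 08:13:54 2009     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Apr 15 08:13:54 2009     VPN Log    Received informational payload, type NO_PROPOSAL_CHOSEN
Apr 15 08:14:00 2009     VPN Log    [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Apr 15 08:14:00 2009     VPN Log    No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+VPN Log\s+(?P<msg>.*)$")

# Event classes recognisable from the messages the RV042 actually printed above. In IKEv1 main
# mode the SA proposal travels in packets 1 and 2 and the preshared key is only used from
# packet 5 onward, so a rejection straight after the 1st packet is a phase-1 policy mismatch,
# not a key problem, whatever the RV042's own hint text says.
PATTERNS = {
    "mm_as_responder": "Responder Received Main Mode 1st packet",
    "mm_as_initiator": "Initiator Send Main Mode 1st packet",
    "rejected_peer_proposal": "No acceptable Oakley Transform",
    "rejected_by_peer": "NO_PROPOSAL_CHOSEN",
}
PHASE1_PARAMS = "encryption, hash, DH group, authentication method, SA lifetime and XAUTH"


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split RV042 VPN log lines into timestamp/message records; unrelated lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m.group("ts"), "msg": m.group("msg").strip()})
    return events


def triage(text: str) -> Dict[str, object]:
    """Count the recognised negotiation events and derive a verdict on where the tunnel fails."""
    counts: Counter = Counter()
    for ev in parse_log(text):
        for key, needle in PATTERNS.items():
            if needle in ev["msg"]:
                counts[key] += 1
                break
    result: Dict[str, object] = {key: counts[key] for key in PATTERNS}
    if counts["rejected_peer_proposal"] and counts["rejected_by_peer"]:
        verdict = f"phase 1 mismatch in both directions: compare {PHASE1_PARAMS} on both peers"
    elif counts["rejected_peer_proposal"]:
        verdict = f"phase 1 mismatch: the RV042 rejects the router's proposal; compare {PHASE1_PARAMS}"
    elif counts["rejected_by_peer"]:
        verdict = f"phase 1 mismatch: the router rejects the RV042's proposal; compare {PHASE1_PARAMS}"
    elif counts["mm_as_responder"] or counts["mm_as_initiator"]:
        verdict = "main mode started without a proposal rejection; look further on (key, phase 2 selectors)"
    else:
        verdict = "no IKE negotiation events found in this excerpt"
    result["verdict"] = verdict
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the Cisco side the matching detail comes from `show crypto isakmp sa` and, for the negotiation itself, `debug crypto isakmp`, which the poster asked how to obtain; the RV042 log alone already tells you which phase to look at.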
 

Author Comment

by:jwhiteuwc
Sorry, how would I get the log for the Cisco that you are looking for?
Thanks!
0
 

Author Comment

by:jwhiteuwc
Here are the new commands on the Cisco. Would this be correct?

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 3600
crypto isakmp key <KEY> address <IP> no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30


crypto ipsec transform-set c21sbdsl esp-3des esp-md5-hmac
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 135 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 135 permit ip 192.168.0.0 0.0.0.255 any

ip nat inside source route-map nonat interface FastEthernet0/1 overload


! exempts the VPN traffic (denied in ACL 135) from NAT; all other LAN traffic is still translated
route-map nonat permit 10
 match ip address 135


crypto map c21sbVPNmap 2 ipsec-isakmp
 description vpn tunnel to c21argDSL
 set peer <IIP>
 set transform-set c21sbdsl
 match address 120

interface Tunnel6
 description tunelIPSEC to SB
 no ip address
 tunnel source FastEthernet0/1
 tunnel destination <IP TO SITE B>
 tunnel path-mtu-discovery
 crypto map c21sbVPNmap
0
 

Accepted Solution

by:
jwhiteuwc earned 0 total points
I ended up figuring out the solution. The isakmp statement needed the no-xauth, and also the lifetime statement needed to be changed to match the Linksys 86400.

Thanks though to all that helped.
0
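The accepted solution (no-xauth on the peer key, lifetime matching the Linksys 86400) and arnold's earlier observation that the posted `crypto isakmp policy 10` never states an encryption algorithm both come down to the same check: the router's effective phase-1 policy, with IOS defaults filled in, must match the RV042 line for line. The comparison below is an added example, not code from the thread or from Cisco. It applies the IOS ISAKMP defaults (DES, SHA, RSA signatures, group 1, 86400 s) to any omitted line, detects the `no-xauth` flag on the `crypto isakmp key` entry, and lists what differs. The RV042 side values are constructed assumptions (the thread's screenshots are not reproduced), and it assumes the router has XAUTH configured for other peers, as the posted sdm_vpn_xauth lists suggest.

```python
import re
from typing import Dict, List

# Values IOS uses when a 'crypto isakmp policy' block omits a setting (Cisco's ISAKMP defaults).
IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": "86400"}

# Phase-1 settings assumed for the RV042 side (constructed; the accepted solution names the
# 86400 s lifetime and no XAUTH, the rest is an assumption for the example).
RV042_PHASE1 = {"encr": "3des", "hash": "md5", "authentication": "pre-share",
                "group": "2", "lifetime": "86400", "xauth": False}

# The policy block posted earlier in the thread: no 'encr' line, so IOS negotiates DES.
POSTED_POLICY = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key EXAMPLE-KEY address 203.0.113.10
"""

# Constructed corrected block: every parameter stated explicitly, and no-xauth on the peer key.
FIXED_POLICY = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key EXAMPLE-KEY address 203.0.113.10 no-xauth
"""


def parse_isakmp(config: str) -> Dict[str, object]:
    """Effective phase-1 policies (defaults filled in) plus whether XAUTH is disabled for the peer key."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)", line)
        if m:
            current = m.group(1)
            policies[current] = dict(IOS_POLICY_DEFAULTS)
        elif current and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            key = "encr" if key == "encryption" else key   # IOS accepts either spelling
            if key in IOS_POLICY_DEFAULTS:
                policies[current][key] = value
        else:
            current = None
    key_line = re.search(r"^crypto isakmp key \S+ address \S+(?P<flags>.*)$", config, re.M)
    no_xauth = bool(key_line and "no-xauth" in key_line.group("flags"))
    return {"policies": policies, "no_xauth": no_xauth}


def phase1_mismatches(config: str, peer: Dict[str, object]) -> List[str]:
    """One line per IOS policy saying why it cannot match the peer; [] as soon as one policy matches."""
    parsed = parse_isakmp(config)
    if not parsed["policies"]:
        return ["no crypto isakmp policy configured"]
    problems: List[str] = []
    for num, pol in sorted(parsed["policies"].items(), key=lambda kv: int(kv[0])):
        diffs = [f"{k}: router {pol[k]} vs peer {peer[k]}" for k in IOS_POLICY_DEFAULTS if pol[k] != peer[k]]
        if peer["xauth"] is False and not parsed["no_xauth"]:
            diffs.append("xauth: router may request XAUTH from this peer; add no-xauth to its key entry")
        if not diffs:
            return []
        problems.append(f"policy {num}: " + "; ".join(diffs))
    return problems


if __name__ == "__main__":
    print("posted:", phase1_mismatches(POSTED_POLICY, RV042_PHASE1) or "match")
    print("fixed:", phase1_mismatches(FIXED_POLICY, RV042_PHASE1) or "match")
```

Because IOS tries its policies in ascending priority order and stops at the first match, the function returns an empty list as soon as any policy matches; a non-empty result means every policy was rejected, which is exactly what the NO_PROPOSAL_CHOSEN log entries report.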
