Cisco RVS4000 VPN Router Setup

Posted on 2010-11-10
Last Modified: 2012-05-10
I have an RVS4000 VPN Router that's giving me some issues with the VPN setup. My goal is to set up VPN so that I can use my laptop from anywhere and connect to my home network resources (I have a few servers that I would like to be able to access data from). With that said, I think perhaps I might be getting confused with the terminology this router uses and I'm setting it up wrong? Here are my current settings:

Select Tunnel Entry:  Test      
        
IPSec VPN Tunnel:        Enable
Tunnel Name:       Test

Local Group Setup
Local Security Gateway Type: IP Only      
IP address: XXX.XXX.XXX.196
Local Security Group Type: Subnet
IP Address:  15.10.5.1 <--(my router address)
Subnet Mask:  255.255.255.0      

Remote Group Setup
Remote Security Gateway Type: Any      
This Gateway accepts requests from any IP address.
Remote Security Group Type: Subnet      
IP Address: 15.10.2.1
Subnet Mask: 255.255.255.0


IPSec Setup

Keying Mode:       IKE with pre-shared key

Phase 1:
Encryption: 3DES      
Authentication: SHA1
Group: 768-bit
Key Lifetime: 28800  sec

Phase 2:
Encryption: 3DES
Authentication: SHA1
Perfect Forward Secrecy: Enable
Preshared Key: XXXXXXX <---password
Group: 768-bit
Key Lifetime: 3600  sec

Status
Down

Any ideas? I have all forms of VPN Passthrough enabled.
Question by:q3tech15
21 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 34107779
First, I am not an expert in this, so if I do not help, someone else will have to respond.

In a LinkSys RV042 (probably quite similar) there are two types of tunnels: Gateway <-> Gateway for two like routers connected to each other and Gateway <-> Client for one router and one client machine.  

Then the Local setting above (assuming this is the machine with the router) looks fine (same as mine).

The remote end is very different. You looked like you used the Gateway <-> Gateway, and you need a Client setting for the remote end. Further, you would need an IPsec VPN application on the laptop to access your home machine. Check the remote end settings.

... Thinkpads_User

Author Comment

by:q3tech15
ID: 34107890
There is no option that I see to determine whether you want a gateway <-> gateway connection or a gateway <-> client. I'm baffled.
LVL 90

Expert Comment

by:John Hurst
ID: 34107930
On my RV042 (I know it is not the same machine), I log into the router. Across the top I see Summary, Setup, DHCP, blah, blah, VPN, blah, blah. I click on VPN (that is where the tunnel setup is). I see the summary VPN setups (I have multiple Gateway <-> Gateway). I click on Add Tunnel and I see two choices: Gateway <-> Gateway and Client <-> Gateway. The product literature suggests your machine will do it, but you would have to check through its manual. It will reference QuickVPN for application access. ... Thinkpads_User
LVL 90

Expert Comment

by:John Hurst
ID: 34107977
This manual describes the two methods for your router:

http://www.cisco.com/en/US/docs/routers/csbr/rvs4000/administration/guide/RVS4000_Admin_Guide.pdf

See page 101 .... Thinkpads_User

Author Comment

by:q3tech15
ID: 34108205
From that, it's still only allowing/showing a router-to-router connection.
LVL 90

Expert Comment

by:John Hurst
ID: 34108241
You probably need to read through the manual more completely. In my post above I noted QuickVPN. See the diagram on page 17 and it is precisely what you want. So now trail through the manual from that to build the VPN connection. That starts on page 133. It may be that QuickVPN is acting as the Client part of the connection. For sure, as I noted at the beginning, you need a client application, so start here.

... Thinkpads_User
LVL 33

Expert Comment

by:MikeKane
ID: 34108804
The RVS model, just like the RV042 model, only has a client-to-router IPsec option that must use the QuickVPN app that came with the unit.  You can also download the latest QuickVPN client from Cisco as well if you need it.  

Quick VPN has some issues, especially when used from behind other NAT devices... but for the most part it works well enough.  


Author Comment

by:q3tech15
ID: 34111122
I'll try the Quick VPN tonight on a work laptop since my laptop is running Windows 7 x64 and last I checked Quick VPN isn't compatible with it. I'll let you know the results.

Author Comment

by:q3tech15
ID: 34120534
Quick VPN still will not connect. Just gives me a list of possible problems.
LVL 90

Expert Comment

by:John Hurst
ID: 34120577
Quick VPN is not a robust client in my experience (and as noted by MikeKane above). Take a look at NCP Secure Entry (www.ncp-e.com). It is the most reliable VPN client I have seen and/or used to date. They have a full function free trial so that you can see if it fits your needs. .... Thinkpads_User
 

Author Comment

by:q3tech15
ID: 34121696
Here are the log files I have from both the NCP program and my router.

NCP

11/12/2010 10:47:42 AM IPSec: Start building connection
11/12/2010 10:47:42 AM IPSec: DNSREQ: resolving dnserver over lan: domainname.org
11/12/2010 10:47:42 AM IPSec: DNSREQ: resolved ipadr: 0xx.0xx.004.196
11/12/2010 10:47:42 AM Ike: Outgoing connect request MAIN mode - gateway=xx.xx.4.196 : q3
11/12/2010 10:47:42 AM Ike: XMIT_MSG1_MAIN - q3
11/12/2010 10:47:42 AM Ike: RECV_MSG2_MAIN - q3
11/12/2010 10:47:42 AM Ike: IKE phase I: Setting LifeTime to 28800 seconds
11/12/2010 10:47:42 AM Ike: IkeSa negotiated with the following properties -
11/12/2010 10:47:42 AM   Authentication=PRE_SHARED_KEY,Encryption=DES3,Hash=MD5,DHGroup=2,KeyLen=0
11/12/2010 10:47:42 AM IPSec: Final Tunnel EndPoint is:0xx.0xx.004.196
11/12/2010 10:47:42 AM Ike: q3 ->Support for NAT-T version - 9
11/12/2010 10:47:42 AM Ike: XMIT_MSG3_MAIN - q3
11/12/2010 10:47:43 AM Ike: RECV_MSG4_MAIN - q3
11/12/2010 10:47:43 AM Ike: Turning on NATD mode - q3 - 1
11/12/2010 10:47:43 AM Ike: XMIT_MSG5_MAIN - q3
11/12/2010 10:48:10 AM ERROR - 4023: IKE(phase1):Lost contact to Gateway (No Response) in state <Wait for Message 6> - q3.
11/12/2010 10:48:10 AM Ike: phase1:name(q3) -

And here is what my log from the router says

Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: ignoring unknown Vendor ID payload [da8e937880010000]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [XAUTH]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [Dead Peer Detection]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: ignoring unknown Vendor ID payload [eb4c1b788afd4a9cb7730a68d56d088b]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: ignoring unknown Vendor ID payload [c61baca1f1a60cc10800000000000000]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [Cisco-Unity]
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: responding to Main Mode from unknown peer xx.xxx.163.27
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27#3: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: Pluto does not support HybridInitRSA authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: Pluto does not support HybridInitRSA authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: NAT-Traversal: Result using 3: peer is NATed
Nov 12 07:44:56 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 12 07:44:56 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 12 07:44:56 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 07:44:56 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: peer's ID_USER_FQDN contains no @
Nov 12 07:44:56 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: sending encrypted notification INVALID_ID_INFORMATION to xx.xxx.163.27:500
Nov 12 07:45:05 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 07:45:05 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: peer's ID_USER_FQDN contains no @
Nov 12 07:45:05 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: sending encrypted notification INVALID_ID_INFORMATION to xx.xxx.163.27:500
Nov 12 07:45:06 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 07:45:06 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: peer's ID_USER_FQDN contains no @
Nov 12 07:45:06 - [VPN Log]: "Test"[3] xx.xxx.163.27  #3: sending encrypted notification INVALID_ID_INFORMATION to xx.xxx.163.27:500
Nov 12 07:45:10 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 07:45:10 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: peer's ID_USER_FQDN contains no @
Nov 12 07:45:10 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: sending encrypted notification INVALID_ID_INFORMATION to xx.xxx.163.27:500
Nov 12 07:45:16 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 07:45:16 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: peer's ID_USER_FQDN contains no @
Nov 12 07:45:16 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: sending encrypted notification INVALID_ID_INFORMATION to xx.xxx.163.27:500
Nov 12 07:45:23 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: byte 2 of ISAKMP Hash Payload must be zero, but is not
Nov 12 07:45:23 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: malformed payload in packet
Nov 12 07:45:23 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: sending notification PAYLOAD_MALFORMED to xx.xxx.163.27:500

---------------------------------------------------------------

Anything you can take from that?

Author Comment

by:q3tech15
ID: 34121783
Actually, look at this one for my router -- turned off the extended authentication in NCP

Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: ignoring unknown Vendor ID payload [da8e937880010000]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [XAUTH]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [Dead Peer Detection]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: ignoring unknown Vendor ID payload [eb4c1b788afd4a9cb7730a68d56d088b]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: ignoring unknown Vendor ID payload [c61baca1f1a60cc10800000000000000]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [Cisco-Unity]
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: responding to Main Mode from unknown peer 71.115.163.27
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: NAT-Traversal: Result using 3: peer is NATed
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: peer's ID_USER_FQDN contains no @
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: sending encrypted notification INVALID_ID_INFORMATION to 71.115.163.27:500
Nov 12 08:10:11 - [VPN Log]: "Test"[2] 71.115.163.27 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 08:10:11 - [VPN Log]: "Test"[2] 71.115.163.27 #2: peer's ID_USER_FQDN contains no @
Nov 12 08:10:11 - [VPN Log]: "Test"[2] 71.115.163.27 #2: sending encrypted notification INVALID_ID_INFORMATION to 71.115.163.27:500
Nov 12 08:10:11 - [VPN Log]: "Test"[2] 71.115.163.27 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 08:10:11 - [VPN Log]: "Test"[2] 71.115.163.27 #2: peer's ID_USER_FQDN contains no @
Nov 12 08:10:11 - [VPN Log]: "Test"[2] 71.115.163.27 #2: sending encrypted notification INVALID_ID_INFORMATION to 71.115.163.27:500
Nov 12 08:10:16 - [VPN Log]: "Test"[2] 71.115.163.27 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 08:10:16 - [VPN Log]: "Test"[2] 71.115.163.27 #2: peer's ID_USER_FQDN contains no @
Nov 12 08:10:16 - [VPN Log]: "Test"[2] 71.115.163.27 #2: sending encrypted notification INVALID_ID_INFORMATION to 71.115.163.27:500
Nov 12 08:10:22 - [VPN Log]: "Test"[2] 71.115.163.27 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 08:10:22 - [VPN Log]: "Test"[2] 71.115.163.27 #2: peer's ID_USER_FQDN contains no @
Nov 12 08:10:22 - [VPN Log]: "Test"[2] 71.115.163.27 #2: sending encrypted notification INVALID_ID_INFORMATION to 71.115.163.27:500
Nov 12 08:10:29 - [VPN Log]: "Test"[2] 71.115.163.27 #2: next payload type of ISAKMP Hash Payload has an unknown value: 216
Nov 12 08:10:29 - [VPN Log]: "Test"[2] 71.115.163.27 #2: malformed payload in packet
Nov 12 08:10:29 - [VPN Log]: "Test"[2] 71.115.163.27 #2: sending notification PAYLOAD_MALFORMED to 71.115.163.27:500
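Added here as an example, not code from the thread, from Cisco or from NCP: a small Python classifier for the two router logs posted above (read together with the NCP trace). The router's "[VPN Log]" lines are standard Openswan/Pluto responder messages, so the script tracks the Main Mode state the responder reached, the transforms it refused, and the notifications it sent back, and maps that to a likely cause. The cause strings are this example's reading of those messages and are an assumption, not text from the router manual. The embedded sample log is a trimmed copy of the second router log with the peer address replaced by a documentation address.

```python
"""Classify Openswan/Pluto-style IKEv1 responder log lines from a VPN router.

Added example (not the router's, Cisco's or NCP's code). The diagnosis text
is this example's reading of the standard Pluto messages: an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a trimmed copy of the router log from the thread,
# with the peer address replaced by a documentation address (203.0.113.27).
SAMPLE_LOG = """\
Nov 12 08:10:01 - [VPN Log]: packet from 203.0.113.27:500: received Vendor ID payload [XAUTH]
Nov 12 08:10:01 - [VPN Log]: packet from 203.0.113.27:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 203.0.113.27 #2: responding to Main Mode from unknown peer 203.0.113.27
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 203.0.113.27 #2: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 203.0.113.27 #2: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 203.0.113.27 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 203.0.113.27 #2: NAT-Traversal: Result using 3: peer is NATed
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 203.0.113.27 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 203.0.113.27 #2: peer's ID_USER_FQDN contains no @
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 203.0.113.27 #2: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.27:500
Nov 12 08:10:29 - [VPN Log]: "Test"[2] 203.0.113.27 #2: malformed payload in packet
Nov 12 08:10:29 - [VPN Log]: "Test"[2] 203.0.113.27 #2: sending notification PAYLOAD_MALFORMED to 203.0.113.27:500
"""

TRANSFORM_RE = re.compile(r"Oakley Transform \[([^\]]+)\] refused")
STATE_RE = re.compile(r"transition from state (\S+) to state (\S+)")
NOTIFY_RE = re.compile(r"sending (?:encrypted )?notification (\S+) to")
CONN_RE = re.compile(r'"([^"]+)"\[\d+\] (\S+)\s+#\d+:\s*(.*)$')


@dataclass
class Phase1Report:
    conn: str = ""
    peer: str = ""
    last_state: str = "STATE_MAIN_R0"      # a responder starts in R0
    peer_nated: bool = False
    xauth_offered: bool = False            # peer advertised XAUTH capability
    refused_transforms: List[str] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)
    id_error: str = ""


def parse_vpn_log(text: str) -> Phase1Report:
    """Fold the log into a Phase1Report; later lines override earlier state."""
    r = Phase1Report()
    for line in text.splitlines():
        if "[VPN Log]" not in line:
            continue
        if "Vendor ID payload [XAUTH]" in line:
            r.xauth_offered = True             # capability only, not use
            continue
        m = CONN_RE.search(line)
        if not m:
            continue                           # pre-connection "packet from" chatter
        r.conn, r.peer, msg = m.group(1), m.group(2), m.group(3)
        t, s, n = TRANSFORM_RE.search(msg), STATE_RE.search(msg), NOTIFY_RE.search(msg)
        if t:
            r.refused_transforms.append(t.group(1))
        elif s:
            r.last_state = s.group(2)
        elif n:
            r.notifications.append(n.group(1))
        elif "peer is NATed" in msg:
            r.peer_nated = True
        elif msg.startswith("peer's ID_"):
            r.id_error = msg
    return r


def diagnose(r: Phase1Report) -> str:
    """Map the responder's view of phase 1 to the most likely cause."""
    if "INVALID_ID_INFORMATION" in r.notifications:
        # The responder read the ID payload out of MI5, so the pre-shared key
        # matched; what it rejected was the identity the client presented.
        return ("identity rejected (" + r.id_error + "): give the client a local ID "
                "the responder accepts, e.g. an IP address, an FQDN or a user@domain "
                "string, instead of a bare name")
    if r.last_state == "STATE_MAIN_R0":
        if r.refused_transforms:
            return "no acceptable phase-1 proposal; refused: " + "; ".join(r.refused_transforms)
        return "no Main Mode exchange started"
    if "PAYLOAD_MALFORMED" in r.notifications:
        # MI5 decrypted to garbage with no earlier error: the classic symptom
        # of a pre-shared key mismatch.
        return "MI5 unreadable after decryption: check the pre-shared key on both sides"
    return "phase 1 reached " + r.last_state + " without a fatal notification"


if __name__ == "__main__":
    report = parse_vpn_log(SAMPLE_LOG)
    print(report.last_state, report.refused_transforms, report.notifications)
    print(diagnose(report))
```

Run as-is, it reports that the responder reached STATE_MAIN_R2 (so the client got through NAT and exchanged MR1/MR2 fine), that the two MODP1024 proposals were refused, and that the first fatal message was INVALID_ID_INFORMATION because the client sent a user-FQDN identity with no "@". The "refused due to strict flag" lines are consistent with the router's 768-bit group setting in the configuration above while the client proposes the 1024-bit group. Two caveats beyond the diagnosis: the 768-bit group (DH group 1) and MD5 are far below what should be used for a tunnel exposed on the internet, so the proposal should be raised to the strongest group and hash the firmware and client both support once the tunnel is up; and the full log also shows the client advertising XAUTH while the router's policy refuses it, which the parser records but does not treat as fatal, because the exchange continued past it.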
LVL 90

Expert Comment

by:John Hurst
ID: 34121816
It appears that the initial setup on the client is not getting through at all. The LinkSys says it does not have a proper userid and the NCP client says it loses contact in phase 1.  

All I can suggest here is that you mirror your settings in the LinkSys to settings in NCP, but you may need to get some local setup assistance here as well. ... Thinkpads_User
LVL 1

Expert Comment

by:thaibn
ID: 34126412
I've used the RVS4000 in multiple locations, but have never seen it work for client to network. I don't think that unit supports that configuration. For client to network, you'd need to go to an RV042.
LVL 90

Expert Comment

by:John Hurst
ID: 34127107
I use an RV042 (noted much earlier) and the RV0xx series does work. ... Thinkpads_User
LVL 33

Expert Comment

by:MikeKane
ID: 34136904
The RV0 Series does work from client to router... although the VPN client for IPsec that Linksys provides is not the best...
LVL 90

Expert Comment

by:John Hurst
ID: 34137008
The best client for VPN at this point is the NCP Secure Entry client and it works with Linksys RV0xx routers as well as Juniper Netscreen and others. ... Thinkpads_User

Author Comment

by:q3tech15
ID: 34137173
Well, I don't understand why the connection isn't being made. Still working on the issue.
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 34146851
g3tech...   This has been a known issue with the QuickVPN client for quite a while.  It has affected me as well.    Calling Linksys/Cisco would also confirm this, although they won't offer a solution.  

It's just a so-so client that came packaged for free.  

PPTP is a good alternative or a 3rd party IPSEC client.  


Author Comment

by:q3tech15
ID: 34147119
Yes, I am going to try to troubleshoot a little bit longer, then I'm going to try to use my server instead of the router.

Author Closing Comment

by:q3tech15
ID: 34369120
Come to realize that I'm just screwed while using this router for VPN other than branch connections.