Cisco RVS4000 VPN Router Setup

I have an RVS4000 VPN Router that's giving me some issues with the VPN setup. My goal is to set up a VPN so that I can use my laptop from anywhere and connect to my home network resources (I have a few servers that I would like to be able to access data from). With that said, I think perhaps I might be getting confused with the terminology this router uses and I'm setting it up wrong? Here are my current settings:

Select Tunnel Entry: Test

IPSec VPN Tunnel: Enable
Tunnel Name: Test

Local Group Setup
Local Security Gateway Type: IP Only
IP address: XXX.XXX.XXX.196
Local Security Group Type: Subnet
IP Address: 15.10.5.1 <--(my router address)
Subnet Mask: 255.255.255.0

Remote Group Setup
Remote Security Gateway Type: Any
This Gateway accepts requests from any IP address.
Remote Security Group Type: Subnet
IP Address: 15.10.2.1
Subnet Mask: 255.255.255.0


IPSec Setup

Keying Mode:       IKE with pre-shared key

Phase 1:
Encryption: 3DES      
Authentication: SHA1
Group: 768-bit
Key Lifetime: 28800  sec

Phase 2:
Encryption: 3DES
Authentication: SHA1
Perfect Forward Secrecy: Enable
Preshared Key: XXXXXXX <---password
Group: 768-bit
Key Lifetime: 3600  sec

Status
Down

Any ideas? I have all forms of VPN Passthrough enabled.
1 Solution
 
John Hurst, Business Consultant (Owner), commented:
First, I am not an expert in this, so if I do not help, someone else will have to respond.

In a LinkSys RV042 (probably quite similar) there are two types of tunnels: Gateway <-> Gateway for two like routers connected to each other and Gateway <-> Client for one router and one client machine.  

Then the Local setting above (assuming this is the machine with the router) looks fine (same as mine).

The remote end is very different. It looks like you used Gateway <-> Gateway, and you need a Client setting for the remote end. Further, you would need an IPsec VPN application on the laptop to access your home machine. Check the remote end settings.

... Thinkpads_User
 
q3tech15 (Author) commented:
There is no option that I see to determine whether you want a gateway <-> gateway connection or a gateway <-> client. I'm baffled.
 
John Hurst, Business Consultant (Owner), commented:
On my RV042 (I know it is not the same machine), I log into the router. Across the top I see Summary, Setup, DHCP, blah, blah, VPN, blah, blah. I click on VPN (that is where the tunnel setup is). I see the summary VPN setups (I have multiple Gateway <-> Gateway). I click on Add Tunnel and I see two choices: Gateway <-> Gateway and Client <-> Gateway. The product literature suggests your machine will do it, but you would have to check through its manual. It will reference QuickVPN for application access. ... Thinkpads_User
 
John Hurst, Business Consultant (Owner), commented:
This manual describes the two methods for your router:

http://www.cisco.com/en/US/docs/routers/csbr/rvs4000/administration/guide/RVS4000_Admin_Guide.pdf

See page 101 .... Thinkpads_User
 
q3tech15 (Author) commented:
From that, it's still only allowing/showing a router-to-router connection.
 
John Hurst, Business Consultant (Owner), commented:
You probably need to read through the manual more completely. In my post above I noted QuickVPN. See the diagram on page 17 and it is precisely what you want. So now trail through the manual from that to build the VPN connection. That starts on page 133. It may be that QuickVPN is acting as the Client part of the connection. For sure, as I noted at the beginning, you need a client application, so start here.

... Thinkpads_User
 
MikeKane commented:
The RVS model, just like the RV042 model, only has a client-to-router IPsec option that must use the QuickVPN app that came with the unit. You can also download the latest QuickVPN client from Cisco as well if you need it.

Quick VPN has some issues, especially when used from behind other NAT devices... but for the most part it works well enough.  

 
q3tech15 (Author) commented:
I'll try the QuickVPN tonight on a work laptop since my laptop is running Windows 7 x64 and last I checked QuickVPN isn't compatible with it. I'll let you know the results.
 
q3tech15 (Author) commented:
QuickVPN still will not connect. It just gives me a list of possible problems.
 
John Hurst, Business Consultant (Owner), commented:
Quick VPN is not a robust client in my experience (and as noted by MikeKane above). Take a look at NCP Secure Entry (www.ncp-e.com). It is the most reliable VPN client I have seen and/or used to date. They have a full function free trial so that you can see if it fits your needs. .... Thinkpads_User
 
q3tech15 (Author) commented:
Here are the log files I have from both the NCP program and my router.

NCP

11/12/2010 10:47:42 AM IPSec: Start building connection
11/12/2010 10:47:42 AM IPSec: DNSREQ: resolving dnserver over lan: domainname.org
11/12/2010 10:47:42 AM IPSec: DNSREQ: resolved ipadr: 0xx.0xx.004.196
11/12/2010 10:47:42 AM Ike: Outgoing connect request MAIN mode - gateway=xx.xx.4.196 : q3
11/12/2010 10:47:42 AM Ike: XMIT_MSG1_MAIN - q3
11/12/2010 10:47:42 AM Ike: RECV_MSG2_MAIN - q3
11/12/2010 10:47:42 AM Ike: IKE phase I: Setting LifeTime to 28800 seconds
11/12/2010 10:47:42 AM Ike: IkeSa negotiated with the following properties -
11/12/2010 10:47:42 AM   Authentication=PRE_SHARED_KEY,Encryption=DES3,Hash=MD5,DHGroup=2,KeyLen=0
11/12/2010 10:47:42 AM IPSec: Final Tunnel EndPoint is:0xx.0xx.004.196
11/12/2010 10:47:42 AM Ike: q3 ->Support for NAT-T version - 9
11/12/2010 10:47:42 AM Ike: XMIT_MSG3_MAIN - q3
11/12/2010 10:47:43 AM Ike: RECV_MSG4_MAIN - q3
11/12/2010 10:47:43 AM Ike: Turning on NATD mode - q3 - 1
11/12/2010 10:47:43 AM Ike: XMIT_MSG5_MAIN - q3
11/12/2010 10:48:10 AM ERROR - 4023: IKE(phase1):Lost contact to Gateway (No Response) in state <Wait for Message 6> - q3.
11/12/2010 10:48:10 AM Ike: phase1:name(q3) -

And here is what my log from the router says

Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: ignoring unknown Vendor ID payload [da8e937880010000]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [XAUTH]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [Dead Peer Detection]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: ignoring unknown Vendor ID payload [eb4c1b788afd4a9cb7730a68d56d088b]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: ignoring unknown Vendor ID payload [c61baca1f1a60cc10800000000000000]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Nov 12 07:44:55 - [VPN Log]: packet from xx.xxx.163.27:500: received Vendor ID payload [Cisco-Unity]
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: responding to Main Mode from unknown peer xx.xxx.163.27
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27#3: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: Pluto does not support HybridInitRSA authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: Pluto does not support HybridInitRSA authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 12 07:44:55 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: NAT-Traversal: Result using 3: peer is NATed
Nov 12 07:44:56 - [VPN Log]: "Test"[3] 71.xx.xxx.163.27 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 12 07:44:56 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 12 07:44:56 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 07:44:56 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: peer's ID_USER_FQDN contains no @
Nov 12 07:44:56 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: sending encrypted notification INVALID_ID_INFORMATION to xx.xxx.163.27:500
Nov 12 07:45:05 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 07:45:05 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: peer's ID_USER_FQDN contains no @
Nov 12 07:45:05 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: sending encrypted notification INVALID_ID_INFORMATION to xx.xxx.163.27:500
Nov 12 07:45:06 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 07:45:06 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: peer's ID_USER_FQDN contains no @
Nov 12 07:45:06 - [VPN Log]: "Test"[3] xx.xxx.163.27  #3: sending encrypted notification INVALID_ID_INFORMATION to xx.xxx.163.27:500
Nov 12 07:45:10 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 07:45:10 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: peer's ID_USER_FQDN contains no @
Nov 12 07:45:10 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: sending encrypted notification INVALID_ID_INFORMATION to xx.xxx.163.27:500
Nov 12 07:45:16 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 07:45:16 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: peer's ID_USER_FQDN contains no @
Nov 12 07:45:16 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: sending encrypted notification INVALID_ID_INFORMATION to xx.xxx.163.27:500
Nov 12 07:45:23 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: byte 2 of ISAKMP Hash Payload must be zero, but is not
Nov 12 07:45:23 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: malformed payload in packet
Nov 12 07:45:23 - [VPN Log]: "Test"[3] xx.xxx.163.27 #3: sending notification PAYLOAD_MALFORMED to xx.xxx.163.27:500

---------------------------------------------------------------

Anything you can take from that?
 
q3tech15 (Author) commented:
Actually, look at this one for my router -- turned off the extended authentication in NCP

Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: ignoring unknown Vendor ID payload [da8e937880010000]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [XAUTH]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [Dead Peer Detection]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: ignoring unknown Vendor ID payload [eb4c1b788afd4a9cb7730a68d56d088b]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: ignoring unknown Vendor ID payload [c61baca1f1a60cc10800000000000000]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Nov 12 08:10:01 - [VPN Log]: packet from 71.115.163.27:500: received Vendor ID payload [Cisco-Unity]
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: responding to Main Mode from unknown peer 71.115.163.27
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: NAT-Traversal: Result using 3: peer is NATed
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: peer's ID_USER_FQDN contains no @
Nov 12 08:10:01 - [VPN Log]: "Test"[2] 71.115.163.27 #2: sending encrypted notification INVALID_ID_INFORMATION to 71.115.163.27:500
Nov 12 08:10:11 - [VPN Log]: "Test"[2] 71.115.163.27 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 08:10:11 - [VPN Log]: "Test"[2] 71.115.163.27 #2: peer's ID_USER_FQDN contains no @
Nov 12 08:10:11 - [VPN Log]: "Test"[2] 71.115.163.27 #2: sending encrypted notification INVALID_ID_INFORMATION to 71.115.163.27:500
Nov 12 08:10:11 - [VPN Log]: "Test"[2] 71.115.163.27 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 08:10:11 - [VPN Log]: "Test"[2] 71.115.163.27 #2: peer's ID_USER_FQDN contains no @
Nov 12 08:10:11 - [VPN Log]: "Test"[2] 71.115.163.27 #2: sending encrypted notification INVALID_ID_INFORMATION to 71.115.163.27:500
Nov 12 08:10:16 - [VPN Log]: "Test"[2] 71.115.163.27 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 08:10:16 - [VPN Log]: "Test"[2] 71.115.163.27 #2: peer's ID_USER_FQDN contains no @
Nov 12 08:10:16 - [VPN Log]: "Test"[2] 71.115.163.27 #2: sending encrypted notification INVALID_ID_INFORMATION to 71.115.163.27:500
Nov 12 08:10:22 - [VPN Log]: "Test"[2] 71.115.163.27 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 12 08:10:22 - [VPN Log]: "Test"[2] 71.115.163.27 #2: peer's ID_USER_FQDN contains no @
Nov 12 08:10:22 - [VPN Log]: "Test"[2] 71.115.163.27 #2: sending encrypted notification INVALID_ID_INFORMATION to 71.115.163.27:500
Nov 12 08:10:29 - [VPN Log]: "Test"[2] 71.115.163.27 #2: next payload type of ISAKMP Hash Payload has an unknown value: 216
Nov 12 08:10:29 - [VPN Log]: "Test"[2] 71.115.163.27 #2: malformed payload in packet
Nov 12 08:10:29 - [VPN Log]: "Test"[2] 71.115.163.27 #2: sending notification PAYLOAD_MALFORMED to 71.115.163.27:500
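The two router logs posted above are Openswan/Pluto-style IKEv1 responder output. What follows is an added example, not code from the thread, from Cisco or from NCP, that parses lines of that shape and reports, per peer and IKE SA, which Phase 1 transforms the router refused, whether XAUTH was offered and rejected, how far Main Mode got, and which notification ended the exchange. The sample lines are constructed after the first router log, with the peer address replaced by the documentation address 203.0.113.27; the function and field names (parse_pluto_log, diagnose, IkeAttempt) are this example's own. One caveat the tool relies on: Pluto logs only the transforms it refuses, so the proposal it accepted never appears as a line; the state transition to STATE_MAIN_R1 is the evidence that one was accepted.

```python
"""Triage helper for Openswan/Pluto-style IKEv1 responder logs (added example).

Reads "[VPN Log]" lines of the kind the RVS4000 printed in the thread and
summarises each IKE attempt: refused Phase 1 transforms, XAUTH rejection,
NAT detection, the last Main Mode state reached and the notifications sent.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the first router log in the thread; the real
# peer address is replaced by an RFC 5737 documentation address.
SAMPLE_LOG = """\
Nov 12 07:44:55 - [VPN Log]: packet from 203.0.113.27:500: received Vendor ID payload [XAUTH]
Nov 12 07:44:55 - [VPN Log]: packet from 203.0.113.27:500: received Vendor ID payload [RFC 3947] method set to=109
Nov 12 07:44:55 - [VPN Log]: "Test"[3] 203.0.113.27 #3: responding to Main Mode from unknown peer 203.0.113.27
Nov 12 07:44:55 - [VPN Log]: "Test"[3] 203.0.113.27 #3: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 12 07:44:55 - [VPN Log]: "Test"[3] 203.0.113.27 #3: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 07:44:55 - [VPN Log]: "Test"[3] 203.0.113.27 #3: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 07:44:55 - [VPN Log]: "Test"[3] 203.0.113.27 #3: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Nov 12 07:44:55 - [VPN Log]: "Test"[3] 203.0.113.27 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 12 07:44:55 - [VPN Log]: "Test"[3] 203.0.113.27 #3: NAT-Traversal: Result using 3: peer is NATed
Nov 12 07:44:56 - [VPN Log]: "Test"[3] 203.0.113.27 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 12 07:44:56 - [VPN Log]: "Test"[3] 203.0.113.27 #3: peer's ID_USER_FQDN contains no @
Nov 12 07:44:56 - [VPN Log]: "Test"[3] 203.0.113.27 #3: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.27:500
Nov 12 07:45:23 - [VPN Log]: "Test"[3] 203.0.113.27 #3: malformed payload in packet
Nov 12 07:45:23 - [VPN Log]: "Test"[3] 203.0.113.27 #3: sending notification PAYLOAD_MALFORMED to 203.0.113.27:500
"""

# "Test"[3] 203.0.113.27 #3: <message>   (connection name, peer, SA number)
MSG_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)\s*#(?P<sa>\d+): (?P<msg>.*)$')
TRANSFORM_RE = re.compile(
    r"Oakley Transform \[(?P<enc>OAKLEY_[A-Z0-9_]+)(?: \((?P<bits>\d+)\))?, "
    r"(?P<hash>OAKLEY_[A-Z0-9_]+), (?P<group>OAKLEY_GROUP_[A-Z0-9_]+)\] refused")
NOTIFY_RE = re.compile(r"sending (?:encrypted )?notification (?P<name>[A-Z_]+) to")
STATE_RE = re.compile(r"transition from state (?P<frm>\w+) to state (?P<to>\w+)")
MAIN_MODE_ORDER = ["STATE_MAIN_R0", "STATE_MAIN_R1", "STATE_MAIN_R2", "STATE_MAIN_R3"]


@dataclass
class IkeAttempt:
    conn: str
    peer: str
    sa: int
    refused: List[Tuple[str, Optional[int], str, str]] = field(default_factory=list)
    xauth_rejected: bool = False
    nat_detected: bool = False
    id_error: Optional[str] = None
    last_state: str = "STATE_MAIN_R0"
    notifications: List[str] = field(default_factory=list)


def parse_pluto_log(text: str) -> Dict[Tuple[str, str, int], IkeAttempt]:
    """Group log lines by (connection, peer, SA) and extract what matters for triage."""
    attempts: Dict[Tuple[str, str, int], IkeAttempt] = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # vendor-ID lines precede the SA and carry no state we need
        key = (m["conn"], m["peer"], int(m["sa"]))
        a = attempts.setdefault(key, IkeAttempt(*key))
        msg = m["msg"]
        t = TRANSFORM_RE.search(msg)
        if t:
            bits = int(t["bits"]) if t["bits"] else None
            a.refused.append((t["enc"], bits, t["hash"], t["group"]))
        elif "policy does not allow Extended Authentication (XAUTH)" in msg:
            a.xauth_rejected = True
        elif "peer is NATed" in msg:
            a.nat_detected = True
        elif "contains no @" in msg:
            a.id_error = msg
        s = STATE_RE.search(msg)
        if s:
            a.last_state = s["to"]
        n = NOTIFY_RE.search(msg)
        if n:
            a.notifications.append(n["name"])
    return attempts


def diagnose(a: IkeAttempt, local_group: str) -> List[str]:
    """Turn one attempt into findings; local_group is the responder's configured DH group."""
    findings: List[str] = []
    if a.xauth_rejected:
        findings.append("client offers XAUTH but the responder policy is plain pre-shared key: turn XAUTH off on the client")
    groups = sorted({g for _, _, _, g in a.refused})
    if a.refused and local_group not in groups:
        findings.append(f"refused {len(a.refused)} proposal(s), all using {', '.join(groups)} rather than the configured {local_group}")
    if MAIN_MODE_ORDER.index(a.last_state) >= 1:
        findings.append(f"a Phase 1 proposal was accepted (Main Mode reached {a.last_state})")
    if a.nat_detected:
        findings.append("peer is behind NAT: NAT-T (UDP 4500) must be allowed end to end")
    if a.id_error:
        findings.append(f"identity check failed ({a.id_error}): the client's IKE ID type does not match what the responder expects")
    if "INVALID_ID_INFORMATION" in a.notifications:
        findings.append("responder sent INVALID_ID_INFORMATION, so Phase 2 never started; Phase 2 settings are not the problem yet")
    if "PAYLOAD_MALFORMED" in a.notifications:
        findings.append("PAYLOAD_MALFORMED after the ID rejection: the exchange was torn down; fix the ID first, then re-test")
    return findings


if __name__ == "__main__":
    # The thread's router is set to "Group: 768-bit", which is DH group 1 (MODP768).
    for key, attempt in parse_pluto_log(SAMPLE_LOG).items():
        print(f"{key[0]} peer={key[1]} SA#{key[2]}")
        for finding in diagnose(attempt, "OAKLEY_GROUP_MODP768"):
            print("  -", finding)
```

Run on the constructed sample, the findings read: XAUTH was offered and refused; the three refused proposals all used MODP1024 (DH group 2) where the router's "Group: 768-bit" is MODP768 (group 1); Main Mode still advanced to STATE_MAIN_R2, so some proposal was accepted; the peer was detected behind NAT; and the exchange was then torn down with INVALID_ID_INFORMATION because the client's IKE identity was sent as a USER_FQDN without an "@". That is the same picture the NCP client reports from its side as "Lost contact to Gateway in state <Wait for Message 6>": the router never sent MR3 because it rejected the identity carried in MI5. Everything in the Phase 2 section of the tunnel, including the pre-shared key lifetime and PFS settings, is irrelevant until that identity check passes.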
 
John Hurst, Business Consultant (Owner), commented:
It appears that the initial setup on the client is not getting through at all. The LinkSys says it does not have a proper user ID and the NCP client says it loses contact in phase 1.

All I can suggest here is that you mirror your settings in the LinkSys to settings in NCP, but you may need to get some local setup assistance here as well. ... Thinkpads_User
 
thaibn commented:
I've used the RVS4000 in multiple locations, but have never seen it work for client to network. I don't think that unit supports that configuration. For client to network, you'd need to go to an RV042.
 
John Hurst, Business Consultant (Owner), commented:
I use an RV042 (noted much earlier) and the RV0xx series does work. ... Thinkpads_User
 
MikeKane commented:
The RV0 Series does work from client to router... although the VPN client for IPsec that Linksys provides is not the best...
 
John Hurst, Business Consultant (Owner), commented:
The best client for VPN at this point is the NCP Secure Entry client and it works with Linksys RV0xx routers as well as Juniper Netscreen and others. ... Thinkpads_User
 
q3tech15 (Author) commented:
Well, I don't understand why the connection isn't being made. Still working on the issue.
 
MikeKane commented:
g3tech... This has been a known issue with the QuickVPN client for quite a while. It has affected me as well. Calling Linksys/Cisco would also confirm this, although they won't offer a solution.

It's just a so-so client that came packaged for free.  

PPTP is a good alternative or a 3rd party IPSEC client.  

 
q3tech15 (Author) commented:
Yes, I am going to try to troubleshoot a little bit longer, then I'm going to try to use my server instead of the router.
 
q3tech15 (Author) commented:
Come to realize that I'm just screwed while using this router for VPN other than branch connections.