Solved

Help with Cisco RV180W site to site VPN

Posted on 2013-12-22
Last Modified: 2014-02-02
Hello everyone,

I need some help with setting up a site-to-site VPN connection. We have one Zyxel Zywall 5 at our main site (Site A) and one Cisco RV180W at the secondary site (Site B).

We are trying to connect the two networks together, but so far no luck.

The Zyxel Zywall 5 works against other sites without any problems (and against Cisco equipment, but we haven't tried the RV180W before).
I have configured the Cisco RV180W with the same settings on both ends, and according to both VPN boxes the VPN tunnel is established successfully.

But we can't ping, RDP, open a file share or do anything else between the two LANs.

Firewall settings are created for both sites with all ports open.
Have tried both aggressive and main mode with the same results.

LAN
Site A: 192.168.101.0/24
Site B: 192.168.100.0/24

Log from the Cisco RV180W (the external IP addresses of both sites have been changed to local.domain.com (Site B) and external.domain.com (Site A)):
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Beginning Aggressive mode.
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Received Vendor ID: DPD
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Received unknown Vendor ID
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] WARNING:  Ignore INITIAL-CONTACT notification from external.domain.com[500] because it is only accepted after phase1.
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA established for 192.168.101.1[500]-external.domain.com[500] with spi:ecf7bd7c5ac1d891:50b170a5ff716aa0
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Sending Informational Exchange: notify payload[608]
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Responding to new phase 2 negotiation: 192.168.101.1[0]<=>external.domain.com[0]
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Using IPsec SA configuration: 192.168.101.0/24<->192.168.100.0/24
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel external.domain.com->192.168.101.1 with spi=228163318(0xd997ef6)
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel 192.168.101.1->external.domain.com with spi=2470161521(0x933bac71)
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Using IPsec SA configuration: 192.168.101.0/24<->192.168.100.0/24
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Configuration found for external.domain.com.
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Configuration found for external.domain.com.
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Initiating new phase 1 negotiation: 77.88.84.162[500]<=>external.domain.com[500]
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Beginning Aggressive mode.
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  NAT-Traversal is Enabled
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:   [isakmp_agg.c:257]: XXX: NUMNATTVENDORIDS: 3
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 4
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 8
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 9
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Received Vendor ID: DPD
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Received unknown Vendor ID
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA established for local.domain.com[500]-external.domain.com[500] with spi:312ac89d65dbffd0:8f42567138472a90
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Initiating new phase 2 negotiation:local.domain.com[0]<=>195.159.200.62[0]
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] WARNING:  attribute has been modified.
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel external.domain.com->local.domain.com with spi=129691023(0x7baed8f)
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel local.domain.com->external.domain.com with spi=2127203659(0x7eca8d4b)
Sun Dec 22 12:28:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  an undead schedule has been deleted: 'pk_recvupdate'.
Sun Dec 22 12:28:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Purged IPsec-SA with proto_id=ESP and spi=2470161521(0x933bac71).
Sun Dec 22 12:30:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=ecf7bd7c5ac1d891:50b170a5ff716aa0.
Sun Dec 22 12:30:13 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA deleted for 192.168.101.1[500]-external.domain.com[500] with spi:ecf7bd7c5ac1d891:50b170a5ff716aa0

Something is wrong, and most likely it is something in our configuration, but hopefully some of you have tested this before and have some tips for us.

Best Regards,
Thomas
Question by:thbor83
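Added example (not from the thread, and not Cisco's or Zyxel's code): a small Python parser for the SA-lifecycle lines in the log above. It pulls out each ISAKMP-SA and IPsec-SA with its SPI, when it came up and when it was purged, and flags three things worth asking about before changing any settings: a phase-1 SA whose local endpoint is an address inside one of the LAN subnets (the first SA in the log is keyed on 192.168.101.1, which sits in Site A's 192.168.101.0/24, while the second uses local.domain.com), two phase-1 SAs to the same peer alive at once, and a phase-2 SA that was purged within seconds of coming up. The sample lines are copied from the question with the poster's placeholders left in; the 300 s "short-lived" threshold and the wording of the findings are my own choices.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the SA lifecycle lines from the RV180W log in the question,
# with the poster's placeholders (local.domain.com / external.domain.com) kept.
SAMPLE_LOG = """\
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA established for 192.168.101.1[500]-external.domain.com[500] with spi:ecf7bd7c5ac1d891:50b170a5ff716aa0
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Using IPsec SA configuration: 192.168.101.0/24<->192.168.100.0/24
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel external.domain.com->192.168.101.1 with spi=228163318(0xd997ef6)
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel 192.168.101.1->external.domain.com with spi=2470161521(0x933bac71)
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA established for local.domain.com[500]-external.domain.com[500] with spi:312ac89d65dbffd0:8f42567138472a90
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel external.domain.com->local.domain.com with spi=129691023(0x7baed8f)
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel local.domain.com->external.domain.com with spi=2127203659(0x7eca8d4b)
Sun Dec 22 12:28:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Purged IPsec-SA with proto_id=ESP and spi=2470161521(0x933bac71).
Sun Dec 22 12:30:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=ecf7bd7c5ac1d891:50b170a5ff716aa0.
"""

# One line = timestamp, "(GMT +hhmm):", [host] [IKE] LEVEL: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \(GMT [+-]\d{4}\): "
    r"\[(?P<host>[^\]]+)\] \[IKE\] (?P<level>\w+):\s+(?P<msg>.*)$"
)
P1_EST = re.compile(r"ISAKMP-SA established for (?P<a>\S+?)\[\d+\]-(?P<b>\S+?)\[\d+\] with spi:(?P<spi>[0-9a-f:]+)")
P2_EST = re.compile(r"IPsec-SA established: ESP/Tunnel (?P<a>\S+)->(?P<b>\S+) with spi=(?P<spi>\d+)")
PURGED = re.compile(r"Purged (?:ISAKMP|IPsec)-SA with proto_id=\w+ and spi=(?P<spi>[0-9a-f:]+)")


@dataclass
class SaRecord:
    phase: int                     # 1 = ISAKMP/IKE SA, 2 = IPsec (ESP) SA
    a: str                         # phase 1: local endpoint; phase 2: tunnel source
    b: str                         # phase 1: peer; phase 2: tunnel destination
    spi: str
    established: datetime
    purged: datetime | None = None


def parse_ike_log(text: str) -> list[SaRecord]:
    """Build one record per SA and attach the purge time when it appears later."""
    records: list[SaRecord] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        msg = m["msg"]
        if (e := P1_EST.search(msg)):
            records.append(SaRecord(1, e["a"], e["b"], e["spi"], ts))
        elif (e := P2_EST.search(msg)):
            records.append(SaRecord(2, e["a"], e["b"], e["spi"], ts))
        elif (e := PURGED.search(msg)):
            for r in records:
                if r.spi == e["spi"] and r.purged is None:
                    r.purged = ts
    return records


def audit(records: list[SaRecord], lan_subnets: list[str], short_lived_s: int = 300) -> list[str]:
    """Flag a phase-1 endpoint inside a LAN subnet, overlapping phase-1 SAs to
    one peer, and phase-2 SAs torn down within short_lived_s seconds."""
    nets = [ipaddress.ip_network(n) for n in lan_subnets]
    findings: list[str] = []
    phase1 = [r for r in records if r.phase == 1]
    for r in phase1:
        try:
            addr = ipaddress.ip_address(r.a)
        except ValueError:
            continue  # a hostname placeholder, not an address
        for net in nets:
            if addr in net:
                findings.append(f"phase-1 SA {r.spi}: local endpoint {r.a} is inside LAN {net}")
    for i, x in enumerate(phase1):
        for y in phase1[i + 1:]:
            if x.b == y.b and (x.purged is None or y.established < x.purged):
                findings.append(f"overlapping phase-1 SAs to {x.b}: {x.spi} and {y.spi}")
    for r in records:
        if r.phase == 2 and r.purged is not None:
            life = (r.purged - r.established).total_seconds()
            if life < short_lived_s:
                findings.append(f"phase-2 SA spi={r.spi} ({r.a}->{r.b}) lived only {life:.0f}s")
    return findings


if __name__ == "__main__":
    recs = parse_ike_log(SAMPLE_LOG)
    for r in recs:
        down = r.purged.strftime("%H:%M:%S") if r.purged else "-"
        print(f"phase {r.phase}  {r.a} -> {r.b}  spi={r.spi}  up={r.established:%H:%M:%S}  down={down}")
    for finding in audit(recs, ["192.168.101.0/24", "192.168.100.0/24"]):
        print("CHECK:", finding)
```

Run it against the full syslog export rather than the excerpt and widen the LAN list to every subnet the tunnel is supposed to carry; an SA that is "established" but keyed on the wrong identity will pass phase 1 and phase 2 and still never match the traffic you send into it.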
11 Comments
 

Expert Comment

by:John Hurst
ID: 39734563
I have not tried this connection so I do not know for sure what the issue is.

On both ends, make sure Main or Aggressive mode is set the same.

Then down in the Advanced setup of the RV180 tunnel, select (check) Keep-Alive, NAT Traversal, and Dead Peer Detect.

See if those settings help.

.... Thinkpads_User
 

Author Comment

by:thbor83
ID: 39734580
Thinkpads_user,

Thanks for your suggestions. I turned "Dead Peer Detect" on again, since I had tried turning it off to see if it made any difference.

But Keep-Alive and NAT Traversal don't seem to be valid choices on the RV180W that I have.

See attached image.

Both sites are now set to "Aggressive"; I tried "Main" earlier today but it made no difference.

Best Regards,
Thomas B

Attached image: IKE Policy Table - RV180W
 

Expert Comment

by:John Hurst
ID: 39734586
Your options are more limited than on my RV042G.

Where you have a Fully Qualified Domain Name for the remote end, try an IP address. The fact that you can make a tunnel and not pass data may have to do with DNS. Using IP addresses usually gets around this.

... Thinkpads_User

Author Comment

by:thbor83
ID: 39734590
Sorry, I should have said that in the first post. I use IP addresses instead of FQDNs, but changed the logs to DNS names before I posted here.

So external.domain.com is actually an IP address; I have done this on both sides.
Yes, it seems that RV180W is more limited than your RV042G, but according to the logs NAT Traversal is enabled by default.

Best Regards,
Thomas B
 

Expert Comment

by:John Hurst
ID: 39734599
Try putting the server and other resource names in your hosts file on the RV180W end.

So:  192.168.0.10x  Servername  # Descriptive Comment

See if using the Hosts file helps pass data.

.... Thinkpads_User
 

Author Comment

by:thbor83
ID: 39734610
That didn't work. I guess it wouldn't work anyway, since I can't ping IPs either.

None of the logs give any errors when I try to ping but I can't ping.
Did a tracert on both sides, and it gives this output:

tracert 192.168.101.1

Tracing route to 192.168.101.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.100.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Apparently it's not going through the VPN connection at all.

Best Regards,
Thomas B
 

Expert Comment

by:John Hurst
ID: 39734630
First, I have probably offered you what I know in an effort to help.

Next, please allow me to offer my own site to site settings that are working (4 clients, Juniper and Cisco at the remote ends, Cisco RV042G in my home office).

I use IP Only Local and Remote. Both ends should have the external IP as part of the setup. Make sure your subnet mask is set to 255.255.255.0 for your setup.

I use IKE with Preshared key. Make sure the key is the same both ends.

I use DH Group 2 (not 1), DES (and sometimes 3DES), and SHA1 for both phases. The important thing is that they match both ends.

Make sure your SA life is long enough (28,800 seconds phase 1 and 3600 seconds phase 2).

I do not use Aggressive Mode normally, that is, I use Main Mode normally.

I have a split DNS variable but it is not used.

That is probably all I can offer.  Perhaps someone else will look later today.

.... Thinkpads_User
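Added example, not from the thread: a Python checker that takes both ends' IKE settings as data and reports what must match on a site-to-site tunnel (mode, cipher, integrity algorithm, DH/PFS group, pre-shared key, mirrored and non-overlapping traffic selectors) separately from what is only worth a warning. The two endpoints are constructed from the settings in the post above with one deliberate difference, PFS (DH group 2) turned on for phase 2 at Site B only, so that a mismatch shows up; the weak-algorithm notes reflect current guidance and are not something the thread says, so DES, 3DES, SHA-1 and DH group 2 would all be flagged on a tunnel built exactly to the list above.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    mode: str | None      # "main" or "aggressive" for phase 1; None for phase 2
    encryption: str       # "des", "3des", "aes128", "aes256", ...
    integrity: str        # "md5", "sha1", "sha256", ...
    dh_group: int         # phase 1: IKE group; phase 2: PFS group, 0 = PFS off
    lifetime_s: int


@dataclass(frozen=True)
class Endpoint:
    name: str
    local_net: str        # the network this side protects
    remote_net: str       # the network this side expects behind the peer
    psk: str
    phase1: Proposal
    phase2: Proposal


# Current guidance, not the thread's: these still negotiate fine on old gear
# but should not be picked for a new tunnel.
WEAK_ENC = {"des": "56-bit DES is brute-forceable",
            "3des": "3DES has a 64-bit block (Sweet32) and is deprecated"}
WEAK_INT = {"md5": "HMAC-MD5 is deprecated",
            "sha1": "HMAC-SHA1 is deprecated for new deployments"}
WEAK_DH = {1: "DH group 1 is 768-bit MODP", 2: "DH group 2 is 1024-bit MODP"}


def compare_proposals(phase: str, a: Proposal, b: Proposal) -> list[tuple[str, str]]:
    """Mode, algorithms and group must be identical; lifetime only warns."""
    out: list[tuple[str, str]] = []
    for field in ("mode", "encryption", "integrity", "dh_group"):
        if getattr(a, field) != getattr(b, field):
            out.append(("ERROR", f"{phase} {field} mismatch: {getattr(a, field)!r} vs {getattr(b, field)!r}"))
    if a.lifetime_s != b.lifetime_s:
        out.append(("WARN", f"{phase} lifetime differs ({a.lifetime_s}s vs {b.lifetime_s}s); "
                            "most stacks settle on the shorter, but it shows up as extra rekeys"))
    return out


def weak_algorithms(phase: str, p: Proposal) -> list[tuple[str, str]]:
    out: list[tuple[str, str]] = []
    if p.encryption in WEAK_ENC:
        out.append(("WARN", f"{phase} encryption {p.encryption}: {WEAK_ENC[p.encryption]}"))
    if p.integrity in WEAK_INT:
        out.append(("WARN", f"{phase} integrity {p.integrity}: {WEAK_INT[p.integrity]}"))
    if p.dh_group in WEAK_DH:
        out.append(("WARN", f"{phase} DH group {p.dh_group}: {WEAK_DH[p.dh_group]}"))
    return out


def check_tunnel(a: Endpoint, b: Endpoint) -> list[tuple[str, str]]:
    """Everything that must agree before the tunnel can carry traffic."""
    out: list[tuple[str, str]] = []
    if a.psk != b.psk:
        out.append(("ERROR", "pre-shared keys differ"))
    if a.local_net != b.remote_net or a.remote_net != b.local_net:
        out.append(("ERROR", f"traffic selectors are not mirrored: {a.name} {a.local_net}<->{a.remote_net}, "
                             f"{b.name} {b.local_net}<->{b.remote_net}"))
    if ipaddress.ip_network(a.local_net).overlaps(ipaddress.ip_network(a.remote_net)):
        out.append(("ERROR", f"{a.local_net} and {a.remote_net} overlap; nothing will route into the tunnel"))
    out += compare_proposals("phase1", a.phase1, b.phase1)
    out += compare_proposals("phase2", a.phase2, b.phase2)
    for phase, p in (("phase1", a.phase1), ("phase2", a.phase2)):
        out += weak_algorithms(phase, p)
    return out


# Constructed endpoints: the settings from the post on both ends, except that
# Site B has PFS (DH group 2) on for phase 2 and Site A does not. The PSK is a
# placeholder.
SITE_A = Endpoint("Zywall 5 (Site A)", "192.168.101.0/24", "192.168.100.0/24", "s3cret",
                  Proposal("main", "3des", "sha1", 2, 28800),
                  Proposal(None, "3des", "sha1", 0, 3600))
SITE_B = Endpoint("RV180W (Site B)", "192.168.100.0/24", "192.168.101.0/24", "s3cret",
                  Proposal("main", "3des", "sha1", 2, 28800),
                  Proposal(None, "3des", "sha1", 2, 3600))

if __name__ == "__main__":
    for severity, message in check_tunnel(SITE_A, SITE_B):
        print(f"{severity:5} {message}")
```

The ERROR lines are the ones that explain a tunnel that either never comes up or comes up and passes nothing; the WARN lines are what to change once it works. A phase-2 group mismatch is worth singling out because, as in this thread, both boxes can still report phase 1 as established while phase 2 quietly fails or rekeys.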
 

Author Comment

by:thbor83
ID: 39734675
Thanks for your help Thinkpads_user. I also have the same settings set on my Zywall and Cisco, except for some differences from your setup.

I have several sites working other places, and one connection to Site A from one software vendor. But the cisco RV180W is the only one I haven't been able to connect with.

Again thanks for your help so far :)
Hopefully someone has tried this or has some suggestion on what it might be. I will see if I can try with another Cisco box I think I have at the office, to see if it's only the RV180W that doesn't work.

Best Regards,
Thomas B
 

Expert Comment

by:John Hurst
ID: 39734897
Please let us know about the other Cisco box and if it works.

... Thinkpads_User
 

Accepted Solution

by:
thbor83 earned 0 total points
ID: 39815698
Sorry for the late update on this post. I wasn't able to resolve the problem with the Cisco router, so I ordered a new Zyxel USG 20W and then it worked like a charm.

So apparently the Cisco RV180W doesn't work with the Zyxel Zywall 5 for connecting networks through VPN.

Thanks for all your help.
 

Author Closing Comment

by:thbor83
ID: 39827463
Since the solution was to buy a new router and configure that, my solution was the correct one, but all the help from the experts was very good.
