Solved

Help with Cisco RV180W site to site VPN

Posted on 2013-12-22
2,334 Views
Last Modified: 2014-02-02
Hello everyone,

I need some help with setting up a site-to-site VPN connection. We have one Zyxel Zywall 5 at our main site (site A) and one Cisco RV180W at the secondary site (site B).

We are trying to connect the two networks together, but so far no luck.

The Zyxel Zywall 5 is working with other sites without any problems (and with Cisco equipment, but we haven't tried an RV180W before).
We have configured the Cisco RV180W with the same settings on both ends, and according to both VPN boxes the VPN tunnel is established successfully.

But we can't ping, RDP, open file shares or do anything else between the two LANs.

Firewall rules are created for both sites with all ports open.
We have tried both aggressive and main mode with the same results.

LAN
Site A: 192.168.101.0/24
Site B: 192.168.100.0/24

Log from the Cisco RV180W (the external IP addresses for both sites are changed to local.domain.com (site B) and external.domain.com (site A)):
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Beginning Aggressive mode.
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Received Vendor ID: DPD
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Received unknown Vendor ID
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] WARNING:  Ignore INITIAL-CONTACT notification from external.domain.com[500] because it is only accepted after phase1.
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA established for 192.168.101.1[500]-external.domain.com[500] with spi:ecf7bd7c5ac1d891:50b170a5ff716aa0
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Sending Informational Exchange: notify payload[608]
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Responding to new phase 2 negotiation: 192.168.101.1[0]<=>external.domain.com[0]
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Using IPsec SA configuration: 192.168.101.0/24<->192.168.100.0/24
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel external.domain.com->192.168.101.1 with spi=228163318(0xd997ef6)
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel 192.168.101.1->external.domain.comwith spi=2470161521(0x933bac71)
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Using IPsec SA configuration: 192.168.101.0/24<->192.168.100.0/24
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Configuration found for external.domain.com.
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Configuration found for external.domain.com.
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Initiating new phase 1 negotiation: 77.88.84.162[500]<=>external.domain.com[500]
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Beginning Aggressive mode.
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  NAT-Traversal is Enabled
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:   [isakmp_agg.c:257]: XXX: NUMNATTVENDORIDS: 3
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 4
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 8
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 9
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Received Vendor ID: DPD
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Received unknown Vendor ID
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA established for local.domain.com[500]-external.domain.com[500] with spi:312ac89d65dbffd0:8f42567138472a90
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Initiating new phase 2 negotiation:local.domain.com[0]<=>195.159.200.62[0]
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] WARNING:  attribute has been modified.
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel external.domain.com->local.domain.com with spi=129691023(0x7baed8f)
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel local.domain.com->external.domain.com with spi=2127203659(0x7eca8d4b)
Sun Dec 22 12:28:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  an undead schedule has been deleted: 'pk_recvupdate'.
Sun Dec 22 12:28:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Purged IPsec-SA with proto_id=ESP and spi=2470161521(0x933bac71).
Sun Dec 22 12:30:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=ecf7bd7c5ac1d891:50b170a5ff716aa0.
Sun Dec 22 12:30:13 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA deleted for 192.168.101.1[500]-external.domain.com[500] with spi:ecf7bd7c5ac1d891:50b170a5ff716aa0

Something is wrong, and most likely it is something in our configuration, but hopefully some of you have tested this before and have some tips for us.

Best Regards,
Thomas
Question by:thbor83
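As an added diagnostic example (not code from the thread): a small Python parser for the RV180W's IKE log format above that reports how long each ESP SA lived before being purged and checks that a negotiated phase-2 selector pair is exactly the two LANs. When a tunnel reports "established" but passes no traffic, short-lived SAs and a selector that does not cover both LANs are the first things to rule out. The sample log is constructed from lines quoted in the question.

```python
import re
from datetime import datetime
from ipaddress import ip_network

# Constructed sample in the RV180W's IKE log format, built from lines quoted in the question.
SAMPLE_LOG = """\
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA established for 192.168.101.1[500]-external.domain.com[500] with spi:ecf7bd7c5ac1d891:50b170a5ff716aa0
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Using IPsec SA configuration: 192.168.101.0/24<->192.168.100.0/24
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel external.domain.com->192.168.101.1 with spi=228163318(0xd997ef6)
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel 192.168.101.1->external.domain.comwith spi=2470161521(0x933bac71)
Sun Dec 22 12:28:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Purged IPsec-SA with proto_id=ESP and spi=2470161521(0x933bac71).
"""

# Timestamp, "(GMT +0200):", "[router] [IKE]", level, then the free-text message.
LINE_RE = re.compile(r"^(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \(GMT [+-]\d{4}\): "
                     r"\[[^\]]+\] \[IKE\] (\w+):\s+(.*)$")
SPI_RE = re.compile(r"spi=\d+\((0x[0-9a-f]+)\)")          # ESP SPI in hex, e.g. 0x933bac71
SEL_RE = re.compile(r"Using IPsec SA configuration: (\S+)<->(\S+)")

def parse_ike_log(text):
    """Return (timestamp, level, message) for every line that matches the log format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group(2), m.group(3)))
    return events

def ipsec_sa_lifetimes(events):
    """Map each ESP SPI to the seconds it lived; None if the log never shows it purged."""
    established, purged = {}, {}
    for ts, _, msg in events:
        m = SPI_RE.search(msg)
        if m and msg.startswith("IPsec-SA established"):
            established[m.group(1)] = ts
        elif m and msg.startswith("Purged IPsec-SA"):
            purged[m.group(1)] = ts
    return {spi: (int((purged[spi] - t).total_seconds()) if spi in purged else None)
            for spi, t in established.items()}

def selector_matches(events, lan_a, lan_b):
    """True if some negotiated phase-2 selector pair is exactly the two LANs (either order)."""
    want = {ip_network(lan_a), ip_network(lan_b)}
    for _, _, msg in events:
        m = SEL_RE.search(msg)
        if m and {ip_network(m.group(1)), ip_network(m.group(2))} == want:
            return True
    return False
```

Run it against the full log export from the router; an SA that is purged seconds after establishment, or a selector that is not the LAN pair the two sites expect, points at a phase-2 mismatch rather than a firewall rule.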
11 Comments
Expert Comment

by:John Hurst
I have not tried this connection so I do not know for sure what the issue is.

On both ends, make sure Main or Aggressive mode is set the same.

Then down in the Advanced setup of the RV180 tunnel, select (check) Keep-Alive, NAT Traversal, and Dead Peer Detect.

See if those settings help.

.... Thinkpads_User
Author Comment

by:thbor83
Thinkpads_user,

Thanks for your suggestions. I turned "Dead Peer Detect" back on, since I had tried turning it off to see if it made any difference.

But Keep-Alive and NAT Traversal don't seem to be valid choices on the RV180W that I have.

See attached image.

Both sites are now set to "Aggressive"; tried "Main" earlier today but no difference.

Best Regards,
Thomas B

[Image: IKE Policy Table - RV180W]
Expert Comment

by:John Hurst
Your options are more limited than on my RV042G.

Where you have a Fully Qualified Domain Name for the remote end, try an IP address. The fact that you can make a tunnel and not pass data may have to do with DNS. Using IP addresses usually gets around this.

... Thinkpads_User
Author Comment

by:thbor83
Sorry, I should have said that in the first post. I use IP addresses instead of FQDNs but changed the logs to DNS names before I posted here.

So external.domain.com is actually an IP address; I have done this on both sides.
Yes, it seems the RV180W is more limited than your RV042G, but according to the logs NAT Traversal is enabled by default.

Best Regards,
Thomas B
Expert Comment

by:John Hurst
Try putting the server and other resource names in your hosts file on the RV180W end.

So:  192.168.0.10x  Servername  # Descriptive Comment

See if using the Hosts file helps pass data.

.... Thinkpads_User
Author Comment

by:thbor83
That didn't work. I guess it wouldn't work anyway, since I can't ping IPs either.

None of the logs give any errors when I try to ping, but I can't ping.
Did a tracert on both sides, and it gives this output:

tracert 192.168.101.1

Tracing route to 192.168.101.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.100.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Apparently it's not going through the VPN connection at all.

Best Regards,
Thomas B
Expert Comment

by:John Hurst
First, I have probably offered you what I know in an effort to help.

Next, please allow me to offer my own site to site settings that are working (4 clients, Juniper and Cisco at the remote ends, Cisco RV042G in my home office).

I use IP Only for Local and Remote. Both ends should have the external IP as part of the setup. Make sure your subnet mask is set to 255.255.255.0 for your setup.

I use IKE with Preshared key. Make sure the key is the same both ends.

I use DH Group 2 (not 1), DES (and sometimes 3DES), and SHA1 for both phases. The important thing is that they match both ends.

Make sure your SA life is long enough (28,800 seconds phase 1 and 3600 seconds phase 2).

I do not use Aggressive Mode normally, that is, I use Main Mode normally.

I have a split DNS variable but it is not used.

That is probably all I can offer. Perhaps someone else will look later today.

.... Thinkpads_User
Author Comment

by:thbor83
Thanks for your help, Thinkpads_user. I also have the same settings on my Zywall and Cisco, apart from some differences from your setup.

I have several sites working in other places, and one connection to Site A from a software vendor. But the Cisco RV180W is the only one I haven't been able to connect with.

Again, thanks for your help so far :)
Hopefully someone has tried this or has some suggestion on what it might be. I will see if I can try with another Cisco box I think I have at the office, to see if it's only the RV180W that doesn't work.

Best Regards,
Thomas B
Expert Comment

by:John Hurst
Please let us know about the other Cisco box and if it works.

... Thinkpads_User
Accepted Solution

by: thbor83 (earned 0 total points)
Sorry for the late update on this post. I wasn't able to resolve the problem with the Cisco router, so I ordered a new Zyxel USG 20W and then it worked like a charm.

So apparently the Cisco RV180W doesn't work with the Zyxel Zywall 5 for connecting networks through VPN.

Thanks for all your help.
Author Closing Comment

by:thbor83
Since the solution was to buy a new router and configure it, my solution was the correct one, but all the help from the experts was very good.