Help with Cisco RV180W site to site VPN

Hello everyone,

I need some help with setting up a site to site vpn connection. We have one Zyxel Zywall 5 on our main site (site A) and one Cisco RV180W on the secondary site (site B).

We are trying to connect two networks together, but so far no luck.

The Zyxel ZyWALL 5 is working against other sites without any problems (and Cisco equipment, but we haven't tried the RV180W before).
Have configured Cisco RV180W with the same settings on both ends, and according to both vpn boxes the vpn tunnel is established successfully.

But we can't ping, RDP, open a file share or do anything else between the two LANs.

Firewall settings are created for both sites with all ports open.
Have tried both aggressive and main mode with the same results.

LAN
Site A: 192.168.101.0/24
Site B: 192.168.100.0/24

Log from the Cisco RV180W (external IP addresses for both sites are changed to local.domain.com (site B) and external.domain.com (site A)):
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Beginning Aggressive mode.
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Received Vendor ID: DPD
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Received unknown Vendor ID
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] WARNING:  Ignore INITIAL-CONTACT notification from external.domain.com[500] because it is only accepted after phase1.
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA established for 192.168.101.1[500]-external.domain.com[500] with spi:ecf7bd7c5ac1d891:50b170a5ff716aa0
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Sending Informational Exchange: notify payload[608]
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Responding to new phase 2 negotiation: 192.168.101.1[0]<=>external.domain.com[0]
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Using IPsec SA configuration: 192.168.101.0/24<->192.168.100.0/24
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel external.domain.com->192.168.101.1 with spi=228163318(0xd997ef6)
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel 192.168.101.1->external.domain.comwith spi=2470161521(0x933bac71)
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Using IPsec SA configuration: 192.168.101.0/24<->192.168.100.0/24
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Configuration found for external.domain.com.
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Configuration found for external.domain.com.
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Initiating new phase 1 negotiation: 77.88.84.162[500]<=>external.domain.com[500]
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Beginning Aggressive mode.
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  NAT-Traversal is Enabled
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:   [isakmp_agg.c:257]: XXX: NUMNATTVENDORIDS: 3
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 4
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 8
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 9
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Received Vendor ID: DPD
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Received unknown Vendor ID
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA established for local.domain.com[500]-external.domain.com[500] with spi:312ac89d65dbffd0:8f42567138472a90
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Initiating new phase 2 negotiation:local.domain.com[0]<=>195.159.200.62[0]
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] WARNING:  attribute has been modified.
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel external.domain.com->local.domain.com with spi=129691023(0x7baed8f)
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel local.domain.com->external.domain.com with spi=2127203659(0x7eca8d4b)
Sun Dec 22 12:28:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  an undead schedule has been deleted: 'pk_recvupdate'.
Sun Dec 22 12:28:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Purged IPsec-SA with proto_id=ESP and spi=2470161521(0x933bac71).
Sun Dec 22 12:30:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=ecf7bd7c5ac1d891:50b170a5ff716aa0.
Sun Dec 22 12:30:13 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA deleted for 192.168.101.1[500]-external.domain.com[500] with spi:ecf7bd7c5ac1d891:50b170a5ff716aa0

Something is wrong, and most likely is something we have in our configuration but hopefully some of you have tested this before and have some tips for us.

Best Regards,
Thomas
Asked by thbor83

John (Business Consultant, Owner) commented:
I have not tried this connection so I do not know for sure what the issue is.

On both ends, make sure Main or Aggressive mode is set the same.

Then down in the Advanced setup of the RV180 tunnel, select (check) Keep-Alive, NAT Traversal, and Dead Peer Detect.

See if those settings help.

.... Thinkpads_User

thbor83 (Author) commented:
Thinkpads_user,

Thanks for your suggestions, I changed "Dead Peer Detect" on again since I tried to turn it off to see if it made any difference.

But the choices Keep-Alive and NAT Traversal don't seem to be valid choices on the RV180W that I have.

See attached image.

Both sites are now set to "Aggressive"; I tried "Main" earlier today but there was no difference.

Best Regards,
Thomas B

[Attached image: IKE Policy Table - RV180W]

John (Business Consultant, Owner) commented:
Your options are more limited than on my RV042G.

Where you have a Fully Qualified Domain Name for the remote end, try an IP address. The fact that you can make a tunnel and not pass data may have to do with DNS. Using IP addresses usually gets around this.

... Thinkpads_User

thbor83 (Author) commented:
Sorry, I should have said that in the first post. I use IP addresses instead of FQDNs but changed the logs to DNS names before I posted here.

So external.domain.com is actually an IP address; I have done this on both sides.
Yes, it seems that the RV180W is more limited than your RV042G, but according to the logs NAT Traversal is enabled by default.

Best Regards,
Thomas B

John (Business Consultant, Owner) commented:
Try putting the server and other resource names in your hosts file on the RV180W end.

So:  192.168.0.10x  Servername  # Descriptive Comment

See if using the Hosts file helps pass data.

.... Thinkpads_User

thbor83 (Author) commented:
That didn't work; I guess that wouldn't work anyway since I can't ping IPs either.

None of the logs give any errors when I try to ping but I can't ping.
Did a tracert on both sides, and it gives this output:

tracert 192.168.101.1

Tracing route to 192.168.101.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.100.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Apparently it's not going through the VPN connection at all.

Best Regards,
Thomas B
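The IKE log in the question and the tracert above, as an added example (my code, not from anyone in the thread): a Python analyzer for the RV180W log format that extracts the phase-1 and phase-2 SAs, pairs established ESP SPIs against purged ones, confirms that the negotiated selector pair matches the two LANs, and tests whether a given source/destination pair (such as a Site B host tracing to 192.168.101.1) falls inside any negotiated selector. The sample log is a constructed subset of the posted lines with the poster's placeholder hostnames kept; `analyze`, `selector_covers` and `summarize` are my names, not device or vendor APIs.

```python
import ipaddress
import re

# Constructed sample: a subset of the posted RV180W lines, in the same format.
SAMPLE_LOG = """\
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA established for 192.168.101.1[500]-external.domain.com[500] with spi:ecf7bd7c5ac1d891:50b170a5ff716aa0
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Using IPsec SA configuration: 192.168.101.0/24<->192.168.100.0/24
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel external.domain.com->192.168.101.1 with spi=228163318(0xd997ef6)
Sun Dec 22 12:27:38 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel 192.168.101.1->external.domain.com with spi=2470161521(0x933bac71)
Sun Dec 22 12:27:47 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  ISAKMP-SA established for local.domain.com[500]-external.domain.com[500] with spi:312ac89d65dbffd0:8f42567138472a90
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] WARNING:  attribute has been modified.
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel external.domain.com->local.domain.com with spi=129691023(0x7baed8f)
Sun Dec 22 12:27:48 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  IPsec-SA established: ESP/Tunnel local.domain.com->external.domain.com with spi=2127203659(0x7eca8d4b)
Sun Dec 22 12:28:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Purged IPsec-SA with proto_id=ESP and spi=2470161521(0x933bac71).
Sun Dec 22 12:30:12 2013 (GMT +0200): [Moss-ROUTER] [IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=ecf7bd7c5ac1d891:50b170a5ff716aa0.
"""

# One regex for the line envelope, then one per event type we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \(GMT [+-]\d{4}\): "
    r"\[(?P<host>[^\]]+)\] \[IKE\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
PHASE1_RE = re.compile(r"ISAKMP-SA established for (?P<local>\S+)\[\d+\]-(?P<remote>\S+)\[\d+\] with spi:(?P<spi>[0-9a-f:]+)")
PHASE2_RE = re.compile(r"IPsec-SA established: ESP/Tunnel (?P<src>\S+)->(?P<dst>\S+) with spi=(?P<spi>\d+)")
SELECTOR_RE = re.compile(r"Using IPsec SA configuration: (?P<a>\S+)<->(?P<b>\S+)")
PURGE_RE = re.compile(r"Purged (?P<kind>IPsec-SA|ISAKMP-SA) with proto_id=\w+ and spi=(?P<spi>[0-9a-fx:]+)")


def parse_ike_log(text):
    """Yield (timestamp, level, message) for each line that matches the envelope."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("ts"), m.group("level"), m.group("msg")


def analyze(text, expected_lans):
    """Summarise SA lifecycle events and check selectors against the LAN pair we expect."""
    report = {"phase1": [], "phase2": [], "selectors": set(), "warnings": [], "purged": set()}
    for _ts, level, msg in parse_ike_log(text):
        if level == "WARNING":
            report["warnings"].append(msg)
        if (m := PHASE1_RE.search(msg)):
            report["phase1"].append((m["local"], m["remote"], m["spi"]))      # (local id, peer id, cookie pair)
        elif (m := PHASE2_RE.search(msg)):
            report["phase2"].append((m["src"], m["dst"], int(m["spi"])))     # one entry per direction
        elif (m := SELECTOR_RE.search(msg)):
            report["selectors"].add(frozenset((m["a"], m["b"])))
        elif (m := PURGE_RE.search(msg)):
            spi = m["spi"]
            report["purged"].add(int(spi) if spi.isdigit() else spi)          # ESP SPIs are decimal, ISAKMP cookies hex
    established = {spi for _, _, spi in report["phase2"]}
    report["open_phase2"] = sorted(established - report["purged"])
    report["selector_ok"] = frozenset(expected_lans) in report["selectors"]
    # Distinct identities this router negotiated phase 1 under; more than one is worth a look.
    report["local_identities"] = sorted({loc for loc, _, _ in report["phase1"]})
    return report


def selector_covers(report, src_ip, dst_ip):
    """True if some negotiated selector pair has src on one side and dst on the other."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pair in report["selectors"]:
        nets = [ipaddress.ip_network(p) for p in pair]
        if len(nets) == 2 and ((src in nets[0] and dst in nets[1]) or (src in nets[1] and dst in nets[0])):
            return True
    return False


def summarize(report):
    lines = [
        f"phase 1 SAs: {len(report['phase1'])} (local identities: {', '.join(report['local_identities'])})",
        f"phase 2 SAs established: {len(report['phase2'])}, still open: {len(report['open_phase2'])}",
        f"expected LAN pair negotiated: {report['selector_ok']}",
    ]
    lines += [f"WARNING: {w}" for w in report["warnings"]]
    return "\n".join(lines)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG, ("192.168.100.0/24", "192.168.101.0/24"))
    print(summarize(rep))
    print("192.168.100.10 -> 192.168.101.1 covered by a selector:",
          selector_covers(rep, "192.168.100.10", "192.168.101.1"))
```

On the full log the report also lists the distinct local identities under which phase 1 was negotiated; the posted excerpt shows two (192.168.101.1 and local.domain.com), which is worth comparing against the address the RV180W is meant to present as its own gateway. With SAs up and the selector covering the traced pair, a first hop at the local gateway followed only by timeouts narrows the question to whether the router actually steers that traffic into the tunnel and whether the far side routes replies back.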

John (Business Consultant, Owner) commented:
First, I have probably offered you what I know in an effort to help.

Next, please allow me to offer my own site to site settings that are working (4 clients, Juniper and Cisco at the remote ends, Cisco RV042G in my home office).

I use IP Only Local and Remote. Both ends should have the external IP as part of the setup. Make sure your subnet mask is set to 255.255.255.0 for your setup.

I use IKE with Preshared key. Make sure the key is the same both ends.

I use DH Group 2 (not 1), DES (and sometimes 3DES), and SHA1 for both phases. The important thing is that they match both ends.

Make sure your SA life is long enough (28,800 seconds phase 1 and 3600 seconds phase 2).

I do not use Aggressive Mode normally, that is, I use Main Mode normally.

I have a split DNS variable but it is not used.

That is probably all I can offer.  Perhaps someone else will look later today.

.... Thinkpads_User
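John's checklist above, turned into an added Python comparison (my code, not anything from the thread or either vendor): two constructed endpoint definitions, a `compare_endpoints` function that reports every parameter that is not identical or mirrored between the ends (exchange mode, pre-shared key compared by digest, phase-1 and phase-2 proposals and lifetimes, WAN peer addresses, LAN selectors including mask validity and overlap), and a `weak_settings` advisory for parameters that negotiate fine but are weak by today's standards. All addresses, keys and parameter values are hypothetical.

```python
import hashlib
import ipaddress

# Constructed sample settings for the two ends (hypothetical values, not the poster's real configuration).
SITE_A = {
    "mode": "main",
    "psk": "example-shared-secret",
    "local_wan_ip": "203.0.113.1", "peer_ip": "198.51.100.2",
    "local_net": "192.168.101.0/24", "remote_net": "192.168.100.0/24",
    "phase1": {"dh_group": 2, "encryption": "3des", "hash": "sha1", "lifetime_s": 28800},
    "phase2": {"encryption": "3des", "hash": "sha1", "lifetime_s": 3600},
}
SITE_B = {
    "mode": "aggressive",                                   # differs from SITE_A
    "psk": "example-shared-secret",
    "local_wan_ip": "198.51.100.2", "peer_ip": "203.0.113.1",
    "local_net": "192.168.100.0/24", "remote_net": "192.168.101.0/24",
    "phase1": {"dh_group": 2, "encryption": "3des", "hash": "sha1", "lifetime_s": 28800},
    "phase2": {"encryption": "des", "hash": "sha1", "lifetime_s": 28800},   # cipher and lifetime differ
}


def _digest(secret):
    # Compare keys by digest so a mismatch report never carries the key itself.
    return hashlib.sha256(secret.encode()).hexdigest()


def _net(text):
    # strict=True rejects host bits, e.g. "192.168.101.1/24" entered where a network was meant.
    return ipaddress.ip_network(text, strict=True)


def compare_endpoints(a, b):
    """Return human-readable mismatches between the two tunnel definitions (empty list = consistent)."""
    issues = []
    if a["mode"] != b["mode"]:
        issues.append(f"IKE exchange mode differs: {a['mode']} vs {b['mode']}")
    if _digest(a["psk"]) != _digest(b["psk"]):
        issues.append("pre-shared keys differ (compared by SHA-256 digest)")
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            va, vb = a[phase].get(key), b[phase].get(key)
            if va != vb:
                issues.append(f"{phase} {key} differs: {va} vs {vb}")
    # Each side's "remote" must be the other side's "local", for WAN peers and LAN selectors alike.
    if a["peer_ip"] != b["local_wan_ip"] or b["peer_ip"] != a["local_wan_ip"]:
        issues.append("peer/WAN addresses are not mirrored between the two ends")
    try:
        a_local, a_remote = _net(a["local_net"]), _net(a["remote_net"])
        b_local, b_remote = _net(b["local_net"]), _net(b["remote_net"])
    except ValueError as exc:
        issues.append(f"invalid network/mask: {exc}")
        return issues
    if a_local != b_remote or b_local != a_remote:
        issues.append("LAN selectors are not mirrored between the two ends")
    if a_local.overlaps(b_local):
        issues.append(f"LANs overlap: {a_local} and {b_local}")
    return issues


def weak_settings(cfg):
    """Advisory notes on parameters that negotiate but are weak by current standards."""
    notes = []
    for phase in ("phase1", "phase2"):
        enc, integ = cfg[phase].get("encryption"), cfg[phase].get("hash")
        if enc == "des":
            notes.append(f"{phase}: single DES (56-bit) is broken; use AES")
        elif enc == "3des":
            notes.append(f"{phase}: 3DES is legacy and slow; prefer AES")
        if integ == "md5":
            notes.append(f"{phase}: MD5 integrity is deprecated; prefer SHA-2")
    if cfg["phase1"].get("dh_group") == 1:
        notes.append("phase1: DH group 1 (768-bit MODP) is too small; use group 14 or larger")
    if cfg["mode"] == "aggressive":
        notes.append("aggressive mode with a PSK sends the identity hash unprotected, so the key "
                     "can be guessed offline; prefer main mode")
    return notes


if __name__ == "__main__":
    for issue in compare_endpoints(SITE_A, SITE_B):
        print("MISMATCH:", issue)
    for site_name, site in (("A", SITE_A), ("B", SITE_B)):
        for note in weak_settings(site):
            print(f"ADVISORY site {site_name}:", note)
```

The mismatch list is what to work through first, since phase 1 and phase 2 both come up in the posted log; the advisory list does not explain a tunnel that passes no traffic, but it is the list to act on once it does.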

thbor83 (Author) commented:
Thanks for your help Thinkpads_User, I also have the same settings set on my ZyWALL and Cisco, except for some differences from your setup.

I have several sites working other places, and one connection to Site A from one software vendor. But the cisco RV180W is the only one I haven't been able to connect with.

Again thanks for your help so far :)
Hopefully someone has tried this or has some suggestion on what it might be. I will see if I can try with another Cisco box I think I have located at the office, to see if it is only the RV180W that doesn't work.

Best Regards,
Thomas B

John (Business Consultant, Owner) commented:
Please let us know about the other Cisco box and if it works.

... Thinkpads_User

thbor83 (Author) commented:
Sorry for the late update on this post. I wasn't able to resolve the problem with the cisco router so I ordered a new zyxel USG 20W and then it worked like a charm.

So apparently the Cisco RV180W doesn't work with the Zyxel ZyWALL 5 for connecting networks through VPN.

Thanks for all your help.

thbor83 (Author) commented:
Since the solution was to buy a new router and configure this my solution was the correct one, but all help from the experts was very good.