RV042 second VPN gateway not connecting

I have a main office and 2 branches. I'm trying to connect the branches with the main office using VPN.
On the main office I have a Cisco RV042, on the branches Cisco RV180.
The main office internal IP class is 192.168.1.x, one of the branches has 192.168.2.x and the other 192.168.3.x.

I created a tunnel for the first branch. It connects, I can ping and access shares on the computers over VPN.

I created the second tunnel on the RV042, changing only the public and private IP of the second branch. Basically changed 192.168.2.0 with 192.168.3.0 and the public IP 1.2.3.4 with 1.2.3.5.

Configured the second RV180 with the identical settings as the RV180 from the first branch (changing IPs, of course).

The second tunnel does not work. Here is the log from the RV042:
Nov 20 19:09:05 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.5:4500
Nov 20 19:09:05 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===10.11.12.13:4500...1.2.3.4:4500[@domain.neat-url.com]===192.168.3.0/24
Nov 20 19:09:05 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Nov 20 19:09:05 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Nov 20 19:08:33 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 1.2.3.5:4500
Nov 20 19:08:33 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4174825 (perhaps this is a duplicated packet)
Nov 20 19:08:33 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4174825 (perhaps this is a duplicated packet)
Nov 20 19:08:24 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 1.2.3.5:4500
Nov 20 19:08:24 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4174825 (perhaps this is a duplicated packet)
Nov 20 19:08:24 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4174825 (perhaps this is a duplicated packet)
Nov 20 19:08:14 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 1.2.3.5:4500
Nov 20 19:08:14 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4174825 (perhaps this is a duplicated packet)
Nov 20 19:08:14 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4174825 (perhaps this is a duplicated packet)
Nov 20 19:08:10 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 1.2.3.5:4500


And here is the log from the RV180:
Thu Nov 20 19:05:21 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:05:23 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:26 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:05:27 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:32 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:05:33 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:37 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:05:37 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:44 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:47 2014 (GMT +0200): [router2] [IKE] INFO:  Failed 1 of 3 times to get DPD R-U-THERE-ACK from peer "10.11.12.13[4500]"
Thu Nov 20 19:05:47 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:05:47 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:52 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:05:54 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:57 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:06:02 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:06:05 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:06:07 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:06:07 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:06:12 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:06:14 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:06:17 2014 (GMT +0200): [router2] [IKE] ERROR:  Phase 2 negotiation failed due to time up. e3a7bae37c872080:46238ea9527f4696:000083a4
Thu Nov 20 19:06:17 2014 (GMT +0200): [router2] [IKE] INFO:  an undead schedule has been deleted: 'quick_i1prep'.
Thu Nov 20 19:06:17 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:06:23 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:06:24 2014 (GMT +0200): [router2] [IKE] ERROR:  Phase 2 negotiation failed due to time up. e3a7bae37c872080:46238ea9527f4696:000082ea



Any ideas on what could be wrong? I've already spent 3 hours on this and can't find anything wrong in the configuration.

Thank you
Dan Craciun, IT Consultant, Asked:

Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
INVALID_ID_INFORMATION is the start of the issue. There should be a message prior to that, displaying which ID is used. See if you used something to identify the remote end (Local ID, Remote ID) - this needs to be different in both tunnels.
Dan Craciun, IT Consultant, Author Commented:
I think it makes sense...
 
Both branches have DynDNS domains associated, but the root domain is the same: branch1.dyndns.com and branch2.dyndns.com.
Could it be that the RV042 is not resolving the second name and uses the same IP, assuming that the same domain should have the same IP?

I'm going to test in a few hours.
Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
No. For identification either the IP or the FQDN is used, or whatever you provided in the Local ID of the VPN initiator (the branch RV).
The two RV180's settings in "Local Group Setup" need to be different, and match the "Remote Group Setup" for the respective tunnel.
Dan Craciun, IT Consultant, Author Commented:
Just tested, and the FQDN was the problem. As soon as I used branch1.dyndns.com and branch2.anotherdyndns.com, the second branch connected without issues.
Dan Craciun, IT Consultant, Author Commented:
Turned out it was a DNS issue. The RV042 only resolves addresses once if they belong to the same domain.
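
Added example, not part of the original thread: a small Python check that parses the RV042's "no connection is known for" line and compares the peer gateway printed in it with the packet's source address and with the configured tunnels. The `TUNNELS` table and the function name are assumptions built from the addresses in the question; the sample log is constructed in the format of the log quoted above.

```python
import re

# Constructed sample in the format of the RV042 log quoted in the question.
SAMPLE_LOG = (
    "Nov 20 19:09:05 2014\tVPN Log\t(g2gips0)[1] 1.2.3.5:4500 #1: sending "
    "encrypted notification INVALID_ID_INFORMATION to 1.2.3.5:4500\n"
    "Nov 20 19:09:05 2014\tVPN Log\t(g2gips0)[1] 1.2.3.5:4500 #1: cannot respond "
    "to IPsec SA request because no connection is known for 192.168.1.0/24==="
    "10.11.12.13:4500...1.2.3.4:4500[@domain.neat-url.com]===192.168.3.0/24\n"
)

# Assumed tunnel table (remote gateway -> remote subnet), from the question.
TUNNELS = {"1.2.3.4": "192.168.2.0/24", "1.2.3.5": "192.168.3.0/24"}

REJECT = re.compile(
    r"\] (?P<src>[\d.]+):\d+ #\d+: cannot respond to IPsec SA request "
    r"because no connection is known for "
    r"(?P<local_net>[^=\s]+)===(?P<local_gw>[\d.]+)(?::\d+)?(?:\[[^\]]*\])?"
    r"\.\.\.(?P<peer_gw>[\d.]+)(?::\d+)?(?:\[(?P<peer_id>[^\]]*)\])?"
    r"===(?P<peer_net>\S+)"
)

def diagnose(log_text, tunnels):
    """Return one finding per distinct rejected Quick Mode proposal."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m or m.groups() in seen:   # the router logs many lines twice
            continue
        seen.add(m.groups())
        f = m.groupdict()
        problems = []
        # Sender's address differs from the peer the gateway matched it to.
        if f["src"] != f["peer_gw"]:
            problems.append("peer_address_mismatch")
        # Proposed remote subnet is not the one configured for the sender.
        if tunnels.get(f["src"]) != f["peer_net"]:
            problems.append("subnet_not_for_sender")
        # Proposed remote subnet is not the one configured for the matched peer.
        if f["peer_gw"] in tunnels and tunnels[f["peer_gw"]] != f["peer_net"]:
            problems.append("subnet_not_for_matched_peer")
        f["problems"] = problems
        findings.append(f)
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, TUNNELS):
        print(f["src"], "->", f["peer_gw"], f["peer_id"], f["problems"])
```

On the sample, the proposal from 1.2.3.5 carries the correct subnet for that branch but is evaluated against the peer entry for 1.2.3.4, which is the discrepancy visible in the quoted log.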