RV042 second VPN gateway not connecting

Posted on 2014-11-20
Last Modified: 2014-11-21
I have a main office and 2 branches. I'm trying to connect the branches with the main office using VPN.
On the main office I have a Cisco RV042, on the branches Cisco RV180.
The main office internal IP class is 192.168.1.x, one of the branches has 192.168.2.x and the other 192.168.3.x.

I created a tunnel for the first branch. It connects, I can ping and access shares on the computers over VPN.

I created the second tunnel on the RV042, changing only the public and private IP of the second branch. Basically I replaced 192.168.2.0 with 192.168.3.0 and the public IP 1.2.3.4 with 1.2.3.5.

Configured the second RV180 with settings identical to those of the RV180 from the first branch (changing IPs, of course).

The second tunnel does not work. Here is the log from the RV042:
Nov 20 19:09:05 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.5:4500
Nov 20 19:09:05 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===10.11.12.13:4500...1.2.3.4:4500[@domain.neat-url.com]===192.168.3.0/24
Nov 20 19:09:05 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Nov 20 19:09:05 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Nov 20 19:08:33 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 1.2.3.5:4500
Nov 20 19:08:33 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4174825 (perhaps this is a duplicated packet)
Nov 20 19:08:33 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4174825 (perhaps this is a duplicated packet)
Nov 20 19:08:24 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 1.2.3.5:4500
Nov 20 19:08:24 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4174825 (perhaps this is a duplicated packet)
Nov 20 19:08:24 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4174825 (perhaps this is a duplicated packet)
Nov 20 19:08:14 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 1.2.3.5:4500
Nov 20 19:08:14 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4174825 (perhaps this is a duplicated packet)
Nov 20 19:08:14 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4174825 (perhaps this is a duplicated packet)
Nov 20 19:08:10 2014	VPN Log	(g2gips0)[1] 1.2.3.5:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 1.2.3.5:4500

And here is the log from the RV180:
Thu Nov 20 19:05:21 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:05:23 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:26 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:05:27 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:32 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:05:33 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:37 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:05:37 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:44 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:47 2014 (GMT +0200): [router2] [IKE] INFO:  Failed 1 of 3 times to get DPD R-U-THERE-ACK from peer "10.11.12.13[4500]"
Thu Nov 20 19:05:47 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:05:47 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:52 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:05:54 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:05:57 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:06:02 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:06:05 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:06:07 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:06:07 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:06:12 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:06:14 2014 (GMT +0200): [router2] [IKE] ERROR:  Unknown notify message from 10.11.12.13[4500].No phase2 handle found.
Thu Nov 20 19:06:17 2014 (GMT +0200): [router2] [IKE] ERROR:  Phase 2 negotiation failed due to time up. e3a7bae37c872080:46238ea9527f4696:000083a4
Thu Nov 20 19:06:17 2014 (GMT +0200): [router2] [IKE] INFO:  an undead schedule has been deleted: 'quick_i1prep'.
Thu Nov 20 19:06:17 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:06:23 2014 (GMT +0200): [router2] [IKE] INFO:  Sending Informational Exchange: notify payload[10381]
Thu Nov 20 19:06:24 2014 (GMT +0200): [router2] [IKE] ERROR:  Phase 2 negotiation failed due to time up. e3a7bae37c872080:46238ea9527f4696:000082ea

Any ideas on what could be wrong? I've already spent 3 hours on this and can't find anything wrong in the configuration.

Thank you
Question by:Dan Craciun

Accepted Solution

by: Qlemo (earned 2000 total points)
ID: 40457227
INVALID_ID_INFORMATION is the start of the issue. There should be a message prior to that, displaying which ID is used. See if you used something to identify the remote end (Local ID, Remote ID) - this needs to be different in both tunnels.

Author Comment

by:Dan Craciun
ID: 40457266
I think it makes sense...
 
Both branches have DynDNS domains associated, but the root domain is the same: branch1.dyndns.com and branch2.dyndns.com.
Could it be that the RV042 is not resolving the second name and uses the same IP, assuming that the same domain should have the same IP?

I'm going to test in a few hours.

Expert Comment

by:Qlemo
ID: 40457319
No. For identification either the IP or the FQDN is used, or whatever you provided in the Local ID of the VPN initiator (the branch RV).
The two RV180s' settings in "Local Group Setup" need to be different, and must match the "Remote Group Setup" for the respective tunnel.
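As an added illustration of the identification rule Qlemo describes (example code written for this page, not from the thread or from Cisco): a small Python checker that reads the RV042's "no connection is known for" log line from the question and tests it against a tunnel table. The hub looks the Phase 1 peer up by its Remote ID and then checks whether the subnet requested in Quick Mode belongs to that tunnel, so two tunnels sharing one ID cannot be told apart. The tunnel names, both tables and the FQDN branch2.example.net are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Tunnel:
    name: str
    remote_id: str      # "Remote Group Setup" ID the branch presents in IKE Phase 1
    remote_subnet: str  # branch LAN this tunnel is allowed to carry (Phase 2 selector)

# Matches the RV042 line: ...known for LOCAL_NET===LOCAL_GW...REMOTE_GW[@ID]===REMOTE_NET
NO_CONN_RE = re.compile(
    r"no connection is known for (?P<local_net>\S+?)==="
    r"(?P<local_gw>\S+?)\.\.\.(?P<remote_gw>[\d.:]+)"
    r"(?:\[@(?P<remote_id>[^\]]+)\])?===(?P<remote_net>\S+)"
)

def parse_no_connection(line):
    m = NO_CONN_RE.search(line)
    return m.groupdict() if m else None

def diagnose(line, tunnels):
    """Which tunnel did the hub bind the Phase 1 SA to, and can it serve the Quick Mode subnet?"""
    p = parse_no_connection(line)
    if p is None:
        return {"verdict": "not_a_no_connection_line"}
    peer_id = p["remote_id"] or p["remote_gw"].split(":")[0]  # no FQDN ID -> the IP is the ID
    bound = [t.name for t in tunnels if t.remote_id == peer_id]
    owners = [t.name for t in tunnels if t.remote_subnet == p["remote_net"]]
    if len(bound) > 1:
        verdict = "id_collision"       # two tunnels share one Remote ID; hub cannot tell them apart
    elif not owners:
        verdict = "unknown_subnet"     # no tunnel is configured for the requested LAN at all
    elif owners[0] not in bound:
        verdict = "selector_mismatch"  # peer identified as one branch but asked for another's LAN
    else:
        verdict = "ok"
    return {"verdict": verdict, "peer_id": peer_id, "bound_to": bound,
            "requested_subnet": p["remote_net"], "subnet_owner": owners}

# The log line from the question (tabs as in the RV042 export).
RV042_LOG = ("Nov 20 19:09:05 2014\tVPN Log\t(g2gips0)[1] 1.2.3.5:4500 #1: cannot respond to "
             "IPsec SA request because no connection is known for 192.168.1.0/24==="
             "10.11.12.13:4500...1.2.3.4:4500[@domain.neat-url.com]===192.168.3.0/24")

# Constructed tables: before the fix both branches present the same ID (the log shows the
# 192.168.3.0/24 request landing on the 1.2.3.4 tunnel); after it, branch2 has its own FQDN.
BEFORE = [Tunnel("branch1", "domain.neat-url.com", "192.168.2.0/24"),
          Tunnel("branch2", "domain.neat-url.com", "192.168.3.0/24")]
AFTER = [Tunnel("branch1", "domain.neat-url.com", "192.168.2.0/24"),
         Tunnel("branch2", "branch2.example.net", "192.168.3.0/24")]
```

Run `diagnose(RV042_LOG, BEFORE)` and `diagnose(RV042_LOG, AFTER)`: the first reports the ID collision, the second shows the peer still being bound to branch1 while asking for branch2's LAN, which is what the "Local Group Setup" change on the second RV180 has to fix.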

Author Comment

by:Dan Craciun
ID: 40457594
Just tested, and the FQDN was the problem. As soon as I used branch1.dyndns.com and branch2.anotherdyndns.com, the second branch connected without issues.

Author Closing Comment

by:Dan Craciun
ID: 40457622
Turned out it was a DNS issue. The RV042 only resolves addresses once if they belong to the same domain.