  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 962

RV042 VPN gateway no longer working after firmware update

I've encountered a bug in the RV042 firmware that came with my router:
- if I have 2 or more Gateway to Gateway VPN tunnels where
- the authentication is "Dynamic IP + FQDN" and
- 2 or more sites have an address of the form branchname1.domain.com, branchname2.domain.com etc
Then only the first connection was successful.
I had to change the second site's FQDN to branchname2.anotherdomain.com, then all the tunnels were working.

The setup worked for a couple of days, then all the tunnels stopped connecting. I had to make them branchname1.domain.org, branchname2.anotherdomain.notcom; essentially, I needed to make all FQDNs have different terminations.

This worked, but judging by the progression, at the end of this week I probably would have needed to change the names to not letters or something.

So I searched for an updated firmware and updated to the latest: v4.2.3.03.

Now none of the VPN tunnels work. This is what I get in the RV042 logs:
Nov 24 20:11:59 2014	VPN Log	(g2gips0)[534] 1.2.3.4: [Tunnel Disconnected] instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
Nov 24 20:11:59 2014	VPN Log	packet from 1.2.3.4:500: [Tunnel Authorize Fail] 'g2gips0' forbids connection, cause: Aggressive Mode
Nov 24 20:11:59 2014	VPN Log	(g2gips0)[533] 5.6.7.8: [Tunnel Disconnected] instance with peer 5.6.7.8 {isakmp=#0/ipsec=#0}
Nov 24 20:11:59 2014	VPN Log	packet from 5.6.7.8:500: [Tunnel Authorize Fail] 'g2gips0' forbids connection, cause: Aggressive Mode
Nov 24 20:11:49 2014	VPN Log	(g2gips0)[530] 1.2.3.4: [Tunnel Disconnected] instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
Nov 24 20:11:49 2014	VPN Log	packet from 1.2.3.4:500: [Tunnel Authorize Fail] 'g2gips0' forbids connection, cause: Aggressive Mode



Looks like a security issue, but from where?

Thank you.
0
Asked by: Dan Craciun
David Johnson, CD, MVP (Owner) commented:
One thing that worked for others was changing the DH group to 2.
0
 
Dan Craciun (IT Consultant, Author) commented:
I tried:
DES/MD5/Group1
DES/MD5/Group2
AES128/SHA1/Group1
AES128/SHA1/Group2

The same result.
This looks like a bug to me: the new firmware cannot use Aggressive mode.
I've tried using direct IP authentication and it works without any issues.

Where can I report a bug for Cisco small business routers? I've asked the sales rep that sold the RV042 and the RV180s and he said he's just a salesman and has no idea how to reach Cisco tech support.

Thanks,
Dan
0
 
Dan Craciun (IT Consultant, Author) commented:
Probably a bug in firmware. Will try to find where to post bugs at Cisco.
0
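
Added example, not part of the original thread and not Cisco tooling: a Python tally of the [Tunnel Authorize Fail] entries in the log excerpt from the question, grouped by cause and peer, to check whether every site is being rejected for the same stated reason. The function names are hypothetical, and the sample is the excerpt from the question, assumed to be tab-separated.

```python
import re
from collections import Counter, defaultdict

# Sample input: the six lines from the question's log excerpt (fields assumed tab-separated).
SAMPLE_LOG = (
    "Nov 24 20:11:59 2014\tVPN Log\t(g2gips0)[534] 1.2.3.4: [Tunnel Disconnected] instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}\n"
    "Nov 24 20:11:59 2014\tVPN Log\tpacket from 1.2.3.4:500: [Tunnel Authorize Fail] 'g2gips0' forbids connection, cause: Aggressive Mode\n"
    "Nov 24 20:11:59 2014\tVPN Log\t(g2gips0)[533] 5.6.7.8: [Tunnel Disconnected] instance with peer 5.6.7.8 {isakmp=#0/ipsec=#0}\n"
    "Nov 24 20:11:59 2014\tVPN Log\tpacket from 5.6.7.8:500: [Tunnel Authorize Fail] 'g2gips0' forbids connection, cause: Aggressive Mode\n"
    "Nov 24 20:11:49 2014\tVPN Log\t(g2gips0)[530] 1.2.3.4: [Tunnel Disconnected] instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}\n"
    "Nov 24 20:11:49 2014\tVPN Log\tpacket from 1.2.3.4:500: [Tunnel Authorize Fail] 'g2gips0' forbids connection, cause: Aggressive Mode\n"
)

# Matches only the rejection entries; disconnect notices and other lines are ignored.
FAIL_RE = re.compile(
    r"packet from (?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+): "
    r"\[Tunnel Authorize Fail\] '(?P<conn>[^']+)' forbids connection, "
    r"cause: (?P<cause>.+?)\s*$"
)


def summarize_auth_failures(log_text):
    """Return {cause: {peer_ip: count}} for every [Tunnel Authorize Fail] entry."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        if "VPN Log" not in line:
            continue  # skip entries from other log categories
        match = FAIL_RE.search(line)
        if match:
            summary[match["cause"]][match["peer"]] += 1
    return {cause: dict(peers) for cause, peers in summary.items()}


def single_common_cause(summary):
    """Return the cause when two or more peers all fail for one cause, else None."""
    if len(summary) == 1:
        cause, peers = next(iter(summary.items()))
        if len(peers) >= 2:
            return cause
    return None


if __name__ == "__main__":
    result = summarize_auth_failures(SAMPLE_LOG)
    print(result)
    print("Common cause across peers:", single_common_cause(result))
```
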
