Solved

RV042 VPN gateway no longer working after firmware update

Posted on 2014-11-24
Last Modified: 2014-12-16
I've encountered a bug in the RV042 firmware that came with my router:
- if I have 2 or more Gateway to Gateway VPN tunnels where
- the authentication is "Dynamic IP + FQDN" and
- 2 or more sites have an address of the form branchname1.domain.com, branchname2.domain.com etc
Then only the first connection was successful.
I had to change the second site's FQDN to branchname2.anotherdomain.com, then all the tunnels were working.

The setup worked for a couple of days, then all the tunnels stopped connecting. I had to make them branchname1.domain.org, branchname2.anotherdomain.notcom; essentially, I needed to make all FQDNs have different terminations.

This worked, but judging by the progression, at the end of this week I probably would have needed to change the names to not letters or something.

So I searched for an updated firmware and updated to the latest: v4.2.3.03.

Now none of the VPN tunnels work. This is what I get in the RV042 logs:
Nov 24 20:11:59 2014	VPN Log	(g2gips0)[534] 1.2.3.4: [Tunnel Disconnected] instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
Nov 24 20:11:59 2014	VPN Log	packet from 1.2.3.4:500: [Tunnel Authorize Fail] 'g2gips0' forbids connection, cause: Aggressive Mode
Nov 24 20:11:59 2014	VPN Log	(g2gips0)[533] 5.6.7.8: [Tunnel Disconnected] instance with peer 5.6.7.8 {isakmp=#0/ipsec=#0}
Nov 24 20:11:59 2014	VPN Log	packet from 5.6.7.8:500: [Tunnel Authorize Fail] 'g2gips0' forbids connection, cause: Aggressive Mode
Nov 24 20:11:49 2014	VPN Log	(g2gips0)[530] 1.2.3.4: [Tunnel Disconnected] instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
Nov 24 20:11:49 2014	VPN Log	packet from 1.2.3.4:500: [Tunnel Authorize Fail] 'g2gips0' forbids connection, cause: Aggressive Mode



Looks like a security issue, but from where?

Thank you.
Question by:Dan Craciun
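A small triage script for the log format quoted in the question, added here as an example and not part of the original thread: it tallies the Tunnel Authorize Fail and Tunnel Disconnected entries per peer and reports whether every rejection carries the same cause. The regular expressions are inferred from the six quoted lines only, and the function names are illustrative.

```python
import re
from collections import defaultdict

# The six lines quoted in the question (peer addresses as posted there).
SAMPLE_LOG = "\n".join([
    "Nov 24 20:11:59 2014\tVPN Log\t(g2gips0)[534] 1.2.3.4: [Tunnel Disconnected] instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}",
    "Nov 24 20:11:59 2014\tVPN Log\tpacket from 1.2.3.4:500: [Tunnel Authorize Fail] 'g2gips0' forbids connection, cause: Aggressive Mode",
    "Nov 24 20:11:59 2014\tVPN Log\t(g2gips0)[533] 5.6.7.8: [Tunnel Disconnected] instance with peer 5.6.7.8 {isakmp=#0/ipsec=#0}",
    "Nov 24 20:11:59 2014\tVPN Log\tpacket from 5.6.7.8:500: [Tunnel Authorize Fail] 'g2gips0' forbids connection, cause: Aggressive Mode",
    "Nov 24 20:11:49 2014\tVPN Log\t(g2gips0)[530] 1.2.3.4: [Tunnel Disconnected] instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}",
    "Nov 24 20:11:49 2014\tVPN Log\tpacket from 1.2.3.4:500: [Tunnel Authorize Fail] 'g2gips0' forbids connection, cause: Aggressive Mode",
])

# "<date> <time> <year>  VPN Log  <message>"; fields may be tab- or space-separated.
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+VPN Log\s+(.*)$")
FAIL_RE = re.compile(
    r"^packet from ([\d.]+):(\d+): \[Tunnel Authorize Fail\] "
    r"'([^']+)' forbids connection, cause: (.+)$")
DROP_RE = re.compile(r"^\(([^)]+)\)\[(\d+)\] ([\d.]+): \[Tunnel Disconnected\]")

def summarize(log_text):
    """Return {peer: {"failures": n, "disconnects": n, "causes": set, "tunnels": set}}."""
    peers = defaultdict(lambda: {"failures": 0, "disconnects": 0,
                                 "causes": set(), "tunnels": set()})
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # not a VPN Log entry
        msg = line.group(2)
        if (m := FAIL_RE.match(msg)):
            peer, _port, tunnel, cause = m.groups()
            peers[peer]["failures"] += 1
            peers[peer]["causes"].add(cause.strip())
            peers[peer]["tunnels"].add(tunnel)
        elif (m := DROP_RE.match(msg)):
            tunnel, _instance, peer = m.groups()
            peers[peer]["disconnects"] += 1
            peers[peer]["tunnels"].add(tunnel)
    return dict(peers)

def shared_cause(summary):
    """Return the cause if every rejected peer failed for the same one, else None."""
    causes = set().union(*(p["causes"] for p in summary.values())) if summary else set()
    return next(iter(causes)) if len(causes) == 1 else None

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for peer, stats in sorted(report.items()):
        print(peer, stats["failures"], stats["disconnects"], sorted(stats["causes"]))
```

On the quoted lines, both peers are rejected on the same tunnel name with the same cause, which is what the per-peer tally makes visible at a glance.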
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40466132
One thing that worked for others was changing the DH group to 2.
 
LVL 35

Accepted Solution

by:
Dan Craciun earned 0 total points
ID: 40466233
I tried:
DES/MD5/Group1
DES/MD5/Group2
AES128/SHA1/Group1
AES128/SHA1/Group2

The same result.
This looks like a bug to me: the new firmware cannot use Aggressive mode.
I've tried using direct IP authentication and it works without any issues.

Where can I report a bug for Cisco small business routers? I've asked the sales rep that sold the RV042 and the RV180s and he said he's just a salesman and has no idea how to reach Cisco tech support.

Thanks,
Dan
 
LVL 35

Author Closing Comment

by:Dan Craciun
ID: 40502227
Probably a bug in firmware. Will try to find where to post bugs at Cisco.
