Cisco RV320 VPN Connection

Posted on 2016-09-05
Last Modified: 2016-11-03
Sir,

I'm trying to connect our 2 Cisco RV320 VPN routers, but I'm always getting an error:

[g2gips0]#7: [Tunnel Authorize Fail] malformed payload in packet

I already followed the manual for the Gateway to Gateway setup.

My setup:

               Cisco A                                                                              Cisco B
 static local IP--static IP WAN IP ------ web ------ static IP WAN IP --- static local IP

192.168.1.1/24 - - - -122.52.0.0------web--------203.177.0.0 - - - - 192.168.3.1/24

I use keying mode: IKE with Certificate

Hoping you can help me to resolve the error.

Thank you in advance
Question by:Ray Anthony Valencia
21 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 41784605
The first thing to do is enable logging on both units (both ends). Attempt to create a tunnel, look at the logs and determine where the tunnel is failing.

I have site to site (gateway to gateway) tunnels on my RV325 VPN router. They work fine, so there is probably a set up issue. Most set up issues just cause the tunnel not to connect. Malformed packets are another error.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 41785111
Your public IPs appear to be in the Philippines. Some Asian countries block protocols required to establish an IPsec connection. I don't know about the Philippines, but countries to your west and north certainly do. Might that be a possibility?
 

Author Comment

by:Ray Anthony Valencia
ID: 41785748
Sir John,

Can you check my setup for SITE A and SITE B?

The error I got in the logs is

"kernel: wrong ip[0], not_list[0]"
Attachment: vpn.xlsx
 

Author Comment

by:Ray Anthony Valencia
ID: 41785816
Hi Sir Rob,

Currently I'm asking our ISP here in the Philippines about the IPsec protocol blocking.

Waiting for their response.
 
LVL 90

Accepted Solution

by: John Hurst (earned 500 total points, awarded by participants)
ID: 41785881
In your setup:

1. Check your certificates - I cannot do that. Or, can you try without a certificate? I do not use certificates on my setup.
2. Try turning PFS OFF (unselect it). I have never needed to use this. If you do wish to maintain it, use DH Group 2.
3. Check in Advanced settings that MAIN mode is used (not Aggressive).
4. In Advanced settings, try toggling NAT Traversal On and Off.
 

Author Comment

by:Ray Anthony Valencia
ID: 41785985
Sir John,

Many thanks for your advice, it works...

Thank you so much...
 

Author Comment

by:Ray Anthony Valencia
ID: 41788934
Sir John,

My VPN connection is already running; I can ping the gateway of every SITE,

but I cannot access our server in SITE B.
 
LVL 90

Expert Comment

by:John Hurst
ID: 41788935
Is the server included in the IP Range of the VPN connection?

Did you try NAT Traversal on and off (both ends)?

What do you see for traffic in the logs?

Can you map a server drive by IP Address? DNS problem if you can.
 

Author Comment

by:Ray Anthony Valencia
ID: 41795275
Hi Sir John,

Sorry for the long response.

Already tried NAT Traversal On / Off at both ends, but still I can't locate our server, nor can I ping the IP.

I can only ping the gateway of the other side but cannot open any shared folder in the network.
 
LVL 90

Assisted Solution

by: John Hurst (earned 500 total points, awarded by participants)
ID: 41795281
Look at these settings (need to adjust for each end)

Description
Tunnel Number 5
Interface on Router WAN 1
Enabled

Local Gateway Type: IP Only
(External) IP address
Local Security Group type: Subnet
192.168.000.0
255.255.255.0

Remote Gateway Type: Dyn IP + Email  (or what you need)
Remote IP address or email address  (these two are likely IP for you)
Remote Security Group type: Subnet
192.168.222.0
255.255.255.0

Keying Mode: IKE Pre-share
Phase 1
Group 2
3DES
SHA1
28800 Sec.
PFS OFF

Phase 2
Group 2
3DES
SHA1
3600 Sec.
Pre-shared key

Advanced
Main Mode (for site to site)
Compress OFF
Keep Alive ON Default
AH Hash (MD5) I have OFF
NetBIOS OFF
Nat Traversal ON or OFF whichever works

Author Comment

by:Ray Anthony Valencia
ID: 41869449
Hi Sir John,

Sorry for the late response to your reply. About the settings you gave: the first time I set them on the Cisco RV320, it worked fine for a couple of days until some errors occurred. See log details below,

2016-11-02, 09:36:30      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-11-02, 09:08:54      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-11-02, 09:04:08      VPN Log      packet from 216.218.206.106:59955: [Tunnel Authorize Fail] no connection has been authorized
2016-11-02, 08:26:16      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-11-01, 09:59:31      VPN Log      packet from 216.218.206.114:43940: [Tunnel Authorize Fail] no connection has been authorized
2016-10-31, 09:32:37      VPN Log      packet from 216.218.206.114:13581: [Tunnel Authorize Fail] no connection has been authorized
2016-10-31, 06:33:46      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-10-30, 08:53:38      VPN Log      packet from 216.218.206.122:57900: [Tunnel Authorize Fail] no connection has been authorized
2016-10-29, 15:36:55      VPN Log      packet from 163.172.129.15:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-10-29, 14:32:45      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-10-29, 13:36:24      VPN Log      iptables -t nat -D vpn_postrouting -o eth0 -s 192.168.5.0/24 -d 192.168.0.0/24 -j ACCEPT
2016-10-29, 13:36:24      VPN Log      iptables -t nat -D vpn_postrouting -s 192.168.0.0/24 -d 192.168.5.0/24 -j ACCEPT
2016-10-29, 13:36:24      VPN Log      iptables -t nat -D vpn -s 192.168.5.0/24 -d 192.168.0.0/24 -j ACCEPT
2016-10-29, 13:36:24      VPN Log      iptables -t nat -D vpn -s 192.168.0.0/24 -d 192.168.5.0/24 -j ACCEPT
2016-10-29, 13:36:24      VPN Log      ip route del 192.168.5.0/24 via 121.58.212.129 dev eth1 metric 35
2016-10-29, 13:36:24      VPN Log      [g2gips0]: cmd=down-client peer=210.4.107.98 peer_client=192.168.5.0/24 peer_client_net=192.168.5.0 peer_client_mask=255.255.255.0
2016-10-29, 13:09:43      VPN Log      [g2gips0] #830: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xca43badb) not found (maybe expired)
2016-10-29, 13:09:43      VPN Log      [g2gips0] #833: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xcf6b7a0b < 0xc188a0c5}
2016-10-29, 12:10:58      VPN Log      [g2gips0] #830: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc8735928) not found (maybe expired)
2016-10-29, 12:10:58      VPN Log      [g2gips0] #832: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xca43badb < 0xca08e424}
2016-10-29, 11:12:06      VPN Log      [g2gips0] #830: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc4745ff8) not found (maybe expired)

Hoping that you can help me again about this problem.

Thank you
 
LVL 90

Expert Comment

by:John Hurst
ID: 41869451
It appears to be Phase 1 or possibly NAT Traversal errors.
 

Author Comment

by:Ray Anthony Valencia
ID: 41869453
What should I do, sir, to resolve the problem?
 
LVL 90

Expert Comment

by:John Hurst
ID: 41869455
Double check the Phase settings (match to each other and at both ends). Try NAT Traversal both ways.
 

Author Comment

by:Ray Anthony Valencia
ID: 41869495
Sir, I already redid the setup but still cannot connect my 2 Cisco RV320s. Is there any other way to fix the problem?
 

Author Comment

by:Ray Anthony Valencia
ID: 41869497
Sir, can I ask what is the meaning of the log details below?

2016-11-02, 10:45:33      Kernel      last message repeated 3 times
2016-11-02, 10:44:13      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:43:33      Kernel      last message repeated 2 times
2016-11-02, 10:43:03      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:42:42      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-11-02, 10:42:14      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:41:34      Kernel      last message repeated 3 times
2016-11-02, 10:40:13      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:39:33      Kernel      last message repeated 3 times
2016-11-02, 10:38:13      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:37:33      Kernel      last message repeated 3 times
2016-11-02, 10:36:13      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:35:33      Kernel      last message repeated 3 times
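The RV320 log lines quoted in this thread share one shape (date, time, facility, message), and the "packet from X" entries may come from the configured peer or from unrelated hosts. As an added example, not from the thread or from Cisco, this Python triage script parses that format and splits the Tunnel Authorize Fail sources into "from the configured peer" and "from others"; the sample log is constructed from the lines above, and the peer address 210.4.107.98 is the one named in the cmd=down-client line.

```python
import re
from collections import Counter

# Constructed sample in the RV320 "VPN Log" format quoted in the thread (not the poster's full log).
SAMPLE_LOG = """\
2016-11-02, 10:45:33      Kernel      last message repeated 3 times
2016-11-02, 10:44:13      VPN Log      packet from 121.58.199.94:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
2016-11-02, 10:42:42      VPN Log      [g2gips0]: [Tunnel Disconnected]
2016-11-02, 09:04:08      VPN Log      packet from 216.218.206.106:59955: [Tunnel Authorize Fail] no connection has been authorized
2016-10-29, 13:36:24      VPN Log      [g2gips0]: cmd=down-client peer=210.4.107.98 peer_client=192.168.5.0/24 peer_client_net=192.168.5.0 peer_client_mask=255.255.255.0
2016-10-29, 13:09:43      VPN Log      [g2gips0] #833: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xcf6b7a0b < 0xc188a0c5}
"""

LINE_RE = re.compile(r"^(?P<date>\S+), (?P<time>\S+)\s+(?P<facility>VPN Log|Kernel)\s+(?P<msg>.*)$")
PACKET_RE = re.compile(r"^packet from (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+): ")
PEER_RE = re.compile(r"\bpeer=(?P<ip>\d+(?:\.\d+){3})")
EVENT_RE = re.compile(r"\[(Tunnel [A-Za-z ]+)\]")

def parse_line(line):
    """Split one log line into date, time, facility and message, plus event tag and source/peer IPs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    event = EVENT_RE.search(rec["msg"])
    rec["event"] = event.group(1) if event else None
    pkt = PACKET_RE.match(rec["msg"])
    rec["src_ip"] = pkt.group("ip") if pkt else None
    peer = PEER_RE.search(rec["msg"])
    rec["peer_ip"] = peer.group("ip") if peer else None
    return rec

def triage(log_text, configured_peer):
    """Count tunnel events and split 'packet from X' sources into the configured peer vs everyone else.

    'no connection has been authorized' from an address that is not the peer is the router declining
    IKE from a host it has no tunnel for; the same message from the configured peer points at a
    policy mismatch (PSK vs certificate, Phase 1 proposal) between the two ends."""
    summary = {"events": Counter(), "from_peer": Counter(), "from_others": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"]:
            summary["events"][rec["event"]] += 1
        if rec["src_ip"]:
            bucket = "from_peer" if rec["src_ip"] == configured_peer else "from_others"
            summary[bucket][rec["src_ip"]] += 1
    return summary
```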
 
LVL 90

Expert Comment

by:John Hurst
ID: 41869502
Here is a working site-to-site setup on a Cisco RV325 (same box as yours)

Name
1
WAN 1


Local Gateway type IP Only
Local IP Address  x.y.z.t
Local IP Security Group Subnet
192.168.100.0
255.255.255.0

Remote Gateway type IP Only
Remote IP Address x.m.n.p
Remote IP Security Group Subnet
192.168.1.0
255.255.255.0

IKE Pre-share
Group 2
3DES
SHA1
28800 Sec.
PFS no
Group 2
3DES
SHA1
3600 Sec.

Aggressive no (site to site = Main)
Keep Alive yes or no
NAT Traversal yes or no
Dead Peer Detect Yes 10 seconds


Mirror this at the other end.
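The two settings lists John posted, the instruction to mirror them at the other end, and his earlier question (is the server inside the VPN's IP range?) reduce to checks that can be automated. As an added example, not from the thread or from Cisco, this Python snippet compares two tunnel definitions for those rules (security groups mirrored and non-overlapping, keying mode, Main/Aggressive mode, PFS, NAT Traversal and both phase proposals identical) and tests whether a host falls inside the Remote Security Group; the SITE_A and SITE_B dictionaries are constructed, with one deliberate Phase 1 lifetime mismatch.

```python
import ipaddress

# Constructed configurations in the shape of the RV320/RV325 tunnel settings listed in this thread;
# SITE_B carries one deliberate mismatch (Phase 1 lifetime) so the check has something to report.
SITE_A = {
    "local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.3.0/24",
    "keying_mode": "IKE Pre-share", "mode": "Main", "pfs": False, "nat_traversal": False,
    "phase1": {"dh_group": 2, "encryption": "3DES", "authentication": "SHA1", "lifetime_sec": 28800},
    "phase2": {"dh_group": 2, "encryption": "3DES", "authentication": "SHA1", "lifetime_sec": 3600},
}
SITE_B = {
    "local_subnet": "192.168.3.0/24", "remote_subnet": "192.168.1.0/24",
    "keying_mode": "IKE Pre-share", "mode": "Main", "pfs": False, "nat_traversal": False,
    "phase1": {"dh_group": 2, "encryption": "3DES", "authentication": "SHA1", "lifetime_sec": 86400},
    "phase2": {"dh_group": 2, "encryption": "3DES", "authentication": "SHA1", "lifetime_sec": 3600},
}
SHARED_KEYS = ("keying_mode", "mode", "pfs", "nat_traversal")

def check_pair(a, b, names=("Site A", "Site B")):
    """Return a list of mismatches between two gateway-to-gateway tunnel definitions."""
    problems = []
    na, nb = names
    # Security groups must mirror: A's local subnet is B's remote subnet and vice versa.
    if a["local_subnet"] != b["remote_subnet"]:
        problems.append(f"{na} local {a['local_subnet']} != {nb} remote {b['remote_subnet']}")
    if b["local_subnet"] != a["remote_subnet"]:
        problems.append(f"{nb} local {b['local_subnet']} != {na} remote {a['remote_subnet']}")
    # Overlapping LANs cannot be routed through the tunnel.
    if ipaddress.ip_network(a["local_subnet"]).overlaps(ipaddress.ip_network(a["remote_subnet"])):
        problems.append(f"{na} local and remote subnets overlap")
    # Keying mode, Main/Aggressive, PFS and NAT Traversal must agree at both ends.
    for key in SHARED_KEYS:
        if a[key] != b[key]:
            problems.append(f"{key}: {na}={a[key]!r} {nb}={b[key]!r}")
    # Phase 1 and Phase 2 proposals (DH group, cipher, hash, lifetime) must match exactly.
    for phase in ("phase1", "phase2"):
        for key, va in a[phase].items():
            vb = b[phase].get(key)
            if va != vb:
                problems.append(f"{phase} {key}: {na}={va!r} {nb}={vb!r}")
    return problems

def host_in_remote_group(cfg, host):
    """True if a host behind the far end falls inside this end's Remote Security Group."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(cfg["remote_subnet"])
```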
 

Author Comment

by:Ray Anthony Valencia
ID: 41869550
Sir John,

Should I restart the Cisco VPN router? I already set up the settings you gave but still it doesn't work.
 
LVL 90

Expert Comment

by:John Hurst
ID: 41869939
Yes you should restart the router. If you have the configuration well documented, you can reset the router to factory settings and set it up again.

Another thing to check is firmware. The firmware for that router is RV32X_v1.3.1.12_20160427-code on the Cisco site.
 

Author Comment

by:Ray Anthony Valencia
ID: 41871649
The firmware for the two RV320s is already updated to its latest version.