ShrewSoft VPN Client and Cisco RV042G

Joe Lowe asked:

I have a Cisco RV042G on which I configured Group VPN with the following settings (see my screenshot); under Advanced, I also have Keep-Alive, NetBIOS Broadcast, and NAT Traversal all checked.
[Screenshot: RV042G Group VPN settings]
In ShrewSoft's VPN client, I have everything matching; I've triple-verified it and followed multiple online guides. For some reason, when I connect, the tunnel comes up but I can't do anything on the remote LAN. All I get is failed security associations, and I have no idea why.

Anybody have any recommendations?
Qlemo replied:

Do you have any clue whether P1 or P2 is failing?
Have you used the trace utility with a reasonable trace level to get hints?
Turn PFS OFF. It should be OFF with DH Group 2. Make sure under Advanced settings that Mode is set to Aggressive and not Main. Try these two settings.
Joe Lowe replied:

When I use the VPN Trace utility, I don't see any P1 or P2 failures. I'd see them under the Security Associations tab, right?
Also, I do have PFS off and Aggressive Mode is set by default with the Group VPN setting.
The link I am currently working off of is this one:
Also try setting NAT Traversal each way to see if one way works
Looks like toggling NAT Traversal didn't help. Still no luck: just failed security associations and no network access. It says I'm connected, but that's it. The router doesn't show I'm connected, so I'm not sure how that is either.
John replied:
[solution text visible to members only]
I agree with you there.

I'm interested in trying NCP. I have downloaded it but am getting "IKE (phase2) - Waiting for Msg 2". I thought I had adjusted the correct setting, but I am still getting the error. Which setting do I need to adjust for that?
Here is a complete set of working settings for NCP. Note that you have to use the Policy Editor in NCP to set the Phase 1 and 2 settings. According to your message above, this is where the error might lie (not setting up the policies).

Basic Settings:
Profile Name
Check VPN Connection to IPSec Gateway
Connection Medium <- Automatic

Line Management:
Connection Mode <- Manual
Inactivity Timeout <- 6000
VoIP <- unchecked
ISDN section <- N/A
Pre-Authentication <- both unchecked

IPSec General Settings:
Gateway (Tunnel Endpoint) <- Remote site External IP (
IKE Policy <- PSK-DES-SHA-DH2  (Phase 1 set in the Policy Editor and must match your Netscreen)
IPSec Policy <- ESP-DES-SHA (Phase 2 set in Policy Editor and must match your Netscreen)
Exch Mode <- Aggressive
PFS Group <- None

Advanced IPSec:
IPSec Compression <- unchecked
Disable Dead Peer Detection <- unchecked
Standard IPSec <- Checked
UDP Encapsulation <- unchecked
VPN Path Finder <- unchecked

Type <- Fully Qualified Username (what I use)
ID <- (I use email address for FQ username; it does not have to be real)
Pre-Shared Key <- Fill in twice (as demanded by Phase 1 setting)
Certificate <- None (I do not use these)
XAUTH <- Unchecked (my setup)

IPSec Address Assignment:
Assign Private IP Address <- Local IP Address (
DNS / WINS Server <- Uncheck (in my setup)

Split Tunneling:
Remote Network IP ( Remote Network Mask ( <- This is the remote end addressing

Certificate Check:
Not used

Link Firewall:
Not Used
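The settings above split into a Phase 1 (IKE SA) set and a Phase 2 (IPsec SA) set, and the two failure modes in this thread map onto that split: a Phase 1 mismatch leaves the client stuck at "Waiting for Msg 2", while a Phase 2 mismatch lets the tunnel report "connected" but every SA fails. The checker below is an added example, not part of the thread or of any NCP or ShrewSoft tooling; the gateway profile mirrors the PSK/DES/SHA/DH2/aggressive/PFS-off values named above, the client profiles and all names are hypothetical, and the weak-setting notes are the caveats a reviewer would add to that algorithm choice (single DES, 1024-bit DH group 2, and aggressive mode with PSK, which exposes the identity hash to offline PSK cracking).

```python
"""Compare an IKEv1 client profile against a gateway's Group VPN settings.

Added example; the gateway values are taken from the thread, the client
profiles are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Phase 1 (IKE SA) attributes: if any differ, the gateway never answers the
# client's first aggressive-mode message ("Waiting for Msg 2").
PHASE1_KEYS = ("auth", "encryption", "hash", "dh_group", "exchange_mode")
# Phase 2 (IPsec SA) attributes: a mismatch shows up as failed SAs after the
# client already reports the tunnel as connected.
PHASE2_KEYS = ("esp_encryption", "esp_auth", "pfs_group")

# Settings that negotiate fine but are weak; keyed by attribute then value.
WEAK = {
    "encryption": {"des": "single DES is 56-bit; use AES"},
    "esp_encryption": {"des": "single DES is 56-bit; use AES"},
    "hash": {"md5": "MD5 should not be used as the IKE PRF/integrity algorithm"},
    "dh_group": {2: "DH group 2 is 1024-bit MODP; use group 14 or higher"},
}


@dataclass
class IkeProfile:
    name: str
    auth: str            # "psk" or "cert"
    encryption: str      # Phase 1 cipher
    hash: str            # Phase 1 hash
    dh_group: int        # Phase 1 DH group
    exchange_mode: str   # "main" or "aggressive"
    esp_encryption: str  # Phase 2 ESP cipher
    esp_auth: str        # Phase 2 ESP integrity
    pfs_group: Optional[int]  # None means PFS off


def compare(client: IkeProfile, gateway: IkeProfile) -> dict:
    """Return mismatching attributes per phase plus weak-setting notes."""
    p1 = [k for k in PHASE1_KEYS if getattr(client, k) != getattr(gateway, k)]
    p2 = [k for k in PHASE2_KEYS if getattr(client, k) != getattr(gateway, k)]
    notes = []
    for attr, table in WEAK.items():
        value = getattr(gateway, attr)
        if value in table:
            notes.append(f"{attr}={value}: {table[value]}")
    if gateway.exchange_mode == "aggressive" and gateway.auth == "psk":
        notes.append("aggressive mode with PSK sends the identity hash in the clear; "
                     "the PSK can be brute-forced offline from a packet capture")
    return {"phase1_mismatch": p1, "phase2_mismatch": p2, "weak": notes}


def diagnose(client: IkeProfile, gateway: IkeProfile) -> str:
    """Map the comparison onto the symptom the user will see."""
    result = compare(client, gateway)
    if result["phase1_mismatch"]:
        return "phase1"   # stuck at "Waiting for Msg 2"
    if result["phase2_mismatch"]:
        return "phase2"   # "connected" but failed security associations
    return "ok"


# Constructed profiles: gateway as described in the thread, clients hypothetical.
GATEWAY = IkeProfile("rv042g", "psk", "des", "sha1", 2, "aggressive", "des", "sha1", None)
CLIENT_OK = IkeProfile("ncp-ok", "psk", "des", "sha1", 2, "aggressive", "des", "sha1", None)
CLIENT_PFS_ON = IkeProfile("ncp-pfs", "psk", "des", "sha1", 2, "aggressive", "des", "sha1", 2)
CLIENT_MAIN_MODE = IkeProfile("ncp-main", "psk", "des", "sha1", 2, "main", "des", "sha1", None)

if __name__ == "__main__":
    for client in (CLIENT_OK, CLIENT_PFS_ON, CLIENT_MAIN_MODE):
        print(client.name, diagnose(client, GATEWAY), compare(client, GATEWAY))
```

Running it reports CLIENT_PFS_ON as a Phase 2 problem (PFS on one side only) and CLIENT_MAIN_MODE as a Phase 1 problem, which is the distinction Qlemo asked about early in the thread; the weak-setting notes are printed for every case because they belong to the gateway policy, not to the mismatch.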
Okay, so I have followed your settings, except for the Policy ones, which I matched per the router, but for some reason I still get the same error. This is very strange to me.
Here are the policy settings. You need to set these. If you have, and are on different subnets, and still have issues, you can contact NCP Support. They are very good at getting people connected, and they helped me.

[Screenshot: NCP Policy Editor Phase 1 and Phase 2 settings]
Looks like I may have to reach out to their support. Another question for you: on the IPsec Address Assignment tab, I have matched what you put for the local IP address and am leaving the DNS/WINS box unchecked. I wanted to ask, though: if the subnet I'm on (before connecting to the VPN) is different from the remote LAN, will that cause any problems? Same goes for DNS: will having it unchecked cause any issues?
For the clients I have and my own use, I have found it simpler to use the HOSTS file.
Keeping DNS and WINS unchecked means there is no name resolution for the remote network, and you'll either have to use a HOSTS file, as John mentioned, or IP addresses, which is usually cumbersome if you have more than one machine to reach.

Checking DNS and/or WINS will redirect all DNS/WINS queries to the VPN gateway. If the VPN client machine does not need its own DNS, that is, there is no local network with resources you need to access while on the VPN, this works well. But remember that *all* DNS queries will then have to pass through the VPN, adding some delay.
Thanks, that makes a lot of sense. I'll await to hear from Support and update you guys on the finding.
Seems you chose the wrong comment as the answer. I know I provided some info, but it was not related to the issue at hand. If you like, I (being a Topic Advisor) will re-open the question to allow you to accept different comments.
Recommended close:
  #a42394729    since that led to using NCP for troubleshooting, even if not keeping NCP
  #a42397234    as solution
This worked great for me.