ShrewSoft VPN Client and Cisco RV042G

Joe Lowe
I have a Cisco RV042G that I configured Group VPN through with the following settings per my screenshot and under Advanced, also have Keep-Alive, NetBIOS Broadcast, and NAT Traversal all checked.
Cisco RV042G Screenshot
In ShrewSoft's VPN client, I have everything matching and I've triple-verified as well as followed multiple online links. For some reason when I connect, I get the tunnel enabled but can't do anything on the Remote LAN. All I get is failed security associations and I have no idea why.

Anybody have any recommendations?
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Do you have any clue whether P1 or P2 is failing?
Have you used the trace utility with a reasonable trace level to get hints?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Turn PFS OFF. It should be OFF with DH Group 2. Make sure under advanced settings that Mode is set to Aggressive and not Main. Try these two settings.

Author

Commented:
When I use the VPN Trace utility, I don't see any P1 or P2 failures. I'd see them under the Security Associations tab right?
Also, I do have PFS off and Aggressive Mode is set by default with the Group VPN setting.

Author

Commented:
The link I am currently working off of is this one:
https://www.shrew.net/support/Howto_Linksys
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Also try setting NAT Traversal each way to see if one way works

Author

Commented:
Looks like toggling NAT Traversal didn't help. Still no luck. Just Failed Security Associations and no network access. It says I'm connected but that's it. The router doesn't show I'm connected so I'm not sure how that is either.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
Thanks for the update. Our work with Shrew Soft and our VPN routers (Cisco like yours, and Juniper) has not met our clients' expectations.

Accordingly, we now use NCP Secure Entry for all clients for all VPN access. Bomb proof and worth the money. Clients want stuff that works, and "free" does not cut it if expectations are not met.

NCP is at www.ncp-e.com

Author

Commented:
I agree with you there.

I'm interested in trying NCP. I have downloaded it but am getting an IKE(phase2) - Waiting for Msg 2. I thought I had adjusted the correct setting but still getting the error. Which setting do I need to adjust for that?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Here is a complete set of working settings for NCP. Note that you have to use the Policy Editor in NCP to set the Phase 1 and 2 settings. According to your message above, this is where the error might lie (not setting up the policies).


Basic Settings:
--------------
Profile Name
Check VPN Connection to IPSec Gateway
Connection Medium <- Automatic

Line Management:
----------------
Connection Mode <- Manual
Inactivity Timeout <- 6000
Voip <- uncheck
ISDN section <- N/A
Pre-Authentication <- both unchecked

IPSec General Settings:
-----------------------
Gateway (Tunnel Endpoint) <- Remote site External IP (216.xxx.xxx.xxx)
IKE Policy <- PSK-DES-SHA-DH2  (Phase 1 set in the Policy Editor and must match your Netscreen)
IPSec Policy <- ESP-DES-SHA (Phase 2 set in Policy Editor and must match your Netscreen)
Exch Mode <- Aggressive
PFS Group <- None

Advanced IPSec:
---------------
IPSec Compression <- unchecked
Disable Dead Peer Detection <- unchecked
Standard IPSec <- Checked
UDP Encapsulation <- unchecked
VPN Path Finder <- unchecked

Identities:
-----------
Type <- Fully Qualified Username (what I use)
ID <- me@domain.com (I use email address for FQ username; it does not have to be real)
Pre-Shared Key <- Fill in twice (as demanded by Phase 1 setting)
Certificate <- None (I do not use these)
XAUTH <- Unchecked (my setup)

IPSec Address Assignment:
-------------------------
Assign Private IP Address <- Local IP Address (0.0.0.0)
DNS / WINS Server <- Uncheck (in my setup)

Split Tunneling:
----------------
Remote Network IP (192.168.111.0) Remote Network Mask (255.255.255.0) <- This is the remote end addressing

Certificate Check:
------------------
Not used

Link Firewall:
--------------
Not Used

Author

Commented:
Okay so I have followed your settings excluding the Policy ones I matched per the router, but for some reason still get the same error? This is very strange to me.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Here are the policy settings. You need to set these. If you have, and are on different subnets, and still have issues, you can contact NCP Support. They are very good at getting people connected, and they helped me.

NCP-Policies

Author

Commented:
Looks like I may have to reach out to their support. Another question for you, on the IPsec Address Assignment tab, I have matched what you put on the local IP address and leaving the DNS/WINS box unchecked. I wanted to ask though if the subnet I'm on (before connecting to VPN), is different than the Remote LAN, will that cause any problems? Same goes for DNS, will having it unchecked cause any issues?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
For the clients I have and my own use, I have found it simpler to use the HOSTS file.
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Keeping DNS and WINS unchecked means there is no name resolution for the remote network, and you'll either have to use a HOSTS file, as John mentioned, or IP addresses, which is usually cumbersome if you have more than one machine to reach.

Checking DNS and/or WINS will redirect all DNS/WINS queries to the VPN gateway. If the VPN client machine does not need its own DNS, that is, there is no local network with resources you need to access while on VPN, this works well. But remember that *all* DNS queries will then have to pass through the VPN, adding some delay.

Author

Commented:
Thanks, that makes a lot of sense. I'll wait to hear from Support and update you guys on the findings.
Commented:
Update - I reached out to NCP support and verified all settings were correct, but I had failed to adjust the Policy Lifetime settings from the default. I would have never thought that would have halted a successful connection. Since I got that working, I figured I'd revisit Shrew Soft since it's free. After reviewing my settings again, I toggled the PFS Exchange setting under phase to Group 2, which was called something completely different on the router. After changing that from Disabled to Group 2, I had a successful connection. So my problem has officially been solved! Thanks all!
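As an added illustration (not part of this thread or of either vendor's software), a small Python model of how an IKEv1 responder selects a client proposal: Phase 1 must agree first, and a Phase 2 mismatch such as PFS "Disabled" vs "Group 2" then leaves the client reporting "connected" while no usable security association exists. The gateway values are constructed, and treating lifetimes as must-match is a simplification of real negotiation.

```python
# Added example (constructed values): toy IKEv1 proposal matching that shows
# whether Phase 1 or Phase 2 fails, and on which parameters.

PHASE1_FIELDS = ("exchange", "auth", "encryption", "hash", "dh_group", "lifetime")
PHASE2_FIELDS = ("protocol", "encryption", "hash", "pfs_group", "lifetime")


def select_proposal(offers, gateway, fields):
    """Responder logic: accept the first client offer that matches the gateway
    on every field. Returns (accepted_offer, mismatches_of_closest_offer)."""
    best_diff = None
    for offer in offers:
        diff = {f: (offer.get(f), gateway.get(f)) for f in fields
                if offer.get(f) != gateway.get(f)}
        if not diff:
            return offer, {}
        if best_diff is None or len(diff) < len(best_diff):
            best_diff = diff
    return None, best_diff or {}


def negotiate(client, gateway):
    """Run Phase 1, then Phase 2; report the failing phase and the mismatch."""
    p1, p1_diff = select_proposal(client["phase1"], gateway["phase1"], PHASE1_FIELDS)
    if p1 is None:
        return {"established": False, "failed_phase": 1, "mismatch": p1_diff}
    p2, p2_diff = select_proposal(client["phase2"], gateway["phase2"], PHASE2_FIELDS)
    if p2 is None:
        return {"established": False, "failed_phase": 2, "mismatch": p2_diff}
    return {"established": True, "failed_phase": None, "mismatch": {}}


# Constructed gateway profile modelled on the thread's Group VPN: aggressive
# mode, PSK, DH group 2, PFS group 2. Ciphers and lifetimes are placeholders.
GATEWAY = {
    "phase1": {"exchange": "aggressive", "auth": "psk", "encryption": "3des",
               "hash": "sha1", "dh_group": 2, "lifetime": 28800},
    "phase2": {"protocol": "esp", "encryption": "3des", "hash": "sha1",
               "pfs_group": 2, "lifetime": 3600},
}


def client_with_pfs(pfs_group):
    """Client profile identical to GATEWAY except for the Phase 2 PFS group."""
    return {"phase1": [dict(GATEWAY["phase1"])],
            "phase2": [dict(GATEWAY["phase2"], pfs_group=pfs_group)]}


if __name__ == "__main__":
    print(negotiate(client_with_pfs(None), GATEWAY))  # Phase 1 ok, Phase 2 fails on pfs_group
    print(negotiate(client_with_pfs(2), GATEWAY))     # both phases establish
```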
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Seems you chose a wrong comment as answer - I know I provided some info, but this was not related to the issue at hand. If you like, I (being a Topic Advisor) will re-open the question to allow you to accept different comments.

Author

Commented:
Sure.
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Recommended close:
  #a42394729    since that led to using NCP for troubleshooting, even if not keeping NCP
  #a42397234    as solution

Author

Commented:
This worked great for me.
