ShrewSoft VPN Client and Cisco RV042G

I have a Cisco RV042G that I configured Group VPN through with the following settings per my screenshot and under Advanced, also have Keep-Alive, NetBIOS Broadcast, and NAT Traversal all checked.
Cisco RV042G Screenshot
In ShrewSoft's VPN client, I have everything matching and I've triple-verified as well as followed multiple online links. For some reason when I connect, I get the tunnel enabled but can't do anything on the Remote LAN. All I get is failed security associations and I have no idea why.

Anybody have any recommendations?
Joe Lowe asked:
Joe Lowe (Author) commented:
Update - I reached out to NCP support and verified all settings were correct, but I had failed to adjust the Policy Lifetime settings from the default. I would never have thought that would halt a successful connection. Since I got that working, I figured I'd revisit Shrew Soft since it's free. After reviewing my settings again, I toggled the PFS Exchange setting under phase to Group 2, which was called something completely different on the router. After changing that from Disabled to Group 2, I had a successful connection. So my problem has officially been solved! Thanks all!
0
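The resolution above is a Phase 2 proposal mismatch: the client negotiated Phase 1 (so the tunnel showed as "connected") but no IPsec SA could form because the client had PFS disabled while the router required DH Group 2. The following checker, added here as an illustration rather than code from ShrewSoft, NCP or this thread, compares a client's Phase 1 / Phase 2 proposals against the gateway's and reports which phase fails; all field names and sample values are assumptions modelled on the settings discussed in the thread.

```python
# Added example (not ShrewSoft/NCP code): compare client vs gateway IKE proposals
# and report the first phase that cannot negotiate. Field names and sample
# values are assumptions modelled on this thread, not read from any config file.
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass(frozen=True)
class Phase1:
    exchange_mode: str        # "aggressive" or "main"
    encryption: str
    hash_alg: str
    dh_group: int
    lifetime_s: int

@dataclass(frozen=True)
class Phase2:
    encryption: str
    hash_alg: str
    pfs_group: Optional[int]  # None means PFS disabled
    lifetime_s: int

def _diff(name, client, gateway):
    # Report every field where the client and gateway disagree, including
    # lifetime: some gateways refuse the SA rather than negotiate it down.
    return [f"{name}.{k}: client={getattr(client, k)!r} gateway={getattr(gateway, k)!r}"
            for k in asdict(client) if getattr(client, k) != getattr(gateway, k)]

def check(client_p1, gateway_p1, client_p2, gateway_p2):
    """Return (failing_phase, mismatches); failing_phase is None when all match."""
    # Phase 1 must agree before Phase 2 is attempted, so it is checked first.
    p1 = _diff("P1", client_p1, gateway_p1)
    if p1:
        return "P1", p1
    p2 = _diff("P2", client_p2, gateway_p2)
    if p2:
        return "P2", p2
    return None, []

# Constructed sample mirroring the thread: the gateway requires PFS Group 2,
# the client has PFS disabled, so P1 succeeds but no P2 (IPsec) SA forms.
GW_P1 = Phase1("aggressive", "3des", "sha1", 2, 28800)
GW_P2 = Phase2("3des", "sha1", 2, 3600)
CLIENT_P2_BROKEN = Phase2("3des", "sha1", None, 3600)
CLIENT_P2_FIXED = Phase2("3des", "sha1", 2, 3600)

if __name__ == "__main__":
    for label, p2 in (("broken", CLIENT_P2_BROKEN), ("fixed", CLIENT_P2_FIXED)):
        phase, problems = check(GW_P1, GW_P1, p2, GW_P2)
        print(label, "->", "OK" if phase is None else f"{phase} fails: {problems}")
```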
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Do you have any clue whether P1 or P2 is failing?
Have you used the trace utility with a reasonable trace level to get hints?
0
 
John (Business Consultant, Owner) commented:
Turn PFS OFF. It should be OFF with DH Group 2. Make sure under advanced settings that Mode is set to Aggressive and not Main. Try these two settings.
0
 
Joe Lowe (Author) commented:
When I use the VPN Trace utility, I don't see any P1 or P2 failures. I'd see them under the Security Associations tab right?
Also, I do have PFS off and Aggressive Mode is set by default with the Group VPN setting.
0
 
Joe Lowe (Author) commented:
The link I am currently working off of is this one:
https://www.shrew.net/support/Howto_Linksys
0
 
John (Business Consultant, Owner) commented:
Also try setting NAT Traversal each way to see if one way works.
0
 
Joe Lowe (Author) commented:
Looks like toggling NAT Traversal didn't help. Still no luck. Just Failed Security Associations and no network access. It says I'm connected but that's it. The router doesn't show I'm connected so I'm not sure how that is either.
0
 
John (Business Consultant, Owner) commented:
Thanks for the update. Our work with Shrew Soft and our VPN routers (Cisco like yours and Juniper) has not met expectations from our clients.

Accordingly we now use NCP Secure Entry for all clients for all VPN access. Bomb proof and worth the money. Clients want stuff that works and "free" does not cut it if expectations are not met.

NCP is at www.ncp-e.com
0
 
Joe Lowe (Author) commented:
I agree with you there.

I'm interested in trying NCP. I have downloaded it but am getting an IKE(phase2) - Waiting for Msg 2. I thought I had adjusted the correct setting but still getting the error. Which setting do I need to adjust for that?
0
 
John (Business Consultant, Owner) commented:
Here is a complete set of working settings for NCP. Note that you have to use the Policy Editor in NCP to set the Phase 1 and 2 settings. According to your message above, this is where the error might lie (not setting up the policies).


Basic Settings:
--------------
Profile Name
Check VPN Connection to IPSec Gateway
Connection Medium <- Automatic

Line Management:
----------------
Connection Mode <- Manual
Inactivity Timeout <- 6000
Voip <- uncheck
ISDN section <- N/A
Pre-Authentication <- both unchecked

IPSec General Settings:
-----------------------
Gateway (Tunnel Endpoint) <- Remote site External IP (216.xxx.xxx.xxx)
IKE Policy <- PSK-DES-SHA-DH2  (Phase 1 set in the Policy Editor and must match your Netscreen)
IPSec Policy <- ESP-DES-SHA (Phase 2 set in Policy Editor and must match your Netscreen)
Exch Mode <- Aggressive
PFS Group <- None

Advanced IPSec:
---------------
IPSec Compression <- unchecked
Disable Dead Peer Detection <- unchecked
Standard IPSec <- Checked
UDP Encapsulation <- unchecked
VPN Path Finder <- unchecked

Identities:
-----------
Type <- Fully Qualified Username (what I use)
ID <- me@domain.com (I use email address for FQ username; it does not have to be real)
Pre-Shared Key <- Fill in twice (as demanded by Phase 1 setting)
Certificate <- None (I do not use these)
XAUTH <- Unchecked (my setup)

IPSec Address Assignment:
-------------------------
Assign Private IP Address <- Local IP Address (0.0.0.0)
DNS / WINS Server <- Uncheck (in my setup)

Split Tunneling:
----------------
Remote Network IP (192.168.111.0) Remote Network Mask (255.255.255.0) <- This is the remote end addressing

Certificate Check:
------------------
Not used

Link Firewall:
--------------
Not Used
0
 
Joe Lowe (Author) commented:
Okay, so I have followed your settings, excluding the Policy ones, which I matched per the router, but for some reason I still get the same error. This is very strange to me.
0
 
John (Business Consultant, Owner) commented:
Here are the policy settings. You need to set these. If you have, and are on different subnets, and still have issues, you can contact NCP Support. They are very good at getting people connected and they helped me.

NCP-Policies
0
 
Joe Lowe (Author) commented:
Looks like I may have to reach out to their support. Another question for you: on the IPsec Address Assignment tab, I have matched what you put for the local IP address and am leaving the DNS/WINS box unchecked. I wanted to ask, though, if the subnet I'm on (before connecting to the VPN) is different from the Remote LAN, will that cause any problems? Same goes for DNS: will having it unchecked cause any issues?
0
 
John (Business Consultant, Owner) commented:
For the clients I have and my own use, I have found it simpler to use the HOSTS file.
0
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Keeping DNS and WINS unchecked means there is no name resolution for the remote network, and you'll either have to use a HOSTS file, as John mentioned, or IP addresses, which is usually cumbersome if you have more than one machine to reach.

Checking DNS and/or WINS will redirect all DNS/WINS queries to the VPN gateway. If the VPN client machine does not need to have its own DNS, that is, there is no real network with resources you need to access while on the VPN, this works well. But remember that *all* DNS queries will then have to pass through the VPN, adding some delay.
0
 
Joe Lowe (Author) commented:
Thanks, that makes a lot of sense. I'll wait to hear from Support and update you guys on the findings.
0
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Seems you chose the wrong comment as the answer - I know I provided some info, but it was not related to the issue at hand. If you like, I (being a Topic Advisor) will re-open the question to allow you to accept different comments.
0
 
Joe Lowe (Author) commented:
Sure.
0
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Recommended close:
  #a42394729    since that led to using NCP for troubleshooting, even if not keeping NCP
  #a42397234    as solution
0
 
Joe Lowe (Author) commented:
This worked great for me.
0