Brian Chan (Canada) asked:
Setting up a client-to-site VPN on my Cisco RV340W router

I'm setting up a VPN for the first time and could use some help. I've got a new Cisco RV340W router, and I'd like for clients to be able to connect to the network using the VPN client built-in to Win10 using a pre-shared key.

This is a little more involved than I had anticipated and my attempted connections seem to time out with the following error message:
"The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer."

My setup is as follows: I have my home router connected to the internet and the Cisco is connected from its WAN1 port to a LAN port on my home router (for bench testing purposes). I am attempting VPN connections via my home network. Eventually, the Cisco router will be installed to a different, permanent location on a different ISP connection.

On my Win10 computer
Server address: 192.168.0.45 (the IP address assigned by my home router to the Cisco)
VPN type: L2TP/IPsec with pre-shared key
Preshared key: ****
Type of sign-in info: username and password
Username: ****
Password: ****
Data encryption: require encryption
Authentication: Allow Unencrypted password, Microsoft CHAP Version 2

On the router:
I've created my own IPSec profile called L2TP
keying mode: Auto
ike version: IKEv1
Phase I options
dh group: group2 - 1024 bit
encryption: 3des
authentication: sha1
sa lifetime: 28800
Phase II options
protocol selection: esp
encryption: 3des
authentication: sha1
sa lifetime: 3600
perfect forward secrecy: enabled
dh group: group2 - 1024 bit

L2TP Server
l2tp server: on
mtu: 1400
ip address range: 192.168.25.2 to 192.168.25.200 (unclear what this is for as there's a pool range for the tunnel config)
dns 1&2 ip address: blank
user authentication: admin, guest
ipsec: on
ipsec profile: L2TP (as defined above)
pre-shared key: ****

Client to Site
tunnel name: test
3rd party client
enable: yes
interface: wan 1
ike authentication preshared key: ****
local identifier: Local WAN IP - 192.168.0.45
remote identifier: ip address - (my external ip from my home network) [tbh, I'm not sure what this is, or if this is what I should plug for it]
extended authentication: admin, guest
pool range for client lan: 192.168.20.1 to 192.168.20.100
ipsec profile: L2TP
remote endpoint: dynamic IP
local IP type: any


CompProbSolv (United States of America):

"I have my home router connected to the internet "
This is likely your problem.  VPN packets are hitting the home router but there's nothing telling it to pass them along to the Cisco.

My preferred solutions, in order, are:
1)   Replace the home router with a simple modem, if that's a possibility.  Use the Cisco as your router/firewall.
2)   Put the home router in a "bridged" or "pass-through" mode where it effectively acts as a modem only.  Use the Cisco as your router/firewall.
3)   Enable VPN forwarding in the home router, if it supports it.

Brian Chan (asker):

Ok, I've gotten the home router to IP passthrough to the Cisco, allowing the Cisco to pick up its own external IP address, and I've updated the connection address for my Win10 VPN connection details, but getting the same error message 🙁.

I'm not very familiar with that firewall, but I'd be looking for a log that shows you each step of the process.  You may need to enable detailed logging (until you get this resolved) to see everything.

"On my Win10 computer
Server address: 192.168.0.45 (the IP address assigned by my home router to the Cisco "
I overlooked this.  This is also a problem.  Your home computer needs to point to the WAN address on your Cisco to get to it.  Is that what you changed with ".. I've updated the connection address..."?

Another simple test is to enable Ping responses on the Cisco and see if you can successfully ping it from an external computer.

"allowing the Cisco to pick up its own external IP address "
That implies to me that you have a dynamic (not static) IP address.  While that will work, it will fail when the IP address changes.
Did you confirm that the external IP address for the Cisco is a public one (i.e. not 192.168.x.x, 10.x.x.x, 172.x.x.x)?

"Server address: 192.168.0.45 (the IP address assigned by my home router to the Cisco "
I overlooked this.  This is also a problem.  Your home computer needs to point to the WAN address on your Cisco to get to it.  Is that what you changed with ".. I've updated the connection address..."?
Yes, the IP address at the time had been 192.168.0.45 as assigned by my home router. Now that it's got an external IP address 70.68.**.**, I've updated my connection address on the computer I'm trying to connect with.

I haven't managed to find the ICMP enable on the Cisco switch, but I've run a Wireshark capture during the VPN connection attempt and the external IP address associated with the Cisco WAN seems to respond with packets in ISAKMP protocol.

With respect to the dynamic IP address, this is fine, as it's just my test setup currently. I won't know the static IP at the permanent location until I get there.
Do the VPN server settings seem more-or-less correct to you? To be honest, I don't understand what many of them are and have either selected something arbitrarily or left as default.
I've also enabled debug logging and then initiated a VPN connection attempt. Having never read one of these before, I can't tell which lines are typical or atypical. See attached log - I've sanitized the last 2 parts of the IP addresses and replaced with CLIENT and ROUTER for those devices respectively.

RV340W_syslog_2021-06-02_19-59-42.log.txt
I'm somewhat weak on troubleshooting IPSec VPNs.  I've spent most of my time on OpenVPN, which tends to be much simpler to implement.  There are others on EE who should be able to be more help.

This seems significant to me (read from bottom to top):
2021-06-02T19:58:32-08:00 <info>charon: 14[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN 
2021-06-02T19:58:32-08:00 <info>charon: 14[IKE] received 250000000 lifebytes, configured 0 
2021-06-02T19:58:32-08:00 <info>charon: 14[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ 
2021-06-02T19:58:32-08:00 <info>charon: 14[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ


The first (bottom) line (received proposals) shows what encryption methods were proposed.  The next line (configured proposals) shows what the Cisco allows.  The only one the Cisco allows includes "MODP_1024" in it, but that's not included in any of the proposals.  Can you find any settings in the Cisco where you configure this?  If so, you want one that matches one of the ones proposed, which are set in the client software.  Alternatively, you could reconfigure the client software to add the "MODP_1024".

What subnet is being used on the Windows 10 computer?  If it is the same 192.168.0.x subnet, that will be a problem, though I'd expect different errors than you are getting.  Just be aware of that when you move it.
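An added example (my own, not code from the thread or from Cisco) that automates the comparison CompProbSolv walks through above: it parses the "received proposals" and "configured proposals" lines from the quoted charon log and reports which transform the client's closest offer lacks. The log excerpt is the one quoted in the thread, re-ordered chronologically; the hint that a MODP_* entry in an ESP proposal is strongSwan's PFS DH group (matching the router's Phase II "perfect forward secrecy: enabled, group2" setting) is my reading, not the thread's.

```python
import re

# Constructed excerpt of the charon (strongSwan) debug log quoted in the thread,
# in chronological top-to-bottom order (the thread shows it newest-first).
LOG = """\
2021-06-02T19:58:32-08:00 <info>charon: 14[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
2021-06-02T19:58:32-08:00 <info>charon: 14[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
2021-06-02T19:58:32-08:00 <info>charon: 14[IKE] received 250000000 lifebytes, configured 0
2021-06-02T19:58:32-08:00 <info>charon: 14[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
"""

PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")


def parse_proposals(text):
    """Map 'received'/'configured' to lists of (protocol, frozenset of transforms)."""
    found = {"received": [], "configured": []}
    for line in text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        for prop in m.group(2).split(","):
            proto, _, transforms = prop.strip().partition(":")
            found[m.group(1)].append((proto, frozenset(transforms.split("/"))))
    return found


def diagnose(text):
    """Report whether any received proposal equals a configured one; if not, name
    the transforms the peer's closest offer lacks (missing) or adds (extra)."""
    props = parse_proposals(text)
    best = None  # (distance, missing, extra, configured proposal as a string)
    for proto, cfg in props["configured"]:
        for rproto, rcv in props["received"]:
            if proto != rproto:
                continue
            missing, extra = sorted(cfg - rcv), sorted(rcv - cfg)
            if not missing and not extra:
                return {"match": True, "proposal": proto + ":" + "/".join(sorted(cfg))}
            dist = len(missing) + len(extra)
            if best is None or dist < best[0]:
                best = (dist, missing, extra, proto + ":" + "/".join(sorted(cfg)))
    if best is None:
        return {"match": False, "missing": [], "extra": [], "hint": "no proposals logged"}
    _, missing, extra, cfg_str = best
    # strongSwan puts a DH group into an ESP proposal only when PFS is enabled, so a
    # missing MODP_*/ECP_* transform means the two sides disagree about PFS.
    hint = ("peer offered no PFS DH group; the configured side has PFS enabled"
            if any(t.startswith(("MODP_", "ECP_")) for t in missing) else "")
    return {"match": False, "missing": missing, "extra": extra,
            "configured": cfg_str, "hint": hint}
```

Run against the thread's excerpt it reports the 3DES/SHA1 offer as the closest, missing only MODP_1024, which is the same conclusion as the post above.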
Definitely already configured to be on different subnets! 🙂

As for the proposals vs configured, that definitely sounds promising. Here's the configuration page on the Cisco for the IPSec profile I'm using. [screenshot]
On the other end, I couldn't find a place in the Windows 10 built-in VPN client to specify that modp_1024 or DH group. Any thoughts?
Take a look at this for changing the Windows VPN client:
https://serverfault.com/questions/813256/windows-10-built-in-vpn

Is there a VPN client available specifically for the Cisco?  If so, I'd give it a try.  Even if you don't want to use it, you'll be able to compare logs to confirm my suspicion about the proposals.
