cisco and linksys rv042 vpn issues

Unanswered Question
Dec 13th, 2007

Hi,

Would you please help me on this issue?

I have to configure a site-to-site VPN b/w cisco 3725 and linksys rv042 routers.

Phase 1 and Phase 2 are OK (I have verified this with the show crypto ... commands on the cisco and the log on the linksys). The problem is that no traffic is passing through the encrypted tunnel. The DPD messages sent between the routers are not reaching their destination, so the SAs are renegotiated all the time.

I consider that phase 1, phase 2, ACL (allowing esp, ike, etc) are OK, because clearly the SAs are successfully negotiated.

On the remote site, the linksys router is installed. It is connecting to the central site (where the cisco is installed) through the Internet by another linksys router with 3G wireless card. Topology:

(linksys)---(3G router)---(Internet)---(cisco)

I have tested the vpn b/w the linksys and the cisco by connecting them directly with an Ethernet cable and everything was ok.

Any ideas about the MTU or the DPD messages that could cause the problem when using the Internet?

Thanks in advance,

Mladen

mladentsvetkov Thu, 12/13/2007 - 07:05

Hi,

Further troubleshooting indicated the following:

The "debug ip packet" command returned the following output:

*****************
Dec 13 14:01:23.892: IP: tableid=0, s=lin.lin.lin.lin (FastEthernet0/0.3), d=cis.cis.cis.cis (FastEthernet0/0.3), routed via RIB
Dec 13 14:01:23.892: IP: s=lin.lin.lin.lin (FastEthernet0/0.3), d=cis.cis.cis.cis (FastEthernet0/0.3), len 112, rcvd 3
Dec 13 14:01:23.892: UDP src=500, dst=500
Dec 13 14:01:23.896: IP: tableid=0, s=cis.cis.cis.cis (local), d=lin.lin.lin.lin (FastEthernet0/0.3), routed via FIB
Dec 13 14:01:23.896: IP: s=cis.cis.cis.cis (local), d=lin.lin.lin.lin (FastEthernet0/0.3), len 120, sending
Dec 13 14:01:23.896: UDP src=500, dst=500
Dec 13 14:01:23.896: IP: s=cis.cis.cis.cis (local), d=lin.lin.lin.lin (FastEthernet0/0.3), len 120, encapsulation failed
*****************

Where "lin" is the outside IP address of the service provider from the remote linksys router and "cis" is the real IP address of the central cisco router.

The output was generated while the linksys router was sending DPD messages. As you can see, the cisco router is failing to send encrypted packets to the linksys router and says "encapsulation failed".

I have tried with ESP-DES, ESP-3DES, ESP-NULL, AH and the result was still the same.

Also, I have tried to connect to the central router with the easy vpn client, installed on a workstation on the linksys router's inside LAN interface, and it was working fine. Topology:

(PC+cisco_vpn_client)---(linksys)---(3G router)---(Internet)---(cisco)

Apparently, the IPSec encrypted traffic is OK through the 3G network and the Internet. So, the problem is when I try to terminate the site-to-site VPN on the VPN router.

Do you have any idea about the "encapsulation failed" message in the "debug ip packet" command?

Thanks in advance,

Mladen
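A small parser for "debug ip packet" output of the shape quoted in the post, added here as a worked example; it is not part of the original thread and not Cisco or Linksys code. It assumes the two line formats visible above (an "IP:" line followed, for UDP, by a "UDP src=..., dst=..." line) and uses constructed RFC 5737 addresses in place of the masked lin/cis values. It groups packets per peer and flags any peer for which every outbound packet ended in "encapsulation failed", which is the pattern the post shows: IKE on UDP 500 arrives from the Linksys side, the reply is routed and reaches the sending stage, and then never leaves the interface.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Line shapes seen in Cisco IOS "debug ip packet" output. An optional leading
# '*' or '.' covers the unsynchronised-clock marker IOS puts before timestamps.
IP_LINE = re.compile(
    r"^[*.]?(?P<ts>\w{3} +\d+ [\d:.]+): IP: (?:tableid=\d+, )?"
    r"s=(?P<src>\S+) \((?P<sif>[^)]*)\), d=(?P<dst>\S+) \((?P<dif>[^)]*)\)"
    r"(?:, len (?P<len>\d+))?, (?P<disp>.+)$"
)
UDP_LINE = re.compile(
    r"^[*.]?(?P<ts>\w{3} +\d+ [\d:.]+): UDP src=(?P<sport>\d+), dst=(?P<dport>\d+)$"
)

# Constructed sample modelled on the post: two DPD rounds from the remote peer
# (198.51.100.20) to the local router (203.0.113.1), each reply failing
# encapsulation, plus one unrelated packet that is sent normally.
SAMPLE = """\
Dec 13 14:01:23.892: IP: tableid=0, s=198.51.100.20 (FastEthernet0/0.3), d=203.0.113.1 (FastEthernet0/0.3), routed via RIB
Dec 13 14:01:23.892: IP: s=198.51.100.20 (FastEthernet0/0.3), d=203.0.113.1 (FastEthernet0/0.3), len 112, rcvd 3
Dec 13 14:01:23.892: UDP src=500, dst=500
Dec 13 14:01:23.896: IP: tableid=0, s=203.0.113.1 (local), d=198.51.100.20 (FastEthernet0/0.3), routed via FIB
Dec 13 14:01:23.896: IP: s=203.0.113.1 (local), d=198.51.100.20 (FastEthernet0/0.3), len 120, sending
Dec 13 14:01:23.896: UDP src=500, dst=500
Dec 13 14:01:23.896: IP: s=203.0.113.1 (local), d=198.51.100.20 (FastEthernet0/0.3), len 120, encapsulation failed
Dec 13 14:01:53.900: IP: s=198.51.100.20 (FastEthernet0/0.3), d=203.0.113.1 (FastEthernet0/0.3), len 112, rcvd 3
Dec 13 14:01:53.900: UDP src=500, dst=500
Dec 13 14:01:53.904: IP: s=203.0.113.1 (local), d=198.51.100.20 (FastEthernet0/0.3), len 120, sending
Dec 13 14:01:53.904: UDP src=500, dst=500
Dec 13 14:01:53.904: IP: s=203.0.113.1 (local), d=198.51.100.20 (FastEthernet0/0.3), len 120, encapsulation failed
Dec 13 14:01:54.000: IP: s=203.0.113.1 (local), d=203.0.113.254 (FastEthernet0/0.3), len 100, sending
"""


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    src_if: str
    dst_if: str
    length: Optional[int]
    disposition: str          # e.g. "rcvd 3", "sending", "encapsulation failed"
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_debug(text: str) -> list:
    """Turn debug output into Packet records; a UDP line annotates the IP line before it."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IP_LINE.match(line)
        if m:
            length = int(m["len"]) if m["len"] else None
            packets.append(Packet(m["ts"], m["src"], m["dst"], m["sif"], m["dif"],
                                  length, m["disp"]))
            continue
        m = UDP_LINE.match(line)
        if m and packets:
            packets[-1].sport = int(m["sport"])
            packets[-1].dport = int(m["dport"])
    return packets


def peer_report(packets) -> dict:
    """Per remote peer: inbound packets received, outbound packets that reached the
    sending stage, outbound packets that failed encapsulation, and the UDP ports
    inbound traffic arrived on. A failed outbound packet is logged twice ('sending'
    then 'encapsulation failed'), so failed == sent means nothing left the router."""
    report = defaultdict(Counter)
    for p in packets:
        if p.disposition.startswith("rcvd"):
            report[p.src]["received"] += 1
            if p.dport is not None:
                report[p.src][f"udp/{p.dport}"] += 1
        elif p.disposition == "sending":
            report[p.dst]["sent"] += 1
        elif p.disposition == "encapsulation failed":
            report[p.dst]["encapsulation_failed"] += 1
    return report


def egress_failures(report) -> list:
    """Peers for which every packet the router tried to send failed encapsulation."""
    findings = []
    for peer, c in sorted(report.items()):
        if c["sent"] and c["encapsulation_failed"] >= c["sent"]:
            findings.append(
                f"{peer}: {c['encapsulation_failed']}/{c['sent']} outbound packets failed "
                f"encapsulation; {c['received']} inbound packets were received from it"
            )
    return findings


if __name__ == "__main__":
    rep = peer_report(parse_debug(SAMPLE))
    for peer, counts in sorted(rep.items()):
        print(peer, dict(counts))
    for finding in egress_failures(rep):
        print("CHECK:", finding)
```

Run over a longer capture, the report separates the two questions the post raises: whether the peer's IKE/DPD packets keep arriving (the received count grows, and the udp/port counters show which port they arrive on) and whether anything at all goes back to it. A peer with growing "received" and "encapsulation_failed" equal to "sent", while other destinations on the same interface are sent normally, points at the egress path for that specific peer on the Cisco rather than at the 3G network in between.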
