
Cisco and Linksys RV042 VPN issues

mladentsvetkov
Level 1

Hi,

Would you please help me on this issue?

I have to configure a site-to-site VPN between a Cisco 3725 and a Linksys RV042 router.

Phase 1 and Phase 2 are OK (I have verified this with the show crypto ... commands on the Cisco and the log on the Linksys). The problem is that no traffic is passing through the encrypted tunnel. The DPD messages sent between the routers are not reaching their destination, so the SAs are renegotiated all the time.

I consider that Phase 1, Phase 2 and the ACLs (allowing ESP, IKE, etc.) are OK, because the SAs are clearly negotiated successfully.

On the remote site, the Linksys router is installed. It connects to the central site (where the Cisco is installed) over the Internet through another Linksys router with a 3G wireless card. Topology:

(linksys)---(3G router)---(Internet)---(cisco)

I have tested the VPN between the Linksys and the Cisco by connecting them directly with an Ethernet cable, and everything was OK.

Any ideas about the MTU or the DPD messages that could cause the problem when using the Internet?

Thanks in advance,

Mladen

1 Reply

mladentsvetkov
Level 1

Hi,

Further troubleshooting indicated the following:

The "debug ip packet" command returned the following output:

*****************

Dec 13 14:01:23.892: IP: tableid=0, s=lin.lin.lin.lin (FastEthernet0/0.3), d=cis.cis.cis.cis (FastEthernet0/0.3), routed via RIB
Dec 13 14:01:23.892: IP: s=lin.lin.lin.lin (FastEthernet0/0.3), d=cis.cis.cis.cis (FastEthernet0/0.3), len 112, rcvd 3
Dec 13 14:01:23.892: UDP src=500, dst=500
Dec 13 14:01:23.896: IP: tableid=0, s=cis.cis.cis.cis (local), d=lin.lin.lin.lin (FastEthernet0/0.3), routed via FIB
Dec 13 14:01:23.896: IP: s=cis.cis.cis.cis (local), d=lin.lin.lin.lin (FastEthernet0/0.3), len 120, sending
Dec 13 14:01:23.896: UDP src=500, dst=500
Dec 13 14:01:23.896: IP: s=cis.cis.cis.cis (local), d=lin.lin.lin.lin (FastEthernet0/0.3), len 120, encapsulation failed

*****************

Where "lin" is the outside IP address that the service provider assigns to the remote Linksys router and "cis" is the real IP address of the central Cisco router.

The output was generated while the Linksys router was sending DPD messages. As you can see, the Cisco router is failing to send encrypted packets to the Linksys router and reports "encapsulation failed".

I have tried with ESP-DES, ESP-3DES, ESP-NULL, AH and the result was still the same.

Also, I have tried to connect to the central router with the Easy VPN client installed on a workstation on the Linksys router's inside LAN interface, and it was working fine. Topology:

(PC+cisco_vpn_client)---(linksys)---(3G router)---(Internet)---(cisco)

Apparently, the IPSec encrypted traffic is OK through the 3G network and the Internet. So, the problem is when I try to terminate the site-to-site VPN on the VPN router.

Do you have any idea about the "encapsulation failed" message in the "debug ip packet" command?

Thanks in advance,

Mladen
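Added example, not part of the thread: a small Python parser that reconstructs datagrams from "debug ip packet" lines of the shape quoted above, folds the per-step status lines ("sending", "encapsulation failed", ...) and the "UDP src/dst" line into one record per packet, and isolates the packets the router could not put on the wire. The sample input is constructed to mirror the posted output; the documentation-range addresses 198.51.100.10 (remote Linksys side) and 203.0.113.5 (central Cisco) are placeholders for the "lin" and "cis" addresses and are an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of Cisco IOS "debug ip packet" output in the shape posted
# above. The addresses are documentation-range placeholders (an assumption of
# this example): 198.51.100.10 plays the remote Linksys side and 203.0.113.5
# the central Cisco router.
SAMPLE_DEBUG = """\
Dec 13 14:01:23.892: IP: tableid=0, s=198.51.100.10 (FastEthernet0/0.3), d=203.0.113.5 (FastEthernet0/0.3), routed via RIB
Dec 13 14:01:23.892: IP: s=198.51.100.10 (FastEthernet0/0.3), d=203.0.113.5 (FastEthernet0/0.3), len 112, rcvd 3
Dec 13 14:01:23.892: UDP src=500, dst=500
Dec 13 14:01:23.896: IP: tableid=0, s=203.0.113.5 (local), d=198.51.100.10 (FastEthernet0/0.3), routed via FIB
Dec 13 14:01:23.896: IP: s=203.0.113.5 (local), d=198.51.100.10 (FastEthernet0/0.3), len 120, sending
Dec 13 14:01:23.896: UDP src=500, dst=500
Dec 13 14:01:23.896: IP: s=203.0.113.5 (local), d=198.51.100.10 (FastEthernet0/0.3), len 120, encapsulation failed
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+)"
# Per-step lines: "IP: s=<src> (<if>), d=<dst> (<if>), len <n>, <status>".
# "IP: tableid=..." lookup lines carry no length/status and do not match.
IP_RE = re.compile(
    TS + r": IP: s=(?P<src>\S+) \((?P<src_if>[^)]+)\), "
    r"d=(?P<dst>\S+) \((?P<dst_if>[^)]+)\), len (?P<length>\d+), (?P<status>.+)$"
)
UDP_RE = re.compile(TS + r": UDP src=(?P<sport>\d+), dst=(?P<dport>\d+)$")

ISAKMP_PORT = 500  # IKE; DPD is carried inside IKE, so DPD shows up here too


@dataclass
class Packet:
    ts: str
    src: str
    src_if: str
    dst: str
    dst_if: str
    length: int
    statuses: List[str] = field(default_factory=list)
    sport: Optional[int] = None
    dport: Optional[int] = None

    def key(self):
        # All debug lines for one datagram share timestamp, addresses and length.
        return (self.ts, self.src, self.dst, self.length)

    @property
    def outbound(self) -> bool:
        return self.src_if == "local"  # IOS marks locally generated packets "(local)"

    @property
    def is_ike(self) -> bool:
        return ISAKMP_PORT in (self.sport, self.dport)

    @property
    def failed(self) -> bool:
        return any("encapsulation failed" in s for s in self.statuses)


def parse_debug(text: str) -> List[Packet]:
    """Fold the per-step 'IP:' lines and the 'UDP' port line into one Packet each."""
    packets: List[Packet] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = IP_RE.match(line)
        if m:
            pkt = Packet(m["ts"], m["src"], m["src_if"], m["dst"], m["dst_if"], int(m["length"]))
            if packets and packets[-1].key() == pkt.key():
                packets[-1].statuses.append(m["status"])  # next step of the same datagram
            else:
                pkt.statuses.append(m["status"])
                packets.append(pkt)
            continue
        m = UDP_RE.match(line)
        if m and packets and packets[-1].ts == m["ts"]:
            packets[-1].sport, packets[-1].dport = int(m["sport"]), int(m["dport"])
    return packets


def analyze(packets: List[Packet]) -> Dict[str, object]:
    """Count the IKE exchange and isolate datagrams the router could not send."""
    failed = [p for p in packets if p.failed]
    return {
        "ike_received": sum(1 for p in packets if p.is_ike and not p.outbound),
        "ike_send_attempts": sum(1 for p in packets if p.is_ike and p.outbound),
        "failed": [(p.ts, p.src, p.dst, p.dst_if, p.length) for p in failed],
        "failed_are_ike_replies": bool(failed) and all(p.is_ike and p.outbound for p in failed),
    }


def diagnose(text: str) -> str:
    """One-line verdict pointing at the layer where the failure was reported."""
    summary = analyze(parse_debug(text))
    if summary["failed_are_ike_replies"]:
        ts, src, dst, iface, _ = summary["failed"][0]
        return (f"IKE reply {src}->{dst} at {ts} never left {iface}: the router could not "
                f"build the layer 2 frame. Check next-hop resolution on {iface} "
                f"(show ip arp, show adjacency) before looking at ESP transforms or MTU.")
    if summary["failed"]:
        return "encapsulation failures on non-IKE traffic: check layer 2 on the outgoing interface"
    return "no encapsulation failures in this capture"


if __name__ == "__main__":
    for p in parse_debug(SAMPLE_DEBUG):
        print(p.ts, p.src, "->", p.dst, p.length, p.statuses, (p.sport, p.dport))
    print(diagnose(SAMPLE_DEBUG))
```

Two things the reconstruction makes visible that the raw lines hide: the failing datagram is the router's own UDP 500 (IKE/DPD) reply, not an ESP packet, and "sending" followed by "encapsulation failed" describes the same datagram, so it was routed correctly but never got a Layer 2 frame on FastEthernet0/0.3. On IOS that status most commonly points at an unresolved ARP entry or missing adjacency for the next hop on that interface, which is a cheaper check than cycling through ESP transforms.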