Tunnel: 1841 to Linksys WRVS4400N

Unanswered Question
Jan 29th, 2008

I am attempting to connect two offices via an IPSec tunnel. My side is using an 1841 with the AdvSec package (and existing IPSec tunnels on a different interface) and the other office is using a Linksys WRVS4400N VPN router.

I've got both sides configured properly for the tunnel and can see Phase 1 IKE, but Phase 2 fails. Has anyone successfully used these devices to peer? I am using mostly default values for the setup...3DES, SHA1, DH group 2 etc.

Thanks in advance for the help.

ajagadee Tue, 01/29/2008 - 15:37

The tunnel should work fine between two different VPN Vendors as far as they follow the RFC.

Can you post a copy of the current configuration along with "deb cry is" and "deb cry ipsec" outputs, so we can see what is going on?



pondersean Thu, 01/31/2008 - 16:15

Got the tunnel up and talking; the issue was a misconfiguration on the Linksys VPN router. Now that they are talking, the Cisco SDM shows the tunnel status as "up", yet I cannot ping any of the hosts on the destination network. When I use the SDM diagnostic tool, it comes back with:

"A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets."

I did a search on Google and found a forum post from someone with the same problem...but the last post was from the user, saying "issue resolved it was a routing problem" with no specifics.

Has anyone run into this before?

ajagadee Thu, 01/31/2008 - 19:53

Glad you got the first part working :-)

As far as the traffic is concerned, are you saying that you are not able to even send a ping packet with 100 bytes across the tunnel? It may or may not be an MTU issue and could be a misconfiguration on the ASA or Linksys. When you try to ping a remote host across the tunnel, what do you see under encrypts and decrypts? Can you post a copy of your configuration along with "show crypto ipsec sa" outputs and also the source and destination IP addresses of your traffic?



** Please rate all helpful posts **

pondersean Mon, 02/04/2008 - 10:44

As of now, I am unable to ping any host in the destination network ( /24). Nor am I able to ping the inside interface on the destination router ( The other side, however, is able to ping the inside interface on my router ( But they cannot ping any hosts inside my network.

When I run a "sh crypto eng connection active" I can see the encrypt/decrypt happening for each ping they send to my router, but nothing at all when I try to send a ping out.

A "sh crypto isa sa" shows MM_NO_STATE for the tunnel.

On a side note: I also set up a client VPN group on this router. They can connect successfully and ping the router ( but cannot access any inside hosts either. Pings fail, as does any other method of accessing inside hosts when connected successfully via VPN.

I'm sure that I have overlooked something here.

I will post the config shortly.


