Tunnel: 1841 to Linksys WRVS4400N

pondersean
Level 1

I am attempting to connect two offices via an IPSec tunnel. My side is using an 1841 with the AdvSec package (and existing IPSec tunnels on a different interface), and the other office is using a Linksys WRVS4400N VPN router.

I've got both sides configured properly for the tunnel and can see Phase 1 IKE, but Phase 2 fails. Has anyone successfully used these devices to peer? I am using mostly default values for the setup...3DES, SHA1, DH group 2 etc.

Thanks in advance for the help.


ajagadee
Cisco Employee

The tunnel should work fine between two different VPN vendors as long as they follow the RFC.

Can you post a copy of the current configuration along with "deb cry is" and "deb cry ipsec" outputs, so we can see what is going on?

Regards,

Arul

Got the tunnel up and talking, the issue was a misconfiguration on the Linksys VPN router. Now that they are talking the Cisco SDM shows the tunnel status as "up", yet I cannot ping any of the hosts on the destination network. When I use the SDM diagnostic tool, it comes back with:

"A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets."

I did a search on Google and found a forum post from someone with the same problem...but the last post was from the user, saying "issue resolved it was a routing problem" with no specifics.

Has anyone run into this before?

Glad you got the first part working :-)

As far as the traffic is concerned, are you saying that you are not able to even send a ping packet with 100 bytes across the tunnel? It may or may not be an MTU issue and could be a misconfiguration on the ASA or Linksys. When you try to ping a remote host across the tunnel, what do you see under encrypts and decrypts? Can you post a copy of your configuration along with "show crypto ipsec sa" outputs and also the source and destination IP addresses of your traffic?

Regards,

Arul

** Please rate all helpful posts **

As of now, I am unable to ping any host in the destination network (192.168.6.0 /24). Nor am I able to ping the inside interface on the destination router (192.168.6.1). The other side, however, is able to ping the inside interface on my router (192.168.3.1). But they cannot ping any hosts inside my network.

When I run a "sh crypto eng connection active" I can see the encrypt/decrypt happening for each ping they send to my router, but nothing at all when I try to send a ping out.

A "sh crypto isa sa" shows MM_NO_STATE for the tunnel.

On a side note: I also set up a client VPN group on this router. They can connect successfully and ping the router (192.168.3.1) but cannot access any inside hosts either. Pings fail, as does any other method of accessing inside hosts when connected successfully via VPN.

I'm sure that I have overlooked something here.

I will post the config shortly.

Thanks!

Here is the config that I am currently running. Thanks in advance for any advice or help!