RVS4000 vpn issue

Apr 3rd, 2009

I've set up an IPSec VPN with the following settings but can't connect, and the log says "can't innitiate the connection w/o knowing peer ip address".

Can you tell me what is wrong with my setting?


Local Group Setup
  Local Security Gateway Type: IP Only
  IP address: xxx.xxx.160.99
  Local Security Group Type: Subnet
  IP Address: 192.168.0.1
  Subnet Mask: 255.255.255.0
--------------------------------------------------------------------------------
Remote Group Setup
  Remote Security Gateway Type: Any (This Gateway accepts requests from any IP address.)
  Remote Security Group Type: IP Addr
  IP Address: 192.168.2.0
  Subnet Mask: 255.255.255.0
--------------------------------------------------------------------------------
IPSec Setup
  Keying Mode: IKE with Preshared key
  Phase 1:
    Encryption: 3DES
    Authentication: MD5
    Group: 768-bit
    Key Life Time: 28800 Sec.
  Phase 2:
    Encryption: 3DES
    Authentication: SHA1
    Perfect Forward Secrecy: Enable

Status: Down

Steven DiStefano Tue, 04/14/2009 - 07:50

Are you trying to establish a site-to-site VPN? If so, the other side (router) also needs to be configured to match this one.

kowolpark Tue, 04/14/2009 - 08:14

No, it is not site to site.

I'd like to connect from home (DSL) to work (RVS4000 with T1).


Thanks

Steven DiStefano Wed, 04/15/2009 - 12:11

OK. Then if you want to configure a client VPN connection, you can use QVPN on the PC at the remote location and connect to the RVS4000 as the server, if you will.

You were sharing configuration that is only relevant when setting up a site-to-site (or gateway-to-gateway) VPN tunnel.


See if this helps:

http://www.cisco.com/en/US/products/ps9928/index.html

kowolpark Wed, 04/15/2009 - 12:32

Thanks, but in the log of the RVS4000, "home" cannot initiate the connection without knowing the peer IP address and keeps failing to connect.

And I can't connect through QuickVPN either.

Steven DiStefano Wed, 04/15/2009 - 13:01

The RVS4000 can be a gateway in a site-to-site IPSec VPN (a tunnel to another router) or a server which hosts client QVPN connections to it.

The peer IP address would be the WAN IP of the RVS4000, whether that's static or a DDNS-resolved DHCP address. For IPSec tunnels to establish, the peer needs to be a known address. When a router (gateway) wants to make a connection to another router (gateway), this site-to-site connection would be the IPSec tunnel, with each router defining its own local subnet to share (must be unique) and its WAN IP address.

If, on the other hand, you want to use a PC on the public internet to connect to an RVS4000, then you can use the QVPN client, but that requires that you configure a user and password in the RVS4000 under client VPN settings (not site to site). In that case, only the client needs to know who the RVS4000 (WAN IP) is. It establishes an IPSec tunnel, but it becomes a member of the RVS4000 network (you configure a DHCP pool for the remote clients so that works).

kowolpark Wed, 04/15/2009 - 15:07

As you can see from my very first message, I'm using a static IP address for the RVS4000.

The RVS4000 is working fine other than VPN.

Our network setup is as below:


Work: T1 -> Cisco 1720 -> RVS4000 -> Switch

Home: DSL -> Linksys WRT54G


Thanks

Moderator Fri, 04/17/2009 - 12:15

Hello,


Were we able to help you find a solution? If you still need help or have any additional questions, please let me know.


Thank you,


Cisco Moderation Team

Steven DiStefano Fri, 04/17/2009 - 13:00

If I understand that topology, there is a T1 (WAN) coming into a 1720 and then to the RVS4000. That's not going to work too well, I don't think. The RVS4000 needs to have a public routable IP...

kowolpark Fri, 04/17/2009 - 13:10

The RVS4000 does have a public IP address, which is 67.113.xxx.xxx, and I'm also using it with port forwarding for an email server, which is working fine.

But VPN is not working.

Steven DiStefano Tue, 04/28/2009 - 13:18

I decided a different approach to help you here.

I figured if I can make it work, and show you, then you can see how to do it.

So I built a small network in my lab with a Layer 3 routed network (my cloud if you will).


I have the following routers from the small business portfolio: http://www.cisco.com/cisco/web/solutions/small_business/products/routers...


So here is the environment:

Router      WAN IP           LAN              Next Hop DGW (another router)
RV082       10.10.10.2/24    192.168.1.0/24   10.10.10.1
RV016       20.20.20.2/24    192.168.2.0/24   20.20.20.1
WRVS4400N   30.30.30.2/25    192.168.3.0/24   30.30.30.1
RVS4000     40.40.40.2       192.168.4.0/24   40.40.40.1
RV042       50.50.50.2       192.168.5.0/24   50.50.50.1


I set up 4 tunnels in each router and had a full-mesh IPSec network up and running in about an hour.


Let me show you the config for the RVS4000. Attached are pictures of the RVS4000 screens.

The other router matches in terms of Phase 1 and Phase 2 parameters.


Now I can be on either LAN and access the devices on the other routers' LANs.


Let me know if this helps you.

I have the exact same set of issues working from a dynamic IP at the remote end.


1- If you configure a VPN tunnel on the RVS4000 to accept connections from any IP, it will not accept a connection. This setting simply does not work. It only works with a fixed IP.

QVPN did not work either from behind a gateway with a dynamic IP.

2- QVPN will crash outright (with a nasty "wget application needs to close") if DoS is enabled on the RVS4000.

3- If DoS is disabled, it will not crash, but it is not able to make a connection through a (Cisco/Linksys!) gateway, even though NAT traversal is enabled.


These three issues are widely reported on the internet. Are you able to reproduce them? I have seen no one with a solution yet.

After inspecting the log closely and using another VPN Client (TheGreenBow) with some debug capability, I was actually able to VPN from a client behind a NAT router under restricted circumstances, which also seem to point to the problem.


The issue has to do with the remote group security setup apparently not working properly. If you use the "Any" setting for the remote IP, and you use the subnet method of authentication, the RVS4000 will not recognize a host belonging to the subnet properly. However, if you specify a single static remote host IP address, it works (but obviously not practical in a DHCP environment). For example, if you set up remote security as a subnet, say 192.168.1.1 / 255.255.255.0, the router will still not accept a connection from host 192.168.1.105 (the VPN log shows that it cannot find a connection match for 192.168.1.105/32, when instead it should find that the rule 192.168.1.1/24 applies). Sure enough, if you set up the remote security as the single host IP 192.168.1.105 instead, it will match the connection and open the tunnel, at least with the Green Bow client.


I suspect this could also explain why the Quick VPN will not work either in a similar situation.


This is using version 1.3.0.5 of the firmware. Is this a known bug? Any fix?
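The mismatch described above comes down to how a responder compares the traffic selector a peer proposes (here a single host, 192.168.1.105/32) against the remote security group configured on the router. The following is an added illustration, not RVS4000 firmware or any poster's code: it models the two possible comparison rules, containment (the behaviour the post expects from a subnet group) and exact equality (which reproduces the "cannot find a connection match" symptom), over the two configurations the post compares. The class and function names and the sample policy are constructed for this example. One caveat worth knowing when reading such logs: IKEv1 quick mode does not standardize narrowing of proposed selectors, so some implementations demand an exact match between what the peer proposes and the configured policy; IKEv2 does define selector narrowing.

```python
"""Remote security group matching for an IPsec responder.
Added illustration; constructed names and sample policy, not router code."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class RemoteSecurityGroup:
    """Mirrors the 'Remote Security Group Type' fields on the router's VPN page."""
    name: str
    group_type: str            # "IP Addr" (single host) or "Subnet"
    ip_address: str
    subnet_mask: str = "255.255.255.255"

    def network(self) -> IPv4Network:
        """Configured group as a network object."""
        if self.group_type == "IP Addr":
            return ip_network(f"{self.ip_address}/32")
        # strict=False turns "192.168.1.1" + "255.255.255.0" into 192.168.1.0/24,
        # the way a router GUI interprets an address/mask pair.
        return ip_network(f"{self.ip_address}/{self.subnet_mask}", strict=False)


def containment_match(group: RemoteSecurityGroup, proposed: str) -> bool:
    """Accept if the peer's proposed selector lies inside the configured group.
    This is the rule the post expects: 192.168.1.105/32 is inside 192.168.1.0/24."""
    return ip_network(proposed, strict=False).subnet_of(group.network())


def exact_match(group: RemoteSecurityGroup, proposed: str) -> bool:
    """Accept only if the proposed selector equals the configured group.
    Models the logged symptom: a subnet group never equals a /32 proposal,
    so only a single-host group set to the peer's own address matches."""
    return ip_network(proposed, strict=False) == group.network()


Matcher = Callable[[RemoteSecurityGroup, str], bool]


def find_connection(groups: Iterable[RemoteSecurityGroup], proposed: str,
                    matcher: Matcher = containment_match) -> Optional[str]:
    """Name of the first configured tunnel whose remote group accepts the
    proposed selector, or None (the router would log 'no connection match')."""
    for group in groups:
        if matcher(group, proposed):
            return group.name
    return None


# Constructed sample policy: the two configurations the post compares.
SUBNET_GROUP = RemoteSecurityGroup("tunnel-subnet", "Subnet", "192.168.1.1", "255.255.255.0")
HOST_GROUP = RemoteSecurityGroup("tunnel-host", "IP Addr", "192.168.1.105")
PEER_SELECTOR = "192.168.1.105/32"   # what a single client behind NAT proposes

if __name__ == "__main__":
    for matcher in (containment_match, exact_match):
        for group in (SUBNET_GROUP, HOST_GROUP):
            result = find_connection([group], PEER_SELECTOR, matcher)
            print(f"{matcher.__name__:18} {group.name:14} -> {result}")
```

Running the block prints a 2x2 grid: under containment both groups accept the /32 proposal, while under exact equality only the single-host group does, which is the pattern the post observed with the TheGreenBow client. When a router behaves like `exact_match`, a road-warrior client with a changing address cannot be matched by a subnet entry, and the log line quoting the rejected `/32` is the clue to look for.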

michaelrach Thu, 02/04/2010 - 13:39

I wish to set up a client-to-RVS4000 VPN. I have two laptops with which I travel. One uses Ubuntu 9.10 and the other uses Windows Vista x64. That rules out the use of QuickVPN in both cases. No, QuickVPN version 1.0.3.5 does NOT work under WINE.


The RVS4000 has a static and known IP address. The clients' addresses will vary. The closest to success I have come is the following two configurations. 1) I have installed VMWare on the Vista laptop with a guest OS of XP 32-bit and installed QuickVPN. I can then connect to the router and set up a VPN tunnel. While an interesting proof of concept, this is a tedious workaround.


I am trying to work with the ShrewSoft VPN Client. I use a remote group of Any with a private subnet different from the RVS4000's. ShrewSoft allows the assignment of a virtual IP address.

The ShrewSoft client sets up and acknowledges a tunnel; unfortunately the RVS4000 never realizes the tunnel is up. Yet when I change a VPN setting in the RVS4000, the ShrewSoft client reports the disconnect. Therefore they are communicating.

KrisWiggins Fri, 08/13/2010 - 13:44

"If I understand that topology there is a T1 (WAN) coming into a 1720 and then to the RVS4000. Thats not going to work too well I dont think. The RVS4000 needs to have a public routable IP......"


This is more or less exactly what I need to do. I need to connect an office to a home with a site-to-site VPN tunnel. The purpose is to connect remote IP phones (at the home) to the office (so something like the QuickVPN client is out; no computers are involved, only an IP phone). The phone needs to just connect to the office via the router with zero intervention once everything is in place.


Current setup and results:


Office:

RVS4000 directly connected to the internet, static and public WAN IP address, accepts VPN requests from ANY IP

Home:

RVS4000 NATed behind ISP-supplied equipment, dynamic OR static (doesn't seem to make a difference) private WAN IP address, configured to send VPN tunnel requests to the office's public IP address


This works great, for about two or three hours. The VPN tunnel initially connects without a hitch, runs for some amount of time, but after a few hours the VPN tunnel hiccups or something, loses its connection, and is unable to reconnect itself. No idea why this is the case; it connects fine initially. Clicking Disconnect/Connect on the (remote home) VPN summary page does nothing. However, after disabling/enabling the VPN tunnel on the (remote home) RVS4000 box, OR unplugging it and plugging it back in (the power cord, that is), PRESTO, the VPN tunnel is back up and running. For a few hours. Rinse, repeat.

This of course will not fly. This is the scenario I have to work with; I simply need it to work with whatever settings and/or devices I need to throw in to make it happen. The remote home VPN router box will not be connected directly to the internet; it will be NATed. Any suggestions?


thanks ~ k
