RV042 - VPN Connection Issues

Unanswered Question
Nov 4th, 2009

So I set up a VPN tunnel and am having an issue connecting. I have two separate networks that I tested with. In both cases I am using the Quick VPN client to connect. One network running a regular XP workstation connects fine. The other is running Windows 2003 Server R2 and cannot connect using the Quick VPN client.

Here is the log from the router

Nov 4 10:26:26 2009     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Aggressive Mode 1st packet 
Nov 4 10:26:26 2009     VPN Log    initiating Aggressive Mode #96 to replace #95, connection "ips0" 
Nov 4 10:26:26 2009     VPN Log    STATE_AGGR_I1: initiate

My VPN router/network is 192.168.1.x. Neither of the remote networks is in that subnet. You will have to forgive me as I am working with a software vendor to get a VPN set up between our networks and I do not have direct access to the networks or machines connecting to ours. I apologize for any lack of information; please feel free to ask and I will attempt to get whatever is needed.

Regards

Andrew

ASTechPCLLC Wed, 11/04/2009 - 07:44

UPDATE:

Got the quickvpn log from the client

2009/11/04 15:29:03 [STATUS]OS Version: Windows XP

2009/11/04 15:29:03 [STATUS]Windows Firewall is OFF

2009/11/04 16:29:03 [STATUS]One network interface detected with IP address 10.x.x.x

2009/11/04 16:29:03 [STATUS]Connecting...

2009/11/04 16:29:03 [STATUS]Connecting to remote gateway with IP address: 96.x.x.x

2009/11/04 16:29:09 [STATUS]Remote gateway was reached by https ...

2009/11/04 16:29:09 [STATUS]Provisioning...

2009/11/04 16:29:14 [STATUS]Remote gateway was reached by https ...

2009/11/04 16:29:14 [STATUS]Provisioning...

2009/11/04 16:29:14 [WARNING]Failed to connect!

rayyoun Wed, 11/04/2009 - 13:48

Please contact Cisco Small Business at 866-606-1866; we can assist you.

Thanks

rayyoun Wed, 11/04/2009 - 13:49

We can assist you at Cisco Small Business Support Center; please call us at 866-606-1866.

Thank you

ASTechPCLLC Mon, 11/09/2009 - 07:27

I apologize but I do not have the ability to call during business hours so I need to resolve this on the forums.

I am working on setting this up with the Microsoft VPN client connecting from Server 2003.

I have configured the machine I am connecting from (server 2003) as 192.168.38.x and the routers network is 192.168.1.x

I set the protocol in the client to l2tp. Remote gateway is set to allow the ip of the server 2003 (Client)

Aggressive mode is off.

I am getting the following errors in the log

Nov 9 10:09:36 2009     VPN Log    (NATT)Initial Main Mode message received on 96.x.x.x:500 but no connection has been authorized. Please check your tunnel endpoint (gateway) setting 
Nov 9 10:09:36 2009     VPN Log    Dynamic VPN client in Main Mode is only supported for Microsoft VPN client, please use Aggressive mode instead.

Not sure where to go from here. I AM using the Microsoft VPN client, so I am not sure why it is telling me to use aggressive mode (also tried checking aggressive mode but get the same error).

daviddun Mon, 11/09/2009 - 07:41

The SBSC is open 24*7*365 for your convenience, please feel free to call in for support

1-866-606-1866

have a great day :)

ASTechPCLLC Mon, 11/09/2009 - 07:44

But the client's office is closed. I do mostly remote support, so I need to figure this out remotely. That IS what this forum is for, correct?

ASTechPCLLC Mon, 11/09/2009 - 10:01

So I managed to get close using the ms client.

I set up a group VPN with remote client as Windows client

group2

3des

sha1

(settings as ms states for defaults)

Set that for both phases. I get through main mode fine, but then it goes to quick mode and it's telling me: Quick Mode I1 message is unacceptable because it uses a previously used Message ID

any suggestions?

William Childs Tue, 11/10/2009 - 05:25

Have you made an exception in the firewall of the server to allow for Quick VPN Client? Also, what version of Quick VPN Client are you using? Just so you know, the only supported vpn client for the Small Business routers is the Cisco Small Business Quick VPN Client. It can be found here:

http://tools.cisco.com/support/downloads/go/DownloadCart.x?imageGuId=80152298E077B4886C02D46616826BF308C2CAFA&action=d

The setup is very easy. Please post your results.

Bill

ASTechPCLLC Tue, 11/10/2009 - 05:29

I am actually attempting to use the MS VPN client as that is a requirement by the software vendor. I only have the default firewall access rule which is set to allow all traffic. I figured since I was using the vpn tunnel in the router I would not need to create any access rules for that.

I am stuck on getting this error: Quick Mode I1 message is unacceptable because it uses a previously used Message ID

William Childs Tue, 11/10/2009 - 05:41

As I mentioned, we only support the Quick VPN Client with our routers. The other vendor's software (yes, even Microsoft) is considered best effort as we have no way to design our systems to be compatible with all vendors/software. I apologize that we are not able to find a workable solution for you.

You may want to just try the QVPN client to see if the tunnel will connect at all. If it does connect, then you know the issue is not with the router, but with your server. If it does not connect at all, then you have at least something to bring back here to troubleshoot.

Bill

William Childs Tue, 11/10/2009 - 05:46

You are correct with that statement. You also did say that it worked from an XP machine. This should give, at least, some hope that the RV042 is working properly. I think the fact that it is not supported is more a liability issue than a functionality issue. It might not hurt to try. Good luck with it.

Bill

William Childs Tue, 11/10/2009 - 05:51

You are correct that you could use 2 RV042s (one on each end) to configure a Gateway to Gateway IPSEC tunnel that would stay up constantly, and not use resources on the server. In my opinion, this is the optimal way to set up your network. This would eliminate any port forwarding (for the sake of the tunnel) that would need to be done.

Bill
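
Added example, not part of the thread and not Cisco code: a small triage script that reads the router "VPN Log" lines quoted in the posts above and reports how far each attempt got in IKEv1 (Main/Aggressive Mode is phase 1, Quick Mode is phase 2). The names triage, furthest_phase and RULES are this example's own, and the readings attached to each message are its interpretation.

```python
import re
from datetime import datetime

# Line layout as quoted in the thread: "<Mon D HH:MM:SS YYYY>  VPN Log  <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+[\d:]{8}\s+\d{4})\s+VPN Log\s+(.*\S)")

# (substring of a quoted message, IKEv1 phase, this example's reading of it)
RULES = [
    ("Aggressive Mode", 1, "phase 1 attempted in Aggressive Mode"),
    ("STATE_AGGR_I1", 1, "router is the initiator and sent its first packet"),
    ("no connection has been authorized", 1,
     "Main Mode packet arrived but no tunnel definition accepted the sender"),
    ("Dynamic VPN client in Main Mode", 1, "router refused Main Mode for this peer"),
    ("Quick Mode I1 message is unacceptable", 2,
     "phase 1 completed; phase 2 message rejected for a reused Message ID"),
]

def triage(log_text):
    """Return (timestamp, phase, reading) for every VPN Log line; phase 0 = unclassified."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or not a VPN Log entry
        ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S %Y")
        for needle, phase, reading in RULES:
            if needle in m.group(2):
                events.append((ts, phase, reading))
                break
        else:
            events.append((ts, 0, "unclassified: " + m.group(2)))
    return events

def furthest_phase(log_text):
    """Highest IKEv1 phase seen in the log: 1 = stuck in phase 1, 2 = reached Quick Mode."""
    return max((phase for _, phase, _ in triage(log_text)), default=0)

# Samples: the first two are copied from the posts; the third pairs the quoted
# Quick Mode error with a constructed timestamp, since the post gave none.
QUICKVPN_ATTEMPT = """\
Nov 4 10:26:26 2009     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Aggressive Mode 1st packet
Nov 4 10:26:26 2009     VPN Log    initiating Aggressive Mode #96 to replace #95, connection "ips0"
Nov 4 10:26:26 2009     VPN Log    STATE_AGGR_I1: initiate
"""
MS_CLIENT_ATTEMPT = """\
Nov 9 10:09:36 2009     VPN Log    (NATT)Initial Main Mode message received on 96.x.x.x:500 but no connection has been authorized. Please check your tunnel endpoint (gateway) setting
Nov 9 10:09:36 2009     VPN Log    Dynamic VPN client in Main Mode is only supported for Microsoft VPN client, please use Aggressive mode instead.
"""
GROUP_VPN_ATTEMPT = "Nov 9 13:00:00 2009     VPN Log    Quick Mode I1 message is unacceptable because it uses a previously used Message ID"
```

Calling furthest_phase on each sample separates the two phase 1 failures (no usable tunnel definition for the peer) from the group VPN attempt, where phase 1 succeeded and the phase 2 proposal is what needs attention.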
