SA520 to RV082 VPN

Unanswered Question
Mar 22nd, 2010

We've been testing an SA520 as a possible replacement for the RV082 but we have hundreds of RV082's around N America and several that we maintain VPN connections to for various purposes.  We've been unable, as yet, to establish a site-to-site VPN connection from our SA520 running 1.1.3 to an RV082 running 2.0.0.18.  The SA is the initiator.  I've copied and pasted the PSK, changed the IKE policy to AES-128 matching the RV082, the RV complains about the connection saying:

No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting

I fear the problem is the RV is expecting AES-128 as the Phase2 Encryption policy but that's not an option on the SA.  Has anyone been able to get an SA5xx to connect to an RV0x2 via site-to-site VPN?  Given the same QVPN client is supposed to work for both products surely the site-to-site VPN should work too.  Thanks...

William Childs Fri, 03/26/2010 - 03:41

Try making sure the SA and RV are using the same Diffie-Hellman group (group 2 is the lowest they have in common) and make sure the hashing algorithm is the same (both set for SHA/3DES). This should improve your odds.

Also make sure the subnets are different, and that you are allowing the WHOLE subnet across the link, and not just the ip of the router.

Bill

Brian Bergin Fri, 03/26/2010 - 05:46

First, I have had a VPN connection from this LAN to the remote sites for years using RV082, so I know subnets are setup correctly.  I already have the SA520 set to Group 2 which is how the RV082's connect.  Also, why would anyone want to use 3DES when AES is available?  We've used AES-128 for many years on the RV082's without issue.

What really bugs me about Cisco is you guys simply refuse to test this on your own.  It should be very simple for you guys to setup a couple of your own devices and put up a FAQ on how to do this.  Every single Small Business product should be able to connect to every other one.  I can take a PIX v5 and make a VPN connection to an ASA on 8.1 and there's documentation on how to do it.  Why can't Cisco document its Small Biz routers?  You cannot assume that a Small Biz will replace every single device at every single location all at one time so there has to be some overlap.  We have a customer now using BEFSR41/BEFSX41s at various locations who refuse to upgrade to anything new because they have to do it all at once because Cisco/Linksys failed to either do any testing between the BE VPN series and the RV series (let alone the SA series) or Cisco/Linksys knows it can be done (tech after tech claims it's possible) but refuses to post anything on how to do it.  What harm does it do to document how to do something when a customer is buying more Cisco product?  I'm not asking for FAQs on how to go from a RV082 to a Juniper Netscreen, just one Cisco product to another.

When Cisco's SMB management realizes that having incompatible products is unacceptable it will start down the road of being accepted by more SMBs.  Until then, you will continue to have unhappy partners and customers posting problems here left and right.

Posted March 22, 2010 at 12:44 PM