Cisco Support Community

RV220W - IPsec - No Tx packets from gateway

I have tried to get devices to connect to my RV220W using IPsec for quite some time now. I have all the settings matched on the clients; however, I do not see Tx traffic going from the gateway to the devices (including DNS lookups).

This is generally what I see under the IPsec connection status view on the RV220W 1.0.3.5:

Policy Name        Endpoint       Packets   KBytes        State Action
                                  Rx   Tx   Rx     Tx
192.168.0.113*     192.168.0.113  358  0    24.00  0.00   IPsec SA Established     (Tablet)
192.168.0.137*     192.168.0.137  358  0    24.00  0.00   IPsec SA Established     (Smartphone)


I have tried connecting now from many different locations but fail to see traffic make it back to my device when trying to access a resource on the 10.0.0.0 subnet. I have toggled many settings including PFS/DPD. The clients are matched up with the exact IKE/VPN policy options.

I have included all I can think of below and would appreciate any help:


Gateway logs for BlackBerry PlayBook OS 2.1 connection:
2012-06-12 23:29:37: [gateway][IKE] INFO: Remote configuration for identifier "<host.domain.tld>" found
2012-06-12 23:29:37: [gateway][IKE] INFO: Received request for new phase 1 negotiation: <WAN IP>[500]<=>192.168.0.113[500]
2012-06-12 23:29:37: [gateway][IKE] INFO: Beginning Aggressive mode.
2012-06-12 23:29:37: [gateway][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-06-12 23:29:37: [gateway][IKE] INFO: Received Vendor ID: DPD
2012-06-12 23:29:37: [gateway][IKE] INFO: For 192.168.0.113[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-06-12 23:29:38: [gateway][IKE] INFO: NAT-D payload matches for <WAN IP>[500]
2012-06-12 23:29:38: [gateway][IKE] INFO: NAT-D payload matches for 192.168.0.113[500]
2012-06-12 23:29:38: [gateway][IKE] WARNING: Ignore INITIAL-CONTACT notification from 192.168.0.113[500] because it is only accepted after phase1.
2012-06-12 23:29:38: [gateway][IKE] INFO: NAT not detected
2012-06-12 23:29:38: [gateway][IKE] INFO: ISAKMP-SA established for <WAN IP>[500]-192.168.0.113[500] with spi:8252c2ebcdb0ce11:4cee64e0debe6f68
2012-06-12 23:29:38: [gateway][IKE] INFO: Responding to new phase 2 negotiation: <WAN IP>[0]<=>192.168.0.113[0]
2012-06-12 23:29:38: [gateway][IKE] INFO: Using IPsec SA configuration: anonymous
2012-06-12 23:29:38: [gateway][IKE] INFO: Re-using previously generated policy: 192.168.0.113/32[0] 10.0.0.0/24[0] proto=any dir=in
2012-06-12 23:29:38: [gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel 192.168.0.113-><WAN IP> with spi=240351098(0xe53777a)
2012-06-12 23:29:38: [gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel <WAN IP>->192.168.0.113 with spi=2475748592(0x9390ecf0)


Gateway logs for BlackBerry Smartphone OS 7.1 connection:
2012-06-12 23:30:17: [gateway][IKE] INFO: Remote configuration for identifier "<host.domain.tld>" found
2012-06-12 23:30:17: [gateway][IKE] INFO: Received request for new phase 1 negotiation: <WAN IP>[500]<=>192.168.0.137[500]
2012-06-12 23:30:17: [gateway][IKE] INFO: Beginning Aggressive mode.
2012-06-12 23:30:17: [gateway][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-06-12 23:30:17: [gateway][IKE] INFO: Received Vendor ID: DPD
2012-06-12 23:30:17: [gateway][IKE] INFO: For 192.168.0.137[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-06-12 23:30:18: [gateway][IKE] INFO: NAT-D payload matches for <WAN IP>[500]
2012-06-12 23:30:18: [gateway][IKE] INFO: NAT-D payload matches for 192.168.0.137[500]
2012-06-12 23:30:18: [gateway][IKE] WARNING: Ignore INITIAL-CONTACT notification from 192.168.0.137[500] because it is only accepted after phase1.
2012-06-12 23:30:18: [gateway][IKE] INFO: NAT not detected
2012-06-12 23:30:18: [gateway][IKE] INFO: ISAKMP-SA established for <WAN IP>[500]-192.168.0.137[500] with spi:2f948888fbe0dd0d:571b0688dfaad0c5
2012-06-12 23:30:18: [gateway][IKE] INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2012-06-12 23:30:18: [gateway][IKE] INFO: Responding to new phase 2 negotiation: <WAN IP>[0]<=>192.168.0.137[0]
2012-06-12 23:30:18: [gateway][IKE] INFO: Using IPsec SA configuration: anonymous
2012-06-12 23:30:18: [gateway][IKE] INFO: No policy found, generating the policy : 10.0.0.200/32[0] 10.0.0.0/24[0] proto=any dir=in
2012-06-12 23:30:18: [gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel 192.168.0.137-><WAN IP> with spi=198507592(0xbd4fc48)
2012-06-12 23:30:18: [gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel <WAN IP>->192.168.0.137 with spi=1946521442(0x74058f62)


IKE Policy:
Direction / Type:                    Responder
Exchange Mode:                       Aggressive
Local Identifier Type:               Local WAN (Internet) IP
Local Identifier:                    <WAN IP>
Remote Identifier Type:              FQDN
Remote Identifier:                   <host.domain.tld>
IKE Encryption Algorithm:            AES-128
IKE Authentication Algorithm:        SHA-1
IKE Authentication Method:           Pre-Shared Key
IKE Pre-Shared Key:                  <PSK>
IKE Diffie-Hellman (DH) Group:       Group2 (1024 bit)
IKE SA-Lifetime:                     28800 Seconds
IKE Dead Peer Detection:             Checked
IKE Detection Period:                999
IKE Reconnect after Failure Count:   3
XAUTH Type:                          NONE


VPN Policy:
Policy Type:                         Auto Policy
Remote Endpoint:                     FQDN
                                     <host.domain.tld>
NETBIOS:                             Greyed/Unchecked
Local IP:                            Subnet
Local Start Address:                 10.0.0.0
Local Subnet Mask:                   255.255.255.0
Remote IP:                           Any
Split DNS:                           Unchecked
Auto Policy SA-Lifetime:             3600 Seconds
Auto Policy Encryption Algorithm:    AES-128
Auto Policy Integrity Algorithm:     SHA-1
PFS Key Group:                       Checked
                                     DH-Group2 (1024 bit)
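
Added example, not part of the original post: a short Python parser that tabulates, per peer, what the gateway logs above say was negotiated in phase 2 (traffic selectors and the SPI of each direction) and reports whether the remote selector overlaps the local subnet or differs from the peer's outer address. The function and field names are illustrative; the log lines are copied from the post with timestamps trimmed, and the script only summarizes the logs, it does not diagnose the fault.

```python
import ipaddress
import re

# Lines copied from the gateway logs in the post (timestamps trimmed).
SAMPLE_LOG = """\
[gateway][IKE] INFO: Received request for new phase 1 negotiation: <WAN IP>[500]<=>192.168.0.113[500]
[gateway][IKE] INFO: Re-using previously generated policy: 192.168.0.113/32[0] 10.0.0.0/24[0] proto=any dir=in
[gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel 192.168.0.113-><WAN IP> with spi=240351098(0xe53777a)
[gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel <WAN IP>->192.168.0.113 with spi=2475748592(0x9390ecf0)
[gateway][IKE] INFO: Received request for new phase 1 negotiation: <WAN IP>[500]<=>192.168.0.137[500]
[gateway][IKE] INFO: No policy found, generating the policy : 10.0.0.200/32[0] 10.0.0.0/24[0] proto=any dir=in
[gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel 192.168.0.137-><WAN IP> with spi=198507592(0xbd4fc48)
[gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel <WAN IP>->192.168.0.137 with spi=1946521442(0x74058f62)
"""

PHASE1 = re.compile(r"phase 1 negotiation: .*<=>(\d+\.\d+\.\d+\.\d+)\[\d+\]")
POLICY = re.compile(r"policy\s*: (\S+?)\[\d+\] (\S+?)\[\d+\]")
SA = re.compile(r"IPsec-SA established: ESP/Tunnel (.+?)->(.+?) with spi=(\d+)\(")


def summarize(log_text):
    """Return {peer_ip: negotiated phase 2 details} from racoon-style IKE log lines."""
    peers, peer = {}, None
    for line in log_text.splitlines():
        if m := PHASE1.search(line):
            # A new phase 1 request names the peer; later lines belong to it.
            peer = m.group(1)
            peers[peer] = {"spi": {}}
        elif peer and (m := POLICY.search(line)):
            # Policy lines list the remote selector first, then the local one.
            remote, local = (ipaddress.ip_network(g) for g in m.group(1, 2))
            peers[peer].update(
                remote=str(remote),
                local=str(local),
                overlap=remote.overlaps(local),
                selector_is_peer=ipaddress.ip_address(peer) in remote,
            )
        elif peer and (m := SA.search(line)):
            # Source == peer means the SA carries traffic into the gateway.
            direction = "in" if m.group(1) == peer else "out"
            peers[peer]["spi"][direction] = int(m.group(3))
    return peers


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```
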
