Setting up RVS4000 VPN tunnel with server behind NAT firewall

A few years ago we set up an IPSec VPN tunnel from our office to a remote site with a Juniper firewall on the office side and the Cisco RVS4000 on the remote side. This tunnel worked perfectly until we recently changed internet providers at the office, and now the topology is a little more complex:

DFC_VPN_Topology.jpg

Office

Juniper Firewall

    - WAN IP (behind NAT): 10.10.10.10
    - LAN subnet: 192.168.3.0

ISP

NAT Firewall

    - Public IP: 66.220.20.10 (through NAT this effectively becomes the IP of the Juniper)

Remote Site

Cisco RVS4000

    - Public IP: 66.119.182.211
    - LAN subnet: 192.168.1.0

With this configuration, it's possible to establish a VPN tunnel from a device on the Cisco router (e.g. IP Securitas running on a MacBook), but it is not possible to establish the tunnel within the router, which is the configuration we had before and need to be working.

Judging by the logs, it appears as if the Juniper firewall is sending back its private IP as the peer ID when attempting to establish Phase 1. Logs are below. With this configuration, is there something extra that needs to be done on the RVS4000 to get this to work? Or do I have to ask the ISP to do something different? Any advice would be much appreciated.

Logs from the RVS4000 upon attempting to initiate a VPN tunnel:

Aug 28 11:41:09 - [VPN Log]: forgetting secrets

Aug 28 11:41:09 - [VPN Log]: "vpn": deleting connection

Aug 28 11:41:09 - [VPN Log]: "vpn" #1: deleting state (STATE_AGGR_I1)

Aug 28 11:41:09 - [VPN Log]: ERROR: "vpn": pfkey write() of SADB_X_DELFLOW message 6 for flow int.0@0.0.0.0 failed. Errno 14: Bad address

Aug 28 11:41:09 - [VPN Log]: | 02 0f 00 0b 0e 00 00 00 06 00 00 00 c8 0f 00 00

Aug 28 11:41:09 - [VPN Log]: | 03 00 15 00 00 00 00 00 02 00 00 00 c0 a8 01 00

Aug 28 11:41:09 - [VPN Log]: | 00 00 00 00 84 0b 00 40 03 00 16 00 00 00 00 00

Aug 28 11:41:09 - [VPN Log]: | 02 00 00 00 c0 a8 03 00 b0 25 01 00 25 00 00 00

Aug 28 11:41:09 - [VPN Log]: | 03 00 17 00 00 00 00 00 02 00 00 00 ff ff ff 00

Aug 28 11:41:09 - [VPN Log]: | 31 73 3b 20 6c 61 73 74 03 00 18 00 00 00 00 00

Aug 28 11:41:09 - [VPN Log]: | 02 00 00 00 ff ff ff 00 31 2c 20 65 00 00 00 00

Aug 28 11:41:10 - [VPN Log]: "vpn": unroute-client output: 0

Aug 28 11:41:10 - [VPN Log]: shutting down interface ipsec0/eth1 66.119.182.211:4500

Aug 28 11:41:10 - [VPN Log]: shutting down interface ipsec0/eth1 66.119.182.211:500

Aug 28 11:41:13 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)

Aug 28 11:41:13 - [VPN Log]: @(#) built on May 23 2012:16:42:37:

Aug 28 11:41:13 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on

Aug 28 11:41:13 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1

Aug 28 11:41:13 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)

Aug 28 11:41:13 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)

Aug 28 11:41:13 - [VPN Log]: starting up 1 cryptographic helpers

Aug 28 11:41:13 - [VPN Log]: started helper pid=4525 (fd:5)

Aug 28 11:41:13 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star

Aug 28 11:41:13 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'

Aug 28 11:41:13 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'

Aug 28 11:41:13 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'

Aug 28 11:41:13 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'

Aug 28 11:41:13 - [VPN Log]: Warning: empty directory

Aug 28 11:41:13 - [VPN Log]: added connection description "vpn"

Aug 28 11:41:13 - [VPN Log]: listening for IKE messages

Aug 28 11:41:13 - [VPN Log]: adding interface ipsec0/eth1 66.119.182.211:500

Aug 28 11:41:13 - [VPN Log]: adding interface ipsec0/eth1 66.119.182.211:4500

Aug 28 11:41:13 - [VPN Log]: loading secrets from "/etc/ipsec.secrets"

Aug 28 11:41:14 - [VPN Log]: "vpn": route-client output: 0

Aug 28 11:41:14 - [VPN Log]: "vpn" #1: initiating Aggressive Mode #1, connection "vpn"

Aug 28 11:41:14 - [VPN Log]: "vpn" #1: ignoring unknown Vendor ID payload [40b62183529c03a4d308843f664856b26d15e8db0000001600000614]

Aug 28 11:41:14 - [VPN Log]: "vpn" #1: received Vendor ID payload [Dead Peer Detection]

Aug 28 11:41:14 - [VPN Log]: "vpn" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]

Aug 28 11:41:14 - [VPN Log]: "vpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

Aug 28 11:41:14 - [VPN Log]: "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '10.10.10.10'

Aug 28 11:41:14 - [VPN Log]: "vpn" #1: no suitable connection for peer '10.10.10.10'

Aug 28 11:41:14 - [VPN Log]: "vpn" #1: initial Aggressive Mode packet claiming to be from 66.220.20.10 on 66.220.20.10 but no connection has been authorized

Aug 28 11:41:14 - [VPN Log]: "vpn" #1: sending notification INVALID_ID_INFORMATION to 66.220.20.10:500

Aug 28 11:41:18 - [VPN Log]: "vpn" #1: ignoring unknown Vendor ID payload [40b62183529c03a4d308843f664856b26d15e8db0000001600000614]

Aug 28 11:41:18 - [VPN Log]: "vpn" #1: received Vendor ID payload [Dead Peer Detection]

Aug 28 11:41:18 - [VPN Log]: "vpn" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]

Aug 28 11:41:18 - [VPN Log]: "vpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

Aug 28 11:41:18 - [VPN Log]: "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '10.10.10.10'

Aug 28 11:41:18 - [VPN Log]: "vpn" #1: no suitable connection for peer '10.10.10.10'

Aug 28 11:41:18 - [VPN Log]: "vpn" #1: initial Aggressive Mode packet claiming to be from 66.220.20.10 on 66.220.20.10 but no connection has been authorized

Aug 28 11:41:18 - [VPN Log]: "vpn" #1: sending notification INVALID_ID_INFORMATION to 66.220.20.10:500

Aug 28 11:41:22 - [VPN Log]: "vpn" #1: ignoring unknown Vendor ID payload [40b62183529c03a4d308843f664856b26d15e8db0000001600000614]

Aug 28 11:41:22 - [VPN Log]: "vpn" #1: received Vendor ID payload [Dead Peer Detection]

Aug 28 11:41:22 - [VPN Log]: "vpn" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]

Aug 28 11:41:22 - [VPN Log]: "vpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

Aug 28 11:41:22 - [VPN Log]: "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '10.10.10.10'

Aug 28 11:41:22 - [VPN Log]: "vpn" #1: no suitable connection for peer '10.10.10.10'

Aug 28 11:41:22 - [VPN Log]: "vpn" #1: initial Aggressive Mode packet claiming to be from 66.220.20.10 on 66.220.20.10 but no connection has been authorized

Aug 28 11:41:22 - [VPN Log]: "vpn" #1: sending notification INVALID_ID_INFORMATION to 66.220.20.10:500

Aug 28 11:41:26 - [VPN Log]: "vpn" #1: ignoring unknown Vendor ID payload [40b62183529c03a4d308843f664856b26d15e8db0000001600000614]

Aug 28 11:41:26 - [VPN Log]: "vpn" #1: received Vendor ID payload [Dead Peer Detection]

Aug 28 11:41:26 - [VPN Log]: "vpn" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]

Aug 28 11:41:26 - [VPN Log]: "vpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

Aug 28 11:41:26 - [VPN Log]: "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '10.10.10.10'

Aug 28 11:41:26 - [VPN Log]: "vpn" #1: no suitable connection for peer '10.10.10.10'

Aug 28 11:41:26 - [VPN Log]: "vpn" #1: initial Aggressive Mode packet claiming to be from 66.220.20.10 on 66.220.20.10 but no connection has been authorized

Aug 28 11:41:26 - [VPN Log]: "vpn" #1: sending notification INVALID_ID_INFORMATION to 66.220.20.10:500

Aug 28 11:41:30 - [VPN Log]: "vpn" #1: ignoring unknown Vendor ID payload [40b62183529c03a4d308843f664856b26d15e8db0000001600000614]

Aug 28 11:41:30 - [VPN Log]: "vpn" #1: received Vendor ID payload [Dead Peer Detection]

Aug 28 11:41:30 - [VPN Log]: "vpn" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]

Aug 28 11:41:30 - [VPN Log]: "vpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

Aug 28 11:41:30 - [VPN Log]: "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '10.10.10.10'

Aug 28 11:41:30 - [VPN Log]: "vpn" #1: no suitable connection for peer '10.10.10.10'

Aug 28 11:41:30 - [VPN Log]: "vpn" #1: initial Aggressive Mode packet claiming to be from 66.220.20.10 on 66.220.20.10 but no connection has been authorized

Aug 28 11:41:30 - [VPN Log]: "vpn" #1: sending notification INVALID_ID_INFORMATION to 66.220.20.10:500
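The failure in the log above is visible in four lines per attempt: the peer's ID payload ("Aggressive mode peer ID is ID_IPV4_ADDR: '10.10.10.10'"), "no suitable connection for peer", the "claiming to be from 66.220.20.10" line (the address the IKE packet actually arrived from), and the INVALID_ID_INFORMATION notification sent back. The following Python, added here as an example and not code from the post or from Cisco, pulls those out of Pluto-style log lines, compares the identity the peer asserts with the source address, and flags the "RFC 1918 ID arriving from a public address" pattern that means the peer sits behind NAT. The sample lines are constructed to mirror the post's log (addresses taken from it); the healthy counterpart is also constructed.

```python
"""Triage Openswan/Pluto IKE logs for a Phase 1 peer-ID mismatch.

Added example, not code from the post or from Cisco. Sample log lines are
constructed to mirror the RVS4000 log in the post.
"""
import ipaddress
import re

# "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '10.10.10.10'
PEER_ID_RE = re.compile(
    r"#(?P<state>\d+): Aggressive mode peer ID is (?P<idtype>ID_\w+): "
    r"'(?P<peer_id>[^']+)'"
)
# ... initial Aggressive Mode packet claiming to be from A on B but no connection has been authorized
CLAIM_RE = re.compile(
    r"claiming to be from (?P<src>[\d.]+) on (?P<dst>[\d.]+) "
    r"but no connection has been authorized"
)
# ... sending notification INVALID_ID_INFORMATION to A:500
NOTIFY_RE = re.compile(r"sending notification (?P<notify>\w+) to (?P<to>[\d.]+):\d+")


def diagnose_phase1(lines):
    """Summarise the most recent Phase 1 attempt seen by the responder.

    Returns a dict with peer_id, id_type, source_ip, id_mismatch,
    peer_id_private, rejections (INVALID_ID_INFORMATION count) and verdict.
    """
    peer = None        # (id type, identity) from the latest ID payload
    source = None      # address the rejected IKE packet really came from
    rejections = 0
    for line in lines:
        m = PEER_ID_RE.search(line)
        if m:
            peer = (m["idtype"], m["peer_id"])
            continue
        m = CLAIM_RE.search(line)
        if m:
            source = m["src"]
            continue
        m = NOTIFY_RE.search(line)
        if m and m["notify"] == "INVALID_ID_INFORMATION":
            rejections += 1

    result = {"peer_id": None, "id_type": None, "source_ip": source,
              "id_mismatch": False, "peer_id_private": False,
              "rejections": rejections, "verdict": "no Phase 1 peer ID payload in log"}
    if peer is None:
        return result

    id_type, peer_id = peer
    private = id_type == "ID_IPV4_ADDR" and ipaddress.ip_address(peer_id).is_private
    mismatch = source is not None and peer_id != source

    if mismatch and private:
        verdict = (f"peer is behind NAT: it identifies as {peer_id} (RFC 1918) but its "
                   f"packets arrive from {source}; no conn matches that ID, so configure "
                   f"the expected remote ID as {peer_id} or have the peer send a public ID")
    elif mismatch:
        verdict = f"peer ID {peer_id} does not match packet source {source}"
    elif rejections:
        verdict = f"ID {peer_id} matches the source but was still rejected; check the conn"
    else:
        verdict = "Phase 1 identity accepted"

    result.update(peer_id=peer_id, id_type=id_type, id_mismatch=mismatch,
                  peer_id_private=private, verdict=verdict)
    return result


# Constructed sample mirroring the post's log (two of the retransmits shown).
FAILING_LOG = """\
Aug 28 11:41:13 - [VPN Log]: adding interface ipsec0/eth1 66.119.182.211:500
Aug 28 11:41:14 - [VPN Log]: "vpn" #1: initiating Aggressive Mode #1, connection "vpn"
Aug 28 11:41:14 - [VPN Log]: "vpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 28 11:41:14 - [VPN Log]: "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '10.10.10.10'
Aug 28 11:41:14 - [VPN Log]: "vpn" #1: no suitable connection for peer '10.10.10.10'
Aug 28 11:41:14 - [VPN Log]: "vpn" #1: initial Aggressive Mode packet claiming to be from 66.220.20.10 on 66.220.20.10 but no connection has been authorized
Aug 28 11:41:14 - [VPN Log]: "vpn" #1: sending notification INVALID_ID_INFORMATION to 66.220.20.10:500
Aug 28 11:41:18 - [VPN Log]: "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '10.10.10.10'
Aug 28 11:41:18 - [VPN Log]: "vpn" #1: no suitable connection for peer '10.10.10.10'
Aug 28 11:41:18 - [VPN Log]: "vpn" #1: initial Aggressive Mode packet claiming to be from 66.220.20.10 on 66.220.20.10 but no connection has been authorized
Aug 28 11:41:18 - [VPN Log]: "vpn" #1: sending notification INVALID_ID_INFORMATION to 66.220.20.10:500
""".splitlines()

# Constructed healthy counterpart: the peer identifies by the address it sends from.
HEALTHY_LOG = """\
Aug 28 11:41:14 - [VPN Log]: "vpn" #1: initiating Aggressive Mode #1, connection "vpn"
Aug 28 11:41:14 - [VPN Log]: "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '66.220.20.10'
Aug 28 11:41:14 - [VPN Log]: "vpn" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
""".splitlines()

if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        print(name, "->", diagnose_phase1(log)["verdict"])
```

Two practitioner notes on reading the result. First, an ID of 10.10.10.10 arriving from 66.220.20.10 is not an attack signature by itself; it is exactly what any IKE peer behind a NAT produces when it is left to identify by its own interface address, and the responder is right to refuse an identity it has no connection for. Second, the fix is a configuration agreement, not a relaxation: either the responder is told to expect the private address as the remote ID, or the peer is configured to present an identity that survives NAT (its public address, an FQDN or a key ID); accepting any ID from any address would defeat the check.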

Setting up RVS4000 VPN tunnel with server behind NAT firewall

Dear Alex,

Thank you for reaching out to the Small Business Support Community.

I would first suggest that you uncheck the "Perfect Forward Secrecy" setting on the RVS4000 and, if there is a similar setting enabled on the other side, disable it there too. If the same thing still happens, then go to the RVS4000 VPN Advanced settings and disable "Aggressive Mode" so it becomes "Main Mode", and use the same on the other end of the tunnel.

Just in case, and as a VPN configuration guide, below is a document called "IPSec VPN setup", if it helps:

http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=587

Besides my suggestions, I would advise you to contact your ISP to make sure there are no IPSec traffic restrictions and/or whether there is something in particular they require to make this happen, and please do not hesitate to reach me back if there is any further assistance I may help you with.

Kind regards,

Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer

*Please rate the post so others will know when an answer has been found.

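For readers who want to see what the log is complaining about in configuration terms: the RVS4000's log shows it runs Openswan's Pluto, and Pluto matches the ID payload the peer sends against the connection's rightid, which defaults to the value of right. The fragment below is an added illustration in Openswan ipsec.conf syntax, not the post's configuration, not Cisco's, and not what the RVS4000 GUI exposes; the addresses, subnets and the connection name "vpn" are taken from the post, the pre-shared-key and the Juniper's settings are assumed.

```ini
# /etc/ipsec.conf on the remote site (66.119.182.211), Openswan syntax.
# Illustrative only; the RVS4000 presents these settings through its web GUI.

config setup
    nat_traversal=yes            # the log shows port-4500 floating already on

conn vpn
    left=66.119.182.211
    leftsubnet=192.168.1.0/24
    right=66.220.20.10           # where the Juniper's IKE packets arrive from (the ISP NAT)
    # With no rightid, Pluto expects the peer to identify itself as 66.220.20.10.
    # The Juniper identifies as ID_IPV4_ADDR 10.10.10.10 (its own WAN address), so
    # no conn matches: "no suitable connection for peer '10.10.10.10'" followed by
    # INVALID_ID_INFORMATION. Pin the identity the peer will actually present:
    rightid=10.10.10.10
    rightsubnet=192.168.3.0/24
    authby=secret                # PSK in /etc/ipsec.secrets (value assumed, not on the page)
    aggrmode=yes                 # the reply suggests trying aggrmode=no (Main Mode) ...
    pfs=yes                      # ... and pfs=no; whichever is chosen must match both ends
    auto=start
```

Two caveats. Disabling PFS, as the reply suggests for troubleshooting, removes the independent Phase 2 Diffie-Hellman exchange; it should be re-enabled on both ends once the tunnel is up, because a mismatch there fails Phase 2, not Phase 1, and the Phase 1 rejection in this log is an identity problem. And because the peer's vendor ID shows draft-ietf-ipsec-nat-t-ike-00, NAT traversal can be negotiated only if the ISP's NAT device forwards UDP 500 and UDP 4500 to the Juniper, which is the concrete thing to confirm with the ISP.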