Community Member
Time                | Severity    | Facility  | Message
2013-07-30 11:37:04 | Information | IPsec VPN | msg=Could not change to directory '/etc/ipsec.d/crls';
2013-07-30 11:37:04 | Information | IPsec VPN | msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
2013-07-30 11:37:04 | Information | IPsec VPN | msg=Could not change to directory '/etc/ipsec.d/aacerts': /;
2013-07-30 11:37:04 | Information | IPsec VPN | msg=  error in X.509 certificate default.pem;
2013-07-30 11:37:04 | Information | IPsec VPN | msg=  loaded CA cert file 'default.pem' (2745 bytes);
2013-07-30 11:37:04 | Information | IPsec VPN | msg=  loaded CA cert file 'default_crt.pem' (1070 bytes);
2013-07-30 11:37:04 | Information | IPsec VPN | msg=  error in X.509 certificate default_key.pem;
2013-07-30 11:37:04 | Information | IPsec VPN | msg=  loaded CA cert file 'default_key.pem' (1675 bytes);
2013-07-30 11:37:04 | Information | IPsec VPN | msg=Changed path to directory '/mnt/shiner/certificate';
2013-07-30 11:37:04 | Information | IPsec VPN | msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
2013-07-30 11:37:04 | Information | IPsec VPN | msg=  loaded CA cert file 'default.pem' (2745 bytes);
2013-07-30 11:37:04 | Information | IPsec VPN | msg=  loaded CA cert file 'default_crt.pem' (1070 bytes);
2013-07-30 11:37:04 | Information | IPsec VPN | msg=  error in X.509 certificate default_key.pem;
2013-07-30 11:37:04 | Information | IPsec VPN | msg=  loaded CA cert file 'default_key.pem' (1675 bytes);
2013-07-30 11:37:04 | Information | IPsec VPN | msg=Changed path to directory '/mnt/shiner/certificate';
2013-07-30 11:37:04 | Information | IPsec VPN | msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
2013-07-30 11:37:04 | Information | IPsec VPN | msg=loading secrets from "/etc/ipsec.secrets";
2013-07-30 11:37:04 | Information | IPsec VPN | msg=forgetting secrets;
2013-07-30 11:37:04 | Information | IPsec VPN | msg=added connection description "Tunnel0";
2013-07-30 11:37:02 | Information | IPsec VPN | msg="Alabang" #117: deleting state (STATE_MAIN_R1);
2013-07-30 11:37:02 | Information | IPsec VPN | msg="Alabang": deleting connection;
2013-07-30 11:36:55 | Warning     | IPsec VPN | msg="Alabang" #117: STATE_MAIN_R1: sent MR1, expecting MI2;
2013-07-30 11:36:55 | Error       | IPsec VPN | msg=ERROR: "Alabang" #117: sendto on ppp0 to 112.209.172.XXX:500 failed in STATE_MAIN_R0. Errno 101: Network is unreachable;
2013-07-30 11:36:55 | Information | IPsec VPN | msg="Alabang" #117: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1;
2013-07-30 11:36:55 | Information | IPsec VPN | msg="Alabang" #117: responding to Main Mode;
2013-07-30 11:36:55 | Warning     | IPsec VPN | msg=packet from 112.209.172.XXX:500: received Vendor ID payload [Dead Peer Detection];
2013-07-30 11:36:46 | Information | IPsec VPN | msg=Could not change to directory '/etc/ipsec.d/crls';
2013-07-30 11:36:46 | Information | IPsec VPN | msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;

==============================================================

Site 1 = Cisco ISA 500. Named as CHI

Site 2 = Cisco RV042. Named as Alabang

Shown above are the logs from my ISA 570 IPSec VPN. I have set the same settings for my IKE Policies and my Transform Sets. Attached are the screenshots of the VPN Settings of my 2 systems. It does show in the table above that the 112.209.172.XXX is unreachable, but please look at screen6.bmp and see that I can very well ping the RV042 system. Please feel free to ask me for more info about my setup.

On a side note, take a look at Screen5.bmp. This screenie shows that I have an existing WORKING VPN connection to another site with a Linksys RV042, named as Villa. So as you can also see in the screenshot, it has a VPN setup for CHI but it can not connect. Hence my problem above. The VPN setting for Villa is the same as CHI (PFS, IKE, Transforms, PFS).
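The log above shows the ISA, as Main Mode responder, receiving the peer's first message and then failing to send its reply out ppp0 with errno 101 (Network is unreachable), while still logging "sent MR1". The script below is an added example, not part of the original post or of any Cisco tool: it parses entries in the pasted format (assumed here to be exported one entry per line with pipe-separated fields), groups IKE events per SA, and separates a send-path failure on the egress interface from an SA that simply stalls waiting for the peer.

```python
import re
from collections import defaultdict
# Constructed sample: the OP's ISA500 entries for SA #117, one per line, oldest first
# (timestamp | severity | facility | msg); the peer IP is masked exactly as in the post.
SAMPLE_LOG = """\
2013-07-30 11:36:55 | Warning | IPsec VPN | msg=packet from 112.209.172.XXX:500: received Vendor ID payload [Dead Peer Detection];
2013-07-30 11:36:55 | Information | IPsec VPN | msg="Alabang" #117: responding to Main Mode;
2013-07-30 11:36:55 | Information | IPsec VPN | msg="Alabang" #117: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1;
2013-07-30 11:36:55 | Error | IPsec VPN | msg=ERROR: "Alabang" #117: sendto on ppp0 to 112.209.172.XXX:500 failed in STATE_MAIN_R0. Errno 101: Network is unreachable;
2013-07-30 11:36:55 | Warning | IPsec VPN | msg="Alabang" #117: STATE_MAIN_R1: sent MR1, expecting MI2;
2013-07-30 11:37:02 | Information | IPsec VPN | msg="Alabang" #117: deleting state (STATE_MAIN_R1);
"""

ENTRY_RE = re.compile(r"^\S+ \S+ \| \w+ \| [^|]+ \| msg=(.*?);?$")
SA_RE = re.compile(r'"([^"]+)" #(\d+): (.*)')  # "connection" #sa-number: text
TRANS_RE = re.compile(r"transition from state (\S+) to state (\S+)")
SENDTO_RE = re.compile(r"sendto on (\S+) to (\S+) failed in (\S+)\. Errno (\d+)")

def ike_timeline(text):
    """Group pluto-style IKE events by (connection, SA); lines without an SA tag are skipped."""
    sas = defaultdict(lambda: {"states": [], "send_failures": [], "deleted": False})
    for line in text.splitlines():
        e = ENTRY_RE.match(line)
        m = SA_RE.search(e.group(1)) if e else None
        if not m:
            continue
        sa, body = sas[(m.group(1), int(m.group(2)))], m.group(3)
        if t := TRANS_RE.search(body):
            sa["states"] += [s for s in t.groups() if s not in sa["states"]]
        if s := SENDTO_RE.search(body):
            iface, peer, state, errno = s.groups()
            sa["send_failures"].append((iface, peer, state, int(errno)))
        if body.startswith("deleting state"):
            sa["deleted"] = True
    return dict(sas)

def diagnose(text):
    """Errno 101 (ENETUNREACH) on sendto means the IKE reply never left the box: check
    the route/PBR toward the peer on that interface before touching IKE proposals."""
    verdicts = {}
    for key, sa in ike_timeline(text).items():
        unreachable = [f for f in sa["send_failures"] if f[3] == 101]
        if unreachable:
            iface, peer, state, _ = unreachable[0]
            verdicts[key] = ("egress-routing", f"no route to {peer} via {iface} in {state}")
        else:
            last = sa["states"][-1] if sa["states"] else "unknown"
            verdicts[key] = ("stalled" if sa["deleted"] else "in-progress", f"last state {last}")
    return verdicts
```

Run over the sample it reports the Alabang SA as an egress-routing problem on ppp0; an SA that is torn down without any sendto error is reported as stalled, which is where proposal, ID or interesting-traffic mismatches would be looked for instead.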

11 REPLIES

IPSec VPN b/w ISA500 and RV042

Dan,

In the ISA, do you have any kind of routing, PBR or otherwise, telling it to route traffic source 192.168.100.0 to destination 192.168.101.0 via WAN2?

Another question.  I noticed that your ISA is configured for Dynamic IP yet your RV042 has 2 VPNs.  This leads me to assume that your RV042 does have a dynamic IP and is trying to establish VPNs to multiple locations.  Is this accurate?

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Community Member

IPSec VPN b/w ISA500 and RV042

Yes I do have PBR but it is having dedicated users for the WAN2. I chose select computers that have privileges to use WAN2. But as for your question "route traffic source 192.168.100.0 to destination 192.168.101.0 via WAN2", I do not have such PBR in my box. But I do have one entry in PBR which is system-generated. The Linksys RV042 you will see there is not the one in concern in my above post, but it is a RV042 for testing with IP of 172.16.0.XXX and it is the box named as Villa. Attached is the screenshot.

My RV042 has a dynamic IP and is trying to establish VPNs to multiple locations for testing purposes. Once I can get that CHI VPN working, the Villa VPN will be put down. It was just a proof of concept to know that it worked on one installation where RV042 <--> RV042 VPN was established.

IPSec VPN b/w ISA500 and RV042

How is your Dual WAN setup (Weighted, Real-Time, Failover, or Routing Table)? Under Dual WAN Settings, is PBR On or Off?

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Community Member

IPSec VPN b/w ISA500 and RV042

I am using Routing Table and PBR is on. I am using WAN2 in submitting this reply via the PBR.

IPSec VPN b/w ISA500 and RV042

I'm assuming the Mike Laptop and Dan Laptop are the 2 devices you want to allow through WAN2 and all other devices on the Default you want going through WAN1.  I'm also assuming the last line in your screenshot of the PBR config is the system-generated one you were referring to.  Please let me know if any of this is incorrect.

Based on those assumptions, have you tried removing the Mike and Dan Laptop PBR entries to see if the VPN works at that point?  Just trying to narrow down the root of the challenge, not suggesting that the config should have to stay that way.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Community Member

IPSec VPN b/w ISA500 and RV042

1st assumption about the laptops is correct, they will be using WAN2. The 2nd assumption of PBR config is correct, it is system generated when I let the IPSec VPN use WAN2 as the interface.

So you are suggesting that I go trial-and-error to solve my problem? I can do that. But I do prefer more definite answers to my problem. I told purchasing department to purchase a second ISA500 box and place it in Alabang location. So now it will be ISA500 <--> ISA500 VPN Interface. If this one works, then you guys definitely have some work to do with VPN inter-operability between your devices.

Re: IPSec VPN b/w ISA500 and RV042

Dan,
Since I'm not a Cisco employee, don't have access to spare ISAs and RVs to setup a lab and test, don't have a setup similar enough to yours to test with, don't have access to your devices, and wouldn't have other than UI access if I did, doing a little trial and error is all I have to work with to assist you.
That said, it's not random trial and error. From what I'm able to see via your screenshots and explanations, all of your config looks correct. So if everything for Phase 1 & 2 is accurate, then it should work unless there is an interesting traffic mismatch.
Usually this is pretty straightforward and simple to troubleshoot and confirm. However when you add in additional challenges that come with Multi-WAN support, terminating the VPN on the secondary WAN interface, and PBR, there is a lot of room for possible mistakes as the config is becoming fairly complex.
So my thought was to remove what I perceived to be the least impacting piece of complexity, which is the custom PBR that is sending those 2 laptops out WAN 2 instead of WAN 1, so that the only non-typical configuration was the VPN terminating on WAN 2.
Right now I'm assuming the issue isn't the possibility of the ISA and RV042 being incapable of establishing a VPN. I'm assuming it is either an issue with VPN termination on WAN 2 (which I don't believe is an issue) or something not quite right with PBR and VPN interesting traffic.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
Cisco Employee

Re: IPSec VPN b/w ISA500 and RV042

Hi Dan,

Can you gather a packet capture out WAN2  surrounding a connection attempt so we can see the VPN packets coming in/out that WAN interface?  The log snippet you pasted has an error:  '12.209.172.XXX:500 failed' due to 'Network is unreachable'.  I want to take a look at the packets going back and forth.

Thanks,

Brandon

Gold

Re: IPSec VPN b/w ISA500 and RV042

Dan,

Normally this type of issue is caused by a configuration mismatch. The fastest way to find it is to get another set of eyes on it. You can give us more screenshots so we can review all of the VPN settings on each router (remove sensitive details) or call support and have an engineer take a look. This should work without issue if properly configured.

- Marty

Cisco Employee

Re: IPSec VPN b/w ISA500 and RV042

Hi Dan,

Were you able to gather the packet captures out WAN2?  We want to see the communication between the ISA and the RV042.

Thanks,

Brandon

Community Member

Re: IPSec VPN b/w ISA500 and RV042

Hi community, I decided to ditch this setup as of the moment. I told my team to get a Cisco ISA500 <--> Cisco ISA500 working. It worked seamlessly with the default configs in place.

@mpyhala,

Back to topic, I did post a portion of my configs. In my RV042 you can see that I "mimic" the default settings of my Cisco ISA500 Phase 1 and Phase 2.

For now, the testing will stop for the RV042 and Cisco ISA500. As a pre-sales engineer, I just wanted to demonstrate the Proof-of-Concept to get this working.

I will revive this thread, or make a new thread with more information if this problem will resurface.
