RV042 v03 - Safari and VPN/IPSecuritas issues

slightly99
Level 1

Hi all

I have a new RV042 v03 with 4.0.0.07 firmware. It's the gateway router at a client with a static IP address. I'm trying to configure a VPN tunnel so that they can access office resources from "road-warrior"-type situations (laptop at home or elsewhere). I have two problems:

1) (less important) I cannot log into the router's interface from Safari 5.0.x. After logging in to the router, I'm kicked back out to the login prompt. It seems to work fine from Firefox 4.

2) This is the real issue - I cannot get a VPN GroupVPN (or Client to Gateway, for that matter) connection working with IPSecuritas on the Mac. At all.

On the client side, I get the following errors:

IKE - Foreground mode.

IKE - none message must be encrypted. (repeated several times)

Here are the VPN messages from the router (shortened to remove duplicate messages). (The connecting IP address is dynamic, so I haven't obscured it.) From the remote side, I'm going through an Apple Airport Extreme, which should passthrough IPSec traffic just fine.

VPN Log packet from 74.66.69.139:500: received Vendor ID payload [Dead Peer Detection]]

VPN Log packet from 74.66.69.139:500: [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: Peer ID is ID_FQDN: '@bgs_remote'

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: responding to Aggressive Mode, state #70, connection 'grpips0' from 74.66.69.139

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: [Tunnel Negotiation Info] >>> Responder Send Aggressive Mode 2nd packet

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: packet rejected: should have been encrypted

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification INVALID_FLAGS to 74.66.69.139:500

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification PAYLOAD_MALFORMED to 74.66.69.139:500

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: packet rejected: should have been encrypted

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification INVALID_FLAGS to 74.66.69.139:500

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification PAYLOAD_MALFORMED to 74.66.69.139:500

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: packet rejected: should have been encrypted

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification INVALID_FLAGS to 74.66.69.139:500

Mar 28 12:16:47 2011 VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification PAYLOAD_MALFORMED to 74.66.69.139:500

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification PAYLOAD_MALFORMED to 74.66.69.139:500

VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: encrypted Informational Exchange message is invalid because no key is known

NOTE: I CAN successfully connect to this tunnel using VPN Tracker 6, but if I can get IPSecuritas working, I'd rather use that.

Here are the settings I'm using.

Router VPN (this is in dual-WAN mode, but only has one active WAN connection at WAN1):

GroupVPN

Interface: WAN1

Local group: Subnet

IP: 10.128.1.0

Mask: 255.255.255.0

Remote group: FQDN

Domain name: bgs_remote

IPSec:

IKE / Preshared key

Phase 1: Group 2 (1024) / 3DES / SHA1 / 28800 secs

PFS is ON

Phase 2: Group 2 (1024) / 3DES / SHA1 / 3600 secs

Preshared key is set.

Advanced: Aggressive mode, Keep-alive are ON.

IPSecuritas settings:

Remote device: x.x.x.x (correctly set to router static IP).

Local: Endpoint is host, IP address blank

Remote: Network, 10.128.1.0/24

Phase 1: Group 2 (1024) / 3DES / SHA1 / 28800 secs

Exchange: Aggressive, Proposal: Claim (have also tried Obey and Check)

Nonce size: 16

Phase 2: Group 2 (1024) / 3DES / SHA1 / 3600 secs

Local ID - FQDN: bgs_remote

Remote ID: Address

Preshared key is set and identical to that on router.

DNS - Not set.

Options - IPSec DOI, SIT_IDENTITY_ONLY, Initial Contact, Generate Policy, Support Proxy are ON

(I've also tried changing these options, without success so far).

Here are the VPN Tracker settings, which DO work:

VPNTracker settings:

Gateway: x.x.x.x (correct router address)

Network: Host to network

Local: blank

Remote networks: 10.128.1.0/24

Authentication: Pre-shared key (stored)

IDs:

Local: FQDN - bgs_remote

Remote: Don't verify

Phase 1:

Mode: Aggressive

Group 2 (1024) / 3DES / SHA1 / 28800 secs

Phase 2:

Group 2 (1024) / 3DES / SHA1 / 3600 secs

NAT-T: automatic

INITIAL-CONTACT is off ("On" also works.)

DPD-capable: ON / 20 seconds

Now, I've used an older Linksys-branded RV042 (with 1.3.12) and have successfully connected with IPSecuritas using GroupVPN.

But this version has me stumped.

Can anyone offer any help or suggestions? Will provide more info if required.

Many thanks!

Matt
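The router log in the post above shows a Phase 1 (IKEv1 Aggressive Mode) negotiation that never completes: the responder sends its second Aggressive Mode packet, then rejects everything that follows because the packet is not encrypted (INVALID_FLAGS) or is a Quick Mode message for an ISAKMP SA that does not exist yet (PAYLOAD_MALFORMED). The following is an added example, not code from the original post or from Cisco; it parses that "VPN Log" line format, groups messages per ISAKMP state number, and produces a verdict for each state, and it decodes the ISAKMP header fields (exchange type and the E flag) that these two rejections are about. The sample log is a constructed, trimmed copy of the lines quoted above; the regular expressions are derived from those lines only, and `responder_accepts` mirrors the two reject/notify pairs visible in the log rather than the router firmware's actual logic. It does not tell you which IPSecuritas setting is wrong; it only makes the log say precisely where the negotiation stalls.

```python
"""Triage an RV042-style 'VPN Log' for a stalled IKEv1 negotiation (added example)."""
import re
import struct
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the kind of lines the router's VPN Log shows.
SAMPLE_LOG = """\
VPN Log packet from 74.66.69.139:500: received Vendor ID payload [Dead Peer Detection]
VPN Log packet from 74.66.69.139:500: [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: Peer ID is ID_FQDN: '@bgs_remote'
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: responding to Aggressive Mode, state #70, connection 'grpips0' from 74.66.69.139
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: [Tunnel Negotiation Info] >>> Responder Send Aggressive Mode 2nd packet
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: packet rejected: should have been encrypted
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification INVALID_FLAGS to 74.66.69.139:500
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification PAYLOAD_MALFORMED to 74.66.69.139:500
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: packet rejected: should have been encrypted
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification INVALID_FLAGS to 74.66.69.139:500
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: encrypted Informational Exchange message is invalid because no key is known
"""

# "(conn)[n] local=== ...peer===? #sa: message"   (format taken from the posted log lines)
STATE_RE = re.compile(r"\((?P<conn>[^)]+)\)\[\d+\]\s+(?P<local>\S+)===\s*\.\.\.(?P<peer>[\d.]+)===\S*\s+#(?P<sa>\d+):\s+(?P<msg>.*)$")
# "packet from ip:port: message"   (lines logged before a state exists)
PEER_RE = re.compile(r"packet from (?P<peer>[\d.]+):(?P<port>\d+):\s+(?P<msg>.*)$")
NOTIFY_RE = re.compile(r"sending notification (?P<type>[A-Z_]+) to")
PEER_ID_RE = re.compile(r"Peer ID is (?P<idtype>\w+): '(?P<id>[^']*)'")
MODE_RE = re.compile(r"responding to\s+(?P<mode>Aggressive|Main) Mode")


@dataclass
class IsakmpSa:
    sa: str
    conn: str
    peer: str
    peer_id: str = ""
    mode: str = ""
    phase1_established: bool = False
    cleartext_rejects: int = 0      # "packet rejected: should have been encrypted"
    qm_before_sa: int = 0           # Quick Mode seen before the ISAKMP SA exists
    encrypted_no_key: int = 0       # encrypted message arrived but no keys were ever derived
    notifies_sent: Counter = field(default_factory=Counter)


def parse_vpn_log(text):
    """Group log lines per ISAKMP state (#nn) and tally what the responder did with them."""
    sas, vendor_ids = {}, []
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            if "Vendor ID payload" in m["msg"]:
                vendor_ids.append(m["msg"].split("[", 1)[1].rstrip("]"))
            continue
        m = STATE_RE.search(line)
        if not m:
            continue
        sa = sas.setdefault(m["sa"], IsakmpSa(m["sa"], m["conn"], m["peer"]))
        msg = m["msg"]
        if pid := PEER_ID_RE.search(msg):
            sa.peer_id = f"{pid['idtype']} {pid['id']}"
        elif mode := MODE_RE.search(msg):
            sa.mode = mode["mode"]
        elif "ISAKMP SA established" in msg:
            sa.phase1_established = True
        elif "should have been encrypted" in msg:
            sa.cleartext_rejects += 1
        elif "incomplete ISAKMP SA" in msg:
            sa.qm_before_sa += 1
        elif "no key is known" in msg:
            sa.encrypted_no_key += 1
        if n := NOTIFY_RE.search(msg):
            sa.notifies_sent[n["type"]] += 1
    return sas, vendor_ids


def diagnose(sa):
    """One-line verdict for a Phase 1 state, based only on what the responder logged."""
    if sa.phase1_established:
        return "Phase 1 completed"
    if sa.cleartext_rejects:
        return (f"Phase 1 stalled after {sa.mode} Mode packet 2: responder expected the peer's next "
                f"packet to be encrypted but got {sa.cleartext_rejects} cleartext packet(s) "
                f"(INVALID_FLAGS sent {sa.notifies_sent['INVALID_FLAGS']}x); {sa.qm_before_sa} Quick Mode "
                f"attempt(s) arrived before the ISAKMP SA existed; {sa.encrypted_no_key} encrypted "
                f"message(s) arrived with no key derived")
    return "Phase 1 incomplete, no cleartext rejects logged"


# ISAKMP header (RFC 2408 s3.1): i-cookie, r-cookie, next payload, version, exchange type, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "Main Mode", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
FLAG_ENCRYPT = 0x01  # E bit: payloads following the header are encrypted


def make_header(exchange, flags, msgid=0, body_len=0):
    """Build a header-only ISAKMP message with fixed dummy cookies (for illustration)."""
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, 0, 0x10, exchange, flags, msgid, ISAKMP_HDR.size + body_len)


def describe_isakmp_header(pkt):
    _icky, _rcky, _nextp, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(pkt)
    return {"exchange": EXCHANGE.get(exch, str(exch)), "encrypted": bool(flags & FLAG_ENCRYPT),
            "msgid": msgid, "length": length, "version": f"{ver >> 4}.{ver & 0xF}"}


def responder_accepts(pkt, phase1_complete, expect_encrypted):
    """Mirror the two reject/notify pairs the log shows (not the firmware's real code)."""
    h = describe_isakmp_header(pkt)
    if expect_encrypted and not h["encrypted"]:
        return "INVALID_FLAGS"          # "packet rejected: should have been encrypted"
    if h["exchange"] == "Quick Mode" and not phase1_complete:
        return "PAYLOAD_MALFORMED"      # "Quick Mode message ... for an incomplete ISAKMP SA"
    return "OK"


if __name__ == "__main__":
    sas, vids = parse_vpn_log(SAMPLE_LOG)
    print("vendor IDs seen:", vids)
    for sa in sas.values():
        print(f"#{sa.sa} {sa.conn} peer={sa.peer} id={sa.peer_id!r}: {diagnose(sa)}")
```

Run it against a saved copy of the router's VPN Log instead of the sample to get one verdict per ISAKMP state; a state whose verdict is "Phase 1 completed" but which still never carries traffic points at Phase 2, while the pattern above (cleartext after Aggressive Mode packet 2, Quick Mode before any SA) is purely a Phase 1 problem on the initiator side and no amount of Phase 2 tuning will change it.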
