02-06-2013 07:08 AM
Hello,
I'm trying to make the VPN connection between two routers CISCO RV180w.
I performed the basic configuration in cisco "server". I did the same in cisco "client".
The configuration and logs follow; I do not know what to do ...
Thank you!
SERVER CONFIGURATION:
IKE Policy Configuration:
VPN Policy Configuration:
CLIENT CONFIGURATION:
IKE Policy Configuration:
VPN Policy Configuration:
LOG VIEW:
Wed Feb 06 11:55:15 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Using IPsec SA configuration: 192.168.130.0/24<->192.168.137.0/24
Wed Feb 06 11:55:15 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Wed Feb 06 11:55:15 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Wed Feb 06 11:55:15 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Initiating new phase 1 negotiation: 187.106.37.XX[500]<=>177.XX.XXX.252[500]
Wed Feb 06 11:55:15 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Beginning Identity Protection mode.
Wed Feb 06 11:55:15 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_ident.c:185]: XXX: NUMNATTVENDORIDS: 3
Wed Feb 06 11:55:15 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_ident.c:189]: XXX: setting vendorid: 4
Wed Feb 06 11:55:15 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_ident.c:189]: XXX: setting vendorid: 8
Wed Feb 06 11:55:15 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_ident.c:189]: XXX: setting vendorid: 9
Wed Feb 06 11:55:46 2013 (GMT -0300): [CISCO-CMC] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP 177.XX.XXX.252->187.106.37.XX
Wed Feb 06 11:56:05 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Using IPsec SA configuration: 192.168.130.0/24<->192.168.137.0/24
Wed Feb 06 11:56:05 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Wed Feb 06 11:56:05 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Wed Feb 06 11:56:37 2013 (GMT -0300): [CISCO-CMC] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP 177.XX.XXX.252->187.106.37.XX
Wed Feb 06 11:56:56 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Using IPsec SA configuration: 192.168.130.0/24<->192.168.137.0/24
Wed Feb 06 11:56:56 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Wed Feb 06 11:56:56 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Wed Feb 06 11:57:05 2013 (GMT -0300): [CISCO-CMC] [IKE] ERROR: Phase 1 negotiation failed due to time up for 177.XX.XX.252[500]. 8087708d2f96f284:0000000000000000
Wed Feb 06 11:57:27 2013 (GMT -0300): [CISCO-CMC] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP 177.XX.XXX.252->187.106.37.XX
Wed Feb 06 11:57:34 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Using IPsec SA configuration: 192.168.130.0/24<->192.168.137.0/24
Wed Feb 06 11:57:34 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Wed Feb 06 11:57:34 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Wed Feb 06 11:57:34 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Initiating new phase 1 negotiation: 187.106.37.XX[500]<=>177.XX.XXX.252[500]
Wed Feb 06 11:57:34 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Beginning Identity Protection mode.
Wed Feb 06 11:57:34 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_ident.c:185]: XXX: NUMNATTVENDORIDS: 3
Wed Feb 06 11:57:34 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_ident.c:189]: XXX: setting vendorid: 4
Wed Feb 06 11:57:34 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_ident.c:189]: XXX: setting vendorid: 8
Wed Feb 06 11:57:34 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_ident.c:189]: XXX: setting vendorid: 9
02-06-2013 10:19 PM
I reconfigured some settings on both routers, especially encryption and authentication.
I left both (client and gateway) as AES-192 and SHA-1.
The log has not changed much:
Thu Feb 07 03:09:07 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Using IPsec SA configuration: 192.168.130.0/24<->192.168.137.0/24
Thu Feb 07 03:09:07 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Thu Feb 07 03:09:07 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Thu Feb 07 03:09:07 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Initiating new phase 1 negotiation: 187.106.37.XX[500]<=>177.XX.XXX.252[500]
Thu Feb 07 03:09:07 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Beginning Aggressive mode.
Thu Feb 07 03:09:07 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: NAT-Traversal is Enabled
Thu Feb 07 03:09:07 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_agg.c:257]: XXX: NUMNATTVENDORIDS: 3
Thu Feb 07 03:09:07 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_agg.c:261]: XXX: setting vendorid: 4
Thu Feb 07 03:09:07 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_agg.c:261]: XXX: setting vendorid: 8
Thu Feb 07 03:09:07 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_agg.c:261]: XXX: setting vendorid: 9
Thu Feb 07 03:09:38 2013 (GMT -0300): [CISCO-CMC] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP 177.XX.XXX.252->187.106.37.XX
Thu Feb 07 03:10:36 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Using IPsec SA configuration: 192.168.130.0/24<->192.168.137.0/24
Thu Feb 07 03:10:36 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Thu Feb 07 03:10:36 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Thu Feb 07 03:10:57 2013 (GMT -0300): [CISCO-CMC] [IKE] ERROR: Phase 1 negotiation failed due to time up for 177.XX.XXX.252[500]. 64a902cf8eb42732:0000000000000000
Thu Feb 07 03:11:08 2013 (GMT -0300): [CISCO-CMC] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP 177.XX.XXX.252->187.106.37.58
Thu Feb 07 03:12:53 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Using IPsec SA configuration: 192.168.130.0/24<->192.168.137.0/24
Thu Feb 07 03:12:53 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Thu Feb 07 03:12:53 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Configuration found for 177.XX.XXX.252.
Thu Feb 07 03:12:53 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Initiating new phase 1 negotiation: 187.106.37.XX[500]<=>177.XX.XXX.252[500]
Thu Feb 07 03:12:53 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: Beginning Aggressive mode.
Thu Feb 07 03:12:53 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: NAT-Traversal is Enabled
Thu Feb 07 03:12:53 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_agg.c:257]: XXX: NUMNATTVENDORIDS: 3
Thu Feb 07 03:12:53 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_agg.c:261]: XXX: setting vendorid: 4
Thu Feb 07 03:12:53 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_agg.c:261]: XXX: setting vendorid: 8
Thu Feb 07 03:12:53 2013 (GMT -0300): [CISCO-CMC] [IKE] INFO: [isakmp_agg.c:261]: XXX: setting vendorid: 9
Thu Feb 07 03:13:25 2013 (GMT -0300): [CISCO-CMC] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1. ESP 177.XX.XXX.252->187.106.37.XX
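A way to read the Phase 1 timeout lines in the logs above, as an added example that is not part of the original posts: the trailing pair is the ISAKMP initiator:responder cookie, and an all-zero responder cookie means the initiator never received any reply from the peer. The function name and the third sample line are constructed for illustration.

```python
import re

# Phase 1 timeout line in the format shown in the logs above. The trailing
# pair is initiator_cookie:responder_cookie of the ISAKMP exchange.
PHASE1_FAIL = re.compile(
    r"ERROR: Phase 1 negotiation failed due to time up for "
    r"(?P<peer>[^\[\s]+)\[(?P<port>\d+)\]\. "
    r"(?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})"
)

def classify_phase1_failures(lines):
    """Return (peer, initiator_cookie, verdict) for each Phase 1 timeout.

    no-reply            : responder cookie is zero, so no packet from the
                          peer was ever accepted (unreachable UDP/500, wrong
                          remote endpoint, or the peer silently dropping the
                          proposal, e.g. no matching policy or mode).
    stalled-after-reply : the peer answered at least once, so look at the
                          later messages (pre-shared key, identifiers).
    """
    findings = []
    for line in lines:
        m = PHASE1_FAIL.search(line)
        if not m:
            continue
        no_reply = int(m["rcookie"], 16) == 0
        findings.append((m["peer"], m["icookie"],
                         "no-reply" if no_reply else "stalled-after-reply"))
    return findings

SAMPLE = [
    # Two lines copied from the logs in this thread.
    "Wed Feb 06 11:57:05 2013 (GMT -0300): [CISCO-CMC] [IKE] ERROR: Phase 1 "
    "negotiation failed due to time up for 177.XX.XX.252[500]. "
    "8087708d2f96f284:0000000000000000",
    "Thu Feb 07 03:10:57 2013 (GMT -0300): [CISCO-CMC] [IKE] ERROR: Phase 1 "
    "negotiation failed due to time up for 177.XX.XXX.252[500]. "
    "64a902cf8eb42732:0000000000000000",
    # Constructed line (not from the thread) with a non-zero responder cookie.
    "Thu Feb 07 03:20:00 2013 (GMT -0300): [CISCO-CMC] [IKE] ERROR: Phase 1 "
    "negotiation failed due to time up for 203.0.113.10[500]. "
    "1122334455667788:99aabbccddeeff00",
]

if __name__ == "__main__":
    for finding in classify_phase1_failures(SAMPLE):
        print(finding)
```

Both timeouts in the thread classify as no-reply; the "Phase 2 negotiation failed due to time up waiting for phase1" errors are a consequence of that, not a separate fault.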
02-06-2013 10:46 PM
Hello Wesslley,
Usually when I run into an issue like this and have tried changing a few settings, I like to just delete the tunnels and start over. It looks like you might have set up gateway-to-gateway on one and then gateway-to-client on the other, but I'm not sure on that one.
Delete the settings you have now and set both ends up again using the basic VPN setup for gateway-to-gateway.
Give that a try and if you still have errors post the logs and I'll take another look.
Christopher Ebert
Network Support Engineer - Cisco Small Business Support Center
*Please rate helpful posts*
02-07-2013 04:36 AM
Hello Christopher,
Thanks for the immediate answer!
I made the connection Gateway-Gateway.
I took the example configuration described in the manual RV180w Cisco router:
Router 1: WAN1=10.0.0.1 LAN=192.168.1.1 Subnet=255.255.255.0
Policy Name: manualVPN
Policy Type: Manual Policy
Local Gateway: WAN1
Remote Endpoint: 10.0.0.2
Local IP: Subnet 192.168.1.0 255.255.255.0
Remote IP: Subnet 192.168.2.0 255.255.255.0
SPI-Incoming: 0x1111
Encryption Algorithm: DES
Key-In: 11112222
Key-Out: 33334444
SPI-Outgoing: 0x2222
Integrity Algorithm: MD5
Key-In: 1122334444332211
Key-Out: 5566778888776655
Router 2: WAN1=10.0.0.2 LAN=192.168.2.1 Subnet=255.255.255.0
Policy Name: manualVPN
Policy Type: Manual Policy
Local Gateway: WAN1
Remote Endpoint: 10.0.0.1
Local IP: Subnet 192.168.2.0 255.255.255.0
Remote IP: Subnet 192.168.1.0 255.255.255.0
SPI-Incoming: 0x2222
Encryption Algorithm: DES
Key-In: 33334444
Key-Out: 11112222
SPI-Outgoing: 0x1111
Integrity Algorithm: MD5
Key-In: 5566778888776655
Key-Out: 1122334444332211
Everything worked right the first time:
But when I run the ping command on either side of the VPN, it fails.
Are there other settings to be done? Like static routes?
Thanks!!
02-07-2013 05:11 AM
the ping:
the route display:
02-07-2013 12:15 PM
Hello Wesslley,
It looks like you are trying to ping 192.168.137.1 but the local LAN on router 1 is 192.168.1.0 and on router 2 it is 192.168.2.0.
I see a 192.168.130.0 network attached to the router you posted the routing table for, but where is 192.168.137.0?
Christopher Ebert
Network Support Engineer - Cisco Small Business Support Center
02-07-2013 12:25 PM
Hello Christopher,
In reality one router uses the subnet 192.168.137.0 and the other router uses 192.168.130.0 ...
Both routers have local IP 192.168.XXX.1:
Thanks!
EDIT:
Ping command on router 192.168.137.1:
Message edited by: Weslley Jesus de Oliveira
02-07-2013 10:32 PM
Hello Wesslley,
I just want to double check that you also changed the local and remote on the other router (there are only screenshots of one). Have you tried pinging another computer through the VPN?
One setting you might want to check is under Firewall > Attack Prevention. Disable the Respond to ping on WAN.
Christopher Ebert
Network Support Engineer - Cisco Small Business Support Center
*Please rate helpful posts*
02-08-2013 07:42 AM
Hello Christopher,
I reviewed the detailed configuration and realized that one of the routers had the "local" and "remote" subnets inverted ...
So it was not running the ping.
Thanks for the great help you gave me!
PROBLEM SOLVED
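A check for the fault that ended this thread, as an added example that is not part of the original posts: it verifies that two manual policies mirror each other, using the manual's example values quoted earlier, and shows what the inverted local/remote subnets look like. The dictionary keys and function name are hypothetical, not RV180W identifiers.

```python
from ipaddress import ip_network

# Manual-policy values from the manual's example quoted in the thread.
ROUTER1 = {
    "wan": "10.0.0.1", "remote_endpoint": "10.0.0.2",
    "local": "192.168.1.0/255.255.255.0",
    "remote": "192.168.2.0/255.255.255.0",
    "spi_in": 0x1111, "spi_out": 0x2222,
    "enc": "DES", "enc_key_in": "11112222", "enc_key_out": "33334444",
    "auth": "MD5", "auth_key_in": "1122334444332211",
    "auth_key_out": "5566778888776655",
}
ROUTER2 = {
    "wan": "10.0.0.2", "remote_endpoint": "10.0.0.1",
    "local": "192.168.2.0/255.255.255.0",
    "remote": "192.168.1.0/255.255.255.0",
    "spi_in": 0x2222, "spi_out": 0x1111,
    "enc": "DES", "enc_key_in": "33334444", "enc_key_out": "11112222",
    "auth": "MD5", "auth_key_in": "5566778888776655",
    "auth_key_out": "1122334444332211",
}

# (field on side A, field on side B that must carry the same value)
MIRRORED = [
    ("wan", "remote_endpoint"), ("remote_endpoint", "wan"),
    ("local", "remote"), ("remote", "local"),
    ("spi_in", "spi_out"), ("spi_out", "spi_in"),
    ("enc", "enc"), ("auth", "auth"),
    ("enc_key_in", "enc_key_out"), ("enc_key_out", "enc_key_in"),
    ("auth_key_in", "auth_key_out"), ("auth_key_out", "auth_key_in"),
]

def _norm(field, value):
    # Compare subnets as networks so "/24" and "/255.255.255.0" are equal.
    return ip_network(value) if field in ("local", "remote") else value

def mirror_mismatches(a, b):
    """Return the (a_field, b_field) pairs where b does not mirror a."""
    return [(fa, fb) for fa, fb in MIRRORED
            if _norm(fa, a[fa]) != _norm(fb, b[fb])]

# The fault from the last post: one router with local/remote swapped.
# A manual policy has no IKE negotiation to reject mismatched selectors,
# so the policy can look fine while no traffic matches it.
ROUTER2_INVERTED = dict(ROUTER2, local=ROUTER2["remote"],
                        remote=ROUTER2["local"])

if __name__ == "__main__":
    print(mirror_mismatches(ROUTER1, ROUTER2))           # []
    print(mirror_mismatches(ROUTER1, ROUTER2_INVERTED))
```

DES and MD5 appear here only because the quoted manual example uses them; of the settings shown in the thread, AES-192 with SHA-1 from the second post is the stronger choice.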