Problem connecting RV042G to a VPN gateway/Firewall

sa
Level 1

Hi,

I'm new to Cisco, up until now I have used NetAsq hardware.

The first thing I'm trying is to connect a new RV042G by VPN to a NetAsq firewall.

Today, I can connect without any problems using TheGreenbow VPN client on my laptop.

But no luck when trying the RV042G.

Office Network:

- Fixed official IP

- Internal Subnet is 192.168.11.0

Firewall is set up with:

- Set up with Aggressive Mode and Identity type user@FQDN

- Pre-shared Key is set with e-mail address and password

Remote Network:

- Dynamic official IP (but I cannot control the remote router)

- Internal FIXED IP for RV042G is 192.168.13.2 (this means the RV042G is behind a NAT network)

- Subnet behind RV042G is 10.0.0.0

Please remember: I can connect my laptop from the same network, and even from behind the RV042G.

Yes, this also means I have access from behind the RV042G to the internet.

Set up and tried with Client-to-Gateway and Gateway-to-Gateway (I think the last option is correct).

For Local Security I cannot choose user@FQDN only; I need to select IP + user@FQDN (??)

For Remote Security, the same.

For the rest, I have duplicated the settings from my Greenbow VPN client.

No luck at all; and yes, I'm VERY sure I've set the e-mail address and Pre-shared Key correctly and identically.

Any ideas?

Accepted Solution

Hi Stigh,

Can you try these steps, and ensure you have the latest firmware on the RV042G, 4.2.2.08.

Here is the link to download the firmware:

http://software.cisco.com/download/release.html?mdfid=284170426&softwareid=282465789&release=4.2.2.08&relind=AVAILABLE&rellifecycle=&reltype=latest

On RV042G

-----------

- Change the Phase 1 SA lifetime from 28800 to 21600 seconds (6 hours), because it should be the same as on the NetAsq

- Enable NAT-T (because the RV is behind a NAT)

- Enable Dead Peer Detection

On NetAsq

----------

- On proposal 1, change the strength of the Encryption algorithm and Hash algorithm to 256 bits

Best regards

Mehdi


3 Replies

sa
Level 1

I'll update with some pictures also...

RV042G config:

NetAsq config:

Please note, I can dial in using TheGreenbow client without any hassle to this config.

and finally Secret Key...


Hi Mehdi,

Actually, it worked.... Once!

After I opened the tunnel manually (Tunnel Test) and closed it, I can't get it up again.

I get SO frustrated.

Btw, I could change Authentication from 160 to 256 bit, but not Encryption (3DES); it's simply 192 bit.

Again, I changed my Greenbow software client accordingly and it can connect successfully (behind the RV).

This is the log I get from NetAsq (debugging on the RV is simply terrible/non-existent):

2013-07-08 19:11:10 local7.emergency 192.168.11.1 id=firewall time="2013-07-08 19:22:30" fw="Mobi" tz=+0000 startime="2013-07-08 19:22:30" error=2 phase=1 src=xx.xx.xx.xx srcname=Firewall_out dst=46.212.129.53 side=responder cookie_i=0x1adf6b8d0be2a6ac cookie_r=0x0000000000000000 user=xx@xx.no msg="Could not get a valid proposal" logtype="vpn"

2013-07-08 19:11:10 local7.emergency 192.168.11.1 id=firewall time="2013-07-08 19:22:30" fw="Mobi" tz=+0000 startime="2013-07-08 19:22:30" error=2 phase=1 src=xx.xx.xx.xx srcname=Firewall_out dst=46.212.129.53 msg="Negociation failed" logtype="vpn"

2013-07-08 19:11:10 local7.emergency 192.168.11.1 id=firewall time="2013-07-08 19:22:30" fw="Mobi" tz=+0000 startime="2013-07-08 19:22:30" error=2 phase=1 src=xx.xx.xx.xx srcname=Firewall_out dst=46.212.129.53 msg="Negociation failed" logtype="vpn"

I could even let you connect through remote control...

I've tried to check the "error=2 phase=1" from NetAsq without any luck. I'm about to give up now....

EDIT:

I've seen the light !!!

I returned to 160 bit encryption for SHA, as 256 bit is named SHA-2 rather than SHA-1.

I assumed the RV also then used 160 bit, so after adjusting the SA lifetime (amazing I didn't notice that myself) and reversing the proposed change of encryption... smack! The VPN was open.

So happy days now; working like a charm!

BIG BIG THANKS to you Mehdi for setting me back on track !!!

BR,

Stigh
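The thread turns on two things: what the NetAsq "phase=1 ... Could not get a valid proposal" record means, and Mehdi's checklist of Phase 1 parameters that must match (hash and SA lifetime here), plus NAT-T and DPD for a peer behind NAT on a dynamic address. The Python below is an added example, not code from the thread, Cisco or NetAsq. It parses constructed NetAsq-style records in the key=value format shown above, then diffs two constructed Phase 1 parameter sets and checks the NAT-T/DPD flags. DH group 2, the "psk" auth label and the behind_nat/dynamic_ip/nat_t/dpd flags are assumptions for illustration; the thread does not state them.

```python
import re

# Constructed NetAsq-style syslog records in the key=value format the thread shows
# (addresses redacted as in the thread; not a real capture). The first record is the
# decisive one; the "Negociation failed" record that follows it adds nothing.
SAMPLE_LOG_LINES = [
    'id=firewall time="2013-07-08 19:22:30" fw="Mobi" tz=+0000 startime="2013-07-08 19:22:30" '
    'error=2 phase=1 src=xx.xx.xx.xx srcname=Firewall_out dst=46.212.129.53 side=responder '
    'cookie_i=0x1adf6b8d0be2a6ac cookie_r=0x0000000000000000 user=xx@xx.no '
    'msg="Could not get a valid proposal" logtype="vpn"',
    'id=firewall time="2013-07-08 19:22:30" fw="Mobi" tz=+0000 startime="2013-07-08 19:22:30" '
    'error=2 phase=1 src=xx.xx.xx.xx srcname=Firewall_out dst=46.212.129.53 '
    'msg="Negociation failed" logtype="vpn"',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv_log(line):
    """Split one record into a dict, stripping the quotes around quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def classify_ike_failure(fields):
    """Coarse diagnosis of one NetAsq vpn record.

    A phase=1 record whose message mentions a proposal means the responder found
    no local Phase 1 proposal matching what the initiator offered: encryption,
    hash, DH group, authentication method or lifetime did not line up.
    """
    if fields.get("logtype") != "vpn":
        return "not-vpn"
    phase, msg = fields.get("phase"), fields.get("msg", "").lower()
    if phase == "1" and "proposal" in msg:
        return "phase1-proposal-mismatch"
    if phase == "1":
        return "phase1-failure"
    if phase == "2":
        return "phase2-failure"
    return "unknown"


def diagnose_log(lines):
    """Most specific diagnosis across a burst of records, so the generic
    'Negociation failed' lines do not mask the informative one."""
    priority = ("phase1-proposal-mismatch", "phase2-failure", "phase1-failure", "unknown")
    found = {classify_ike_failure(parse_kv_log(line)) for line in lines}
    return next((label for label in priority if label in found), "no-failure-records")


# Phase 1 (IKE SA) parameters both peers must agree on. NetAsq labels the hash by
# digest length: "Authentication 160 bits" is SHA-1, "256 bits" is SHA-256 (SHA-2).
# 3DES always has a 192-bit key, which is why its strength could not be raised.
PHASE1_KEYS = ("mode", "auth", "encryption", "hash", "dh_group", "lifetime_s")


def phase1_mismatches(initiator, responder):
    """{parameter: (initiator_value, responder_value)} for each differing parameter.

    Lifetime is compared exactly: an IKEv1 responder may announce a shorter
    lifetime instead of failing, but Mehdi's fix was to set 21600 s on both ends.
    """
    return {k: (initiator.get(k), responder.get(k))
            for k in PHASE1_KEYS if initiator.get(k) != responder.get(k)}


def transport_warnings(initiator, responder):
    """The two settings Mehdi's answer adds, checked against the peer's situation:
    NAT-T when a peer sits behind NAT (ESP must ride in UDP 4500), and DPD so an SA
    to a dynamic-address peer is dropped once that peer stops answering."""
    warnings = []
    if initiator.get("behind_nat") and not (initiator.get("nat_t") and responder.get("nat_t")):
        warnings.append("initiator is behind NAT but NAT-T is not enabled on both peers")
    if initiator.get("dynamic_ip") and not initiator.get("dpd"):
        warnings.append("initiator has a dynamic address but DPD is off; a dead SA lingers until it expires")
    return warnings


# Constructed from the thread. DH group 2, the "psk" label and the NAT/DPD flags are
# assumptions for illustration; the thread does not state them.
RV042G_DEFAULT = {"mode": "aggressive", "auth": "psk", "encryption": "3des", "hash": "sha1",
                  "dh_group": 2, "lifetime_s": 28800,          # RV042G default, 8 h
                  "behind_nat": True, "dynamic_ip": True, "nat_t": False, "dpd": False}
NETASQ_AFTER_256 = {"mode": "aggressive", "auth": "psk", "encryption": "3des", "hash": "sha256",
                    "dh_group": 2, "lifetime_s": 21600, "nat_t": True}   # after the "256 bits" change
RV042G_FIXED = dict(RV042G_DEFAULT, lifetime_s=21600, nat_t=True, dpd=True)
NETASQ_FIXED = dict(NETASQ_AFTER_256, hash="sha1")          # back to "Authentication 160 bits"

if __name__ == "__main__":
    print("log says:", diagnose_log(SAMPLE_LOG_LINES))
    print("before:", phase1_mismatches(RV042G_DEFAULT, NETASQ_AFTER_256),
          transport_warnings(RV042G_DEFAULT, NETASQ_AFTER_256))
    print("after: ", phase1_mismatches(RV042G_FIXED, NETASQ_FIXED),
          transport_warnings(RV042G_FIXED, NETASQ_FIXED))
```

Run stand-alone, the "before" state reports exactly the two differences Stigh ended up fixing (hash sha1 vs sha256, lifetime 28800 vs 21600) plus the missing NAT-T and DPD, and the "after" state reports nothing. The log side is the important half in practice: the RV042G gives almost no IKE debugging, so the responder's phase=1 proposal message is the only evidence that the failure is a parameter mismatch rather than a wrong pre-shared key (a PSK mismatch in aggressive mode typically fails later, at the hash check, not at proposal selection).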