RV042 site to site VPN with dynamic IP

Eli Hunter
Level 1

I recently bought two RV042s to create a site-to-site VPN for a client. I have several of these setups installed at other locations, but this is the first version 3 hardware I've used.

It seems like the dynamic IP functionality of the VPN setup may not be working correctly. I've verified that all settings on each router match and have deleted/recreated the setup several times just to make sure. Here are the logs from the router with a static IP.

Nov 29 06:49:51 2012 VPN Log (g2gips0): deleting connection
Nov 29 06:49:51 2012 VPN Log added connection description (g2gips0)
Nov 29 06:49:51 2012 VPN Log listening for IKE messages
Nov 29 06:49:51 2012 VPN Log forgetting secrets
Nov 29 06:49:51 2012 VPN Log loading secrets from '/etc/ipsec.d/ipsec.secrets'
Nov 29 06:49:51 2012 VPN Log (g2gips0): cannot initiate connection without knowing peer IP address
Nov 29 06:49:51 2012 VPN Log (g2gips0): cannot initiate connection without knowing peer IP address

I've tried both Dynamic IP + Email and Dynamic IP + FQDN to authenticate the router using the dynamic IP, and both give the same error as above.

I did a firmware update hoping to fix PPPoE, which seemed to be broken with a Netopia modem in bridge mode, so both routers are on the latest firmware, v4.2.1.02.

Any help would be appreciated.


jonatrod
Level 7

Good morning,

Thanks for using our forum.

Hi, my name is Johnnatan and I am part of the Small Business Support community. I've seen your logs and it looks like the router doesn't find its peer. I recommend going to the section VPN > Gateway to Gateway and verifying your configuration using this document:

http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=4&app=search&vw=1&articleid=3294

If you are still having problems, you could do a "factory reset" (always make a backup of your configuration) of your device and configure your tunnel again. You can do it with the wizard or manually.

Also, I recommend that instead of using dynamic addresses, you contact your ISP and ask for static addresses, and configure your router with the option "IP only".

I hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered.

Please rate posts you consider useful.

Greetings,

Johnnatan Rodriguez Miranda.

Cisco network support engineer.


To add to Johnnatan's post, you may consider registering your dynamic WAN IP address with the DynDNS service. Then you should be able to use the option Dynamic IP + Domain Name (FQDN) Authentication.

-Tom
Please rate helpful posts

Thanks for the replies.

I tried setting these up before updating the firmware as well as after updating the firmware. I also wiped the devices after the firmware updates and set this up again.

My client would prefer not to have to get a static IP, since it would more than double their internet bill for that particular office. I have another setup with a dynamic IP on one end and the email authentication works fine; these are, however, older RV042s with version 2.x firmware.

I tested both with email authentication and by setting up a dyndns address and using that as the FQDN to register. Both configurations give the same error. I'll take screenshots of the settings when I get a chance, but I've reconfigured this from scratch at least 4 times now and verified the settings many times over, so I'm really doubting it's a configuration error at this point.

Here are some screenshots; hopefully I'm overlooking something simple. Addresses and domain names were copied and pasted, so there is not much chance of a typo. Also, I verified on the router with the static IP, under the diagnostic section, that it is able to resolve the IP from the dyndns domain name.

Static office setup

Dynamic office setup

Try both by IP only and IP by DNS resolved. That's how I've done it.

Les

This is indeed the way I did it too, and it worked for me.

Sent from Cisco Technical Support iPad App

Weird but things started working over the weekend with no changes.

The VPN summary page now shows the IP resolved from the dyndns FQDN instead of 0.0.0.0. Seems there's a delay in the VPN software resolving the IP? I'm not sure what to make of it, but it's working now with one site authenticating by IP and the other by IP and FQDN.

Thanks for everybody's responses.

I can confirm the above problem, which I am having too.

I have two brand new RV042G routers, both of which are running the latest firmware (v4.2.1.02 (Jan 18 2012 14:10:55)). They both get a dynamic IP address and therefore both have the dyndns.org service enabled and are correctly updating their respective IP addresses with dyndns. Both also have PPTP servers enabled and I can connect to these servers from the outside using their dyndns.org names. This means that each router is updating dyndns with its respective IP address and dyndns is resolving them appropriately as well.

Now here is the problem, which is exactly what Eli was having too. When I try to establish a gateway-to-gateway VPN between these two routers using Dynamic IP + FQDN, it appears the router does not resolve the IP address of the remote (I simply see 0.0.0.0 for the remote gateway under the .dyndns.org name of the host). This is happening at both ends of the tunnel. Neither router is resolving the name of the remote router. If I change to IP Only and give the IP addresses of the routers, the tunnel works great. (My dynamic IP changes about twice a day, so that is why I cannot leave these as static.)

It appears the problem is that somewhere the router is not resolving the dyndns names. I am not sure why/how things started working for Eli all of a sudden, but for me they are still not working.

Interestingly, when I go to the diagnostics tool on the router web management page I can "Ping" the remote router using the dyndns name, so the router is obviously able to resolve the name if it wants to. I think somewhere, for some reason, the VPN gateway-to-gateway tunnel portion does not want to.

I would really appreciate if someone could provide some insight.

I have tried to restart, wipe and update a lot of times, so no, I don't think that is the problem. I seriously think there is a bug somewhere in the router code.

Did you try using IP only for the remote security group and then IP by DNS resolved? That works for me.

Hey Les ... I am not sure if I quite understand.

So here is what I have:

Router 1: Local Security Gateway: Dynamic IP + FQDN
    Domain Name: router1.dyndns.org
    Remote Security Gateway: Dynamic IP + FQDN
    Domain Name: router2.dydns.org

Router 2: Local Security Gateway: Dynamic IP + FQDN
    Domain Name: router2.dyndns.org
    Remote Security Gateway: Dynamic IP + FQDN
    Domain Name: router1.dydns.org

Router 1 and 2 both get dynamic IPs on their WAN ports.

How would you recommend changing this scheme?

Cheers

Harry

Router 1: Local Security Gateway: Dynamic IP + FQDN
    Domain Name: router1.dyndns.org
    Remote Security Gateway: IP by DNS resolved
    Domain Name: router2.dydns.org

Router 2: Local Security Gateway: Dynamic IP + FQDN
    Domain Name: router2.dyndns.org
    Remote Security Gateway: IP by DNS resolved
    Domain Name: router1.dydns.org

I assume the local gateway is resolving correctly on both; if not, just manually input the IP for now.

Nope, still does not work. Here is what I get in the error logs:

Jan 8 00:30:18 2013 VPN Log (g2gips0) #18: discarding duplicate packet; already STATE_MAIN_I3
Jan 8 00:30:18 2013 VPN Log (g2gips0) #18: discarding duplicate packet; already STATE_MAIN_I3
Jan 8 00:30:18 2013 VPN Log (g2gips0) #18: ignoring informational payload, type INVALID_ID_INFORMATION
Jan 8 00:30:18 2013 VPN Log (g2gips0) #18: ignoring informational payload, type INVALID_ID_INFORMATION
Jan 8 00:30:24 2013 VPN Log packet from 96.49.151.217:500: received Vendor ID payload [Dead Peer Detection]
Jan 8 00:30:24 2013 VPN Log packet from 96.49.151.217:500: received Vendor ID payload [Dead Peer Detection]
Jan 8 00:30:24 2013 VPN Log packet from 96.49.151.217:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Jan 8 00:30:24 2013 VPN Log packet from 96.49.151.217:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: responding to Main Mode
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: Peer ID is ID_FQDN: '@router2.homelinux.com'
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: no suitable connection for peer '@router2.homelinux.com'
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: no suitable connection for peer '@router2.homelinux.com'
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: sending encrypted notification INVALID_ID_INFORMATION to 96.49.151.217:500
Jan 8 00:30:34 2013 VPN Log (g2gips0) #19: [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
Jan 8 00:30:34 2013 VPN Log (g2gips0) #19: [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
Jan 8 00:30:34 2013 VPN Log (g2gips0) #19: Peer ID is ID_FQDN: '@router2.homelinux.com'
Jan 8 00:30:34 2013 VPN Log (g2gips0) #19: no suitable connection for peer '@router2.homelinux.com'

Hey Les ... I took your advice and tried your settings ... didn't work ... got the errors above. Then the last line of your reply caught my attention and I tried the following:

Router 1: Local Security Gateway: IP
    Domain Name: xxx.xxx.xxx.xxx   <-- This has the WAN IP address automatically placed for router 1
    Remote Security Gateway: IP by DNS resolved
    Domain Name: router2.dydns.org

Router 2: Local Security Gateway: IP
    Domain Name: yyy.yyy.yyy.yyy   <-- This has the WAN IP address automatically placed for router 2
    Remote Security Gateway: IP by DNS resolved
    Domain Name: router1.dydns.org

With the settings above, voila, it works. This tells me that most definitely the problem has to do with Dynamic IP + FQDN. I still cannot figure out why the router cannot resolve dynamic hostnames.

Even though this tunnel is working right now, I feel it will fail the moment the WAN IP changes on router 1 or 2, because as of right now the tunnel construct makes it look like the local end of each tunnel is a static IP, which it is not.
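An added example, not from this thread or from Cisco, that automates the triage done by hand above over the two kinds of RV042 log excerpt quoted in it: the "cannot initiate connection without knowing peer IP address" lines from the first post (remote gateway stuck at 0.0.0.0) and the "Peer ID is ID_FQDN" / "no suitable connection for peer" / INVALID_ID_INFORMATION sequence from the post just above (responder has no tunnel matching the identity the peer presented). The sample lines, hostname and address are constructed placeholders; only the message patterns are taken from the thread.

```python
import re

# Constructed sample, patterned on the two router logs quoted in this thread.
# The address and hostname are placeholders, not the posters' real values.
SAMPLE_LOG = """\
Nov 29 06:49:51 2012 VPN Log (g2gips0): cannot initiate connection without knowing peer IP address
Jan 8 00:30:24 2013 VPN Log packet from 198.51.100.7:500: received Vendor ID payload [Dead Peer Detection]
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: responding to Main Mode
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: Peer ID is ID_FQDN: '@router2.example.net'
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: no suitable connection for peer '@router2.example.net'
Jan 8 00:30:24 2013 VPN Log (g2gips0) #19: sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.7:500
"""

# pluto-style entries as the RV042 prints them: "(conn) #sa: text" or "(conn): text"
ENTRY_RE = re.compile(r"VPN Log \((?P<conn>\w+)\)(?: #(?P<sa>\d+))?: (?P<msg>.*)$")
PEER_ID_RE = re.compile(r"Peer ID is (?P<idtype>ID_\w+): '(?P<id>[^']*)'")
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<notify>\w+) to (?P<addr>[\d.]+):\d+")
UNRESOLVED = "cannot initiate connection without knowing peer IP address"
NO_CONN = "no suitable connection for peer"


def triage_vpn_log(text):
    """Group entries by (connection, SA number); return one finding per negotiation that failed."""
    state = {}  # (conn, sa) -> facts accumulated for that negotiation; repeats collapse here
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # e.g. "packet from a.b.c.d:500" lines carry no connection name
        key = (m["conn"], m["sa"])
        facts = state.setdefault(key, {"connection": m["conn"], "sa": m["sa"]})
        msg = m["msg"]
        if UNRESOLVED in msg:
            # Initiator side: remote gateway still 0.0.0.0, the FQDN was never resolved by the IKE daemon
            facts["problem"] = "remote_gateway_unresolved"
        elif pid := PEER_ID_RE.search(msg):
            facts["peer_id_type"], facts["peer_id"] = pid["idtype"], pid["id"]
        elif NO_CONN in msg:
            # Responder side: no configured tunnel has a remote identity matching what the peer sent
            facts["problem"] = "no_tunnel_matches_peer_id"
        elif n := NOTIFY_RE.search(msg):
            facts["notify_sent"], facts["peer_addr"] = n["notify"], n["addr"]
    return [f for f in state.values() if "problem" in f]


if __name__ == "__main__":
    for finding in triage_vpn_log(SAMPLE_LOG):
        print(finding)
```

The second finding pairs the ID type the peer presented (ID_FQDN) with the notification this router sent back, which is the comparison to make against the peer's Local Security Gateway and this router's Remote Security Gateway settings.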