03-28-2011 09:43 AM
Hi all
I have a new RV042 v03 with 4.0.0.07 firmware. It's the gateway router at a client with a static IP address. I'm trying to configure a VPN tunnel so that they can access office resources from "road-warrior"-type situations (laptop at home or elsewhere). I have two problems:
1) (less important) I cannot log into the router's interface from Safari 5.0.x. After logging in to the router, I'm kicked back out to the login prompt. It seems to work fine from Firefox 4.
2) This is the real issue - I cannot get a VPN GroupVPN (or Client to Gateway, for that matter) connection working with IPSecuritas on the Mac. At all.
On the client side, I get the following errors:
IKE - Foreground mode.
IKE - none message must be encrypted. (repeated several times)
Here are the VPN messages from the router (shortened to remove duplicate messages). (The connecting IP address is dynamic, so I haven't obscured it.) From the remote side, I'm going through an Apple Airport Extreme, which should pass through IPSec traffic just fine.
VPN Log packet from 74.66.69.139:500: received Vendor ID payload [Dead Peer Detection]]
VPN Log packet from 74.66.69.139:500: [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: Peer ID is ID_FQDN: '@bgs_remote'
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: responding to Aggressive Mode, state #70, connection 'grpips0' from 74.66.69.139
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: [Tunnel Negotiation Info] >>> Responder Send Aggressive Mode 2nd packet
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: packet rejected: should have been encrypted
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification INVALID_FLAGS to 74.66.69.139:500
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification PAYLOAD_MALFORMED to 74.66.69.139:500
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: packet rejected: should have been encrypted
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification INVALID_FLAGS to 74.66.69.139:500
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification PAYLOAD_MALFORMED to 74.66.69.139:500
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: packet rejected: should have been encrypted
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification INVALID_FLAGS to 74.66.69.139:500
Mar 28 12:16:47 2011 VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification PAYLOAD_MALFORMED to 74.66.69.139:500
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: sending notification PAYLOAD_MALFORMED to 74.66.69.139:500
VPN Log (grpips0)[5] 10.128.1.0/24=== ...74.66.69.139===? #70: encrypted Informational Exchange message is invalid because no key is known
NOTE: I CAN successfully connect to this tunnel using VPN Tracker 6, but if I can get IPSecuritas working, I'd rather use that.
Here are the settings I'm using.
Router VPN (this is in dual-WAN mode, but only has one active WAN connection at WAN1):
GroupVPN
Interface: WAN1
Local group: Subnet
IP: 10.128.1.0
Mask: 255.255.255.0
Remote group: FQDN
Domain name: bgs_remote
IPSec:
IKE / Preshared key
Phase 1: Group 2 (1024) / 3DES / SHA1 / 28800 secs
PFS is ON
Phase 2: Group 2 (1024) / 3DES / SHA1 / 3600 secs
Preshared key is set.
Advanced: Aggressive mode, Keep-alive are ON.
IPSecuritas settings:
Remote device: x.x.x.x (correctly set to router static IP).
Local: Endpoint is host, IP address blank
Remote: Network, 10.128.1.0/24
Phase 1: Group 2 (1024) / 3DES / SHA1 / 28800 secs
Exchange: Aggressive, Proposal: Claim (have also tried Obey and Check)
Nonce size: 16
Phase 2: Group 2 (1024) / 3DES / SHA1 / 3600 secs
Local ID - FQDN: bgs_remote
Remote ID: Address
Preshared key is set and identical to that on router.
DNS - Not set.
Options - IPSec DOI, SIT_IDENTITY_ONLY, Initial Contact, Generate Policy, Support Proxy are ON
(I've also tried changing these options, without success so far).
Here are the VPN Tracker settings, which DO work:
VPNTracker settings:
Gateway: x.x.x.x (correct router address)
Network: Host to network
Local: blank
Remote networks: 10.128.1.0/24
Authentication: Pre-shared key (stored)
IDs:
Local: FQDN - bgs_remote
Remote: Don't verify
Phase 1:
Mode: Aggressive
Group 2 (1024) / 3DES / SHA1 / 28800 secs
Phase 2:
Group 2 (1024) / 3DES / SHA1 / 3600 secs
NAT-T: automatic
INITIAL-CONTACT is off ("On" also works.)
DPD-capable: ON / 20 seconds
Now, I've used an older Linksys-branded RV042 (with 1.3.12) and have successfully connected with IPSecuritas using GroupVPN.
But this version has me stumped.
Can anyone offer any help or suggestions? Will provide more info if required.
Many thanks!
Matt
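A triage pass over the router-side log format quoted in the post above, as an added example that is not part of any poster's message: it groups entries by negotiation state number and reports whether phase 1 stalled after the responder's 2nd Aggressive Mode packet. The sample log is constructed (documentation peer address), and the report field names and the `phase1_stalled` heuristic are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the router log format quoted in the post; the peer is
# a documentation address, and two entries are run together on one line with
# a stray timestamp, as happens in the pasted log.
SAMPLE_LOG = """\
VPN Log packet from 203.0.113.7:500: [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet
VPN Log (grpips0)[5] 10.128.1.0/24=== ...203.0.113.7===? #70: [Tunnel Negotiation Info] >>> Responder Send Aggressive Mode 2nd packet
VPN Log (grpips0)[5] 10.128.1.0/24=== ...203.0.113.7===? #70: packet rejected: should have been encrypted
VPN Log (grpips0)[5] 10.128.1.0/24=== ...203.0.113.7===? #70: sending notification INVALID_FLAGS to 203.0.113.7:500 Mar 28 12:16:47 2011 VPN Log (grpips0)[5] 10.128.1.0/24=== ...203.0.113.7===? #70: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
VPN Log (grpips0)[5] 10.128.1.0/24=== ...203.0.113.7===? #70: sending notification PAYLOAD_MALFORMED to 203.0.113.7:500
VPN Log (grpips0)[5] 10.128.1.0/24=== ...203.0.113.7===? #70: packet rejected: should have been encrypted
"""

ENTRY = re.compile(r"VPN Log (?:\((?P<conn>\w+)\)\[\d+\] .*?#(?P<state>\d+): )?(?P<msg>.*)", re.S)
STAMP = re.compile(r"\s*[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}$")

def parse(log):
    """Yield (conn, state, message); tolerates entries merged onto one line."""
    for chunk in re.split(r"(?=VPN Log )", log):
        m = ENTRY.match(chunk.strip())
        if m:
            yield m["conn"], m["state"], STAMP.sub("", m["msg"].strip())

def triage(log):
    """Summarise each negotiation (state number) by the failures it logged."""
    seen = defaultdict(Counter)
    for conn, state, msg in parse(log):
        if state is not None:          # pre-state "packet from ..." lines
            seen[(conn, state)][msg] += 1
    report = {}
    for (conn, state), msgs in seen.items():
        count = lambda text: sum(n for m, n in msgs.items() if text in m)
        row = {
            "connection": conn,
            "sent_2nd_packet": count("Send Aggressive Mode 2nd packet") > 0,
            "unencrypted_rejects": count("should have been encrypted"),
            "early_quick_mode": count("incomplete ISAKMP SA"),
            "notifications": sorted({m.split()[2] for m in msgs
                                     if m.startswith("sending notification")}),
        }
        # Heuristic: the responder answered, then rejected the peer's follow-up
        # packets as unencrypted and refused Quick Mode on the same state.
        row["phase1_stalled"] = bool(row["sent_2nd_packet"] and
                                     row["unencrypted_rejects"] and row["early_quick_mode"])
        report[state] = row
    return report
```

Calling `triage(SAMPLE_LOG)` returns one row keyed by state `"70"`; the same function can be fed a full log export to compare a failing client against a working one.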
05-18-2012 01:36 PM
Did you ever find a resolution to your problem? I'm having basically the same problem (RV042 v3 and IPSecuritas) and figured before I start a new thread, I'd see if this one had any solution. Thanks.
05-24-2012 03:36 PM
Nope, I ended up buying VPNTracker for the client. But let me know if you find a solution!
Matt
05-24-2012 03:57 PM
RV042 supports 5 PPTP VPN clients, which is supported on most operating systems including Mac.
09-25-2017 11:06 AM
Oh no, this is a really old thread....
The Safari issue might be fixed, but I have the same router and the same problem. Mac stopped supporting PPTP with Sierra, and although I worked with a Cisco rep to get an IPSecuritas profile working with a static IP, my client doesn't have a static IP at home or on the road.
She hasn't been able to use the VPN in months since updating to Sierra. We're so desperate I'm considering opening a support contract just to fix it.