RV120W as VPN Client? or (Easy VPN Remote)

scottaobe
Level 1

I have a Cisco 1811 set up as an Easy VPN Server. Can the RV120w be used as a client to connect to the 1811?

This capability was present in the older, mostly discontinued 800 series and also the 1700 series and was known as Easy VPN Remote.

It allows a router with a dynamic IP address to connect to the main VPN router without configuring a site-to-site VPN, which is not possible without a static IP address.

I see on page 108 of the RV120W administration guide/manual in the "Configuring VPN Policies" section there is a statement that says

----------------------------------------------------------------------------------------------------------------------

STEP 1 Select the XAUTH type:

• None—Disables XAUTH.

• IPsec Host—The router is authenticated by a remote gateway with a username and password combination. In this mode, the router acts as a VPN Client of the remote gateway.

• User Database—User accounts created in the router are used to authenticate users. See Configuring IPsec Users, page 114.

STEP 2 If you selected IPsec Host, enter the username and password for the host.

----------------------------------------------------------------------------------------------------------------------

I think the IPsec Host setting sounds like the Easy VPN Remote option.

Has anyone tried this?

I talked to Cisco support today and, as ridiculous as it sounds, after two phone calls and two support tickets I could get no one to verify this function.

I have set up the IPSec site-to-site VPN with a WRV210 (static IP) to the 1811 but have about a dozen remote users that do not have static IPs.

Thanks for any info,

Scott

4 Replies

mpyhala
Level 7

Hi Scott,

Thank you for posting. Sorry I don't have an answer regarding your question about IPsec Host. I'll have to look into that. Regarding the 1811, can you use a FQDN instead of a static IP? I have a WRV210 and a WRV200 connected (Gateway to Gateway) using free dyndns names and the tunnel has been up for over a year.

joshproano
Level 1

Hi Scott,

I was able to get the RV120W to successfully act as an EZVPN Client with Network Extension Mode to an ASA... I can't imagine it would be very different on an IOS router acting as a server.. Here's what I did.

On the IKE Policy:

Set mode to initiator and aggressive negotiation

The Local IP mode was set to FQDN (and took the name of the traditional IPSEC Group Name)

Remote is "Remote WAN IP" - This will be filled in by the VPN policy (AKA Phase2)

For the IKE SA Parameters

These should match the crypto map capabilities on the EZVPN Server for the Encryption/Auth Algorithms

For the Pre-Shared Key.. here is where the Group PSK goes (It will stay in the clear which is a bit of a drag)

I extended the SA lifetime to 86400 to match my server (this may not be needed for yours)

I also turned on Dead Peer Detection

Xauth Type is IPSec Host; I used the Username and Password for the EZVPN here

OK.. So now on to the VPN policies:

If you have more than one block of addresses you'll have to do more than one policy as the RV120W won't pull a split tunnel list automagically.

Policy Type Auto

Remote Endpoint IP: IP address of your concentrator

Local IP is Subnet: and I chose the subnet range for only the VLANs that are to take part in the network extension mode (ex. 192.168.2.0/24)

Remote IP is Subnet: and this is where you'll have to do your blocks of IPs that are relevant to your organization.. (ex. 10.1.0.0/16)

Again make sure that the encryption and auth algorithms are supported in your crypto map..

The big one here is the DiffHel2 check box is unchecked by default and I don't know of an EZVPN that doesn't use PFS, so that's one that took me a couple of stares before I caught it.

Be sure your IKE policy is selected above and you should be good to go.

Also FYI I have possibly found a bug with the xAUTH component. So if you do get this working let it cook for a few days before calling joy!

JP

I am having trouble getting the above to work. I have a UC520 as the server and I can connect to the VPN from a computer using the client no problems, but with the RV120W I can't get past phase 2.

I have used CCA to config the EZVPN on the UC520 and followed the above instructions. I have also tweaked things in case the encryption is different.

My log from the RV120W is as follows:

2011-10-19 07:59:17: [rv120w][IKE] INFO:  Using IPsec SA configuration: 192.168.2.0/24<->192.168.1.0/24
2011-10-19 07:59:17: [rv120w][IKE] INFO:  remote configuration for identifier "XXX.net" found
2011-10-19 07:59:17: [rv120w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.10.2[500]<=>XXX.XXX.XXX.XXX[500]
2011-10-19 07:59:17: [rv120w][IKE] INFO:  Beginning Aggressive mode.
2011-10-19 07:59:17: [rv120w][IKE] INFO:  NAT-Traversal is Enabled
2011-10-19 07:59:17: [rv120w][IKE] INFO:   [agg_i1send:256]: XXX: NUMNATTVENDORIDS: 3
2011-10-19 07:59:17: [rv120w][IKE] INFO:   [agg_i1send:260]: XXX: setting vendorid: 4
2011-10-19 07:59:17: [rv120w][IKE] INFO:   [agg_i1send:260]: XXX: setting vendorid: 8
2011-10-19 07:59:17: [rv120w][IKE] INFO:   [agg_i1send:260]: XXX: setting vendorid: 9
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Received Vendor ID: CISCO-UNITY
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Received Vendor ID: DPD
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Received unknown Vendor ID
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Received Vendor ID: RFC 3947
2011-10-19 07:59:18: [rv120w][IKE] INFO:  NAT-D payload does not match for 192.168.10.2[500]
2011-10-19 07:59:18: [rv120w][IKE] INFO:  NAT-D payload does not match for XXX.XXX.XXX.XXX [500]
2011-10-19 07:59:18: [rv120w][IKE] INFO:  For XXX.XXX.XXX.XXX [500], Selected NAT-T version: RFC 3947
2011-10-19 07:59:18: [rv120w][IKE] INFO:  NAT detected: ME PEER
2011-10-19 07:59:18: [rv120w][IKE] INFO:  for debugging :: changing ports
2011-10-19 07:59:18: [rv120w][IKE] INFO:  port changed !!
2011-10-19 07:59:18: [rv120w][IKE] INFO:  ISAKMP-SA established for 192.168.10.2[4500]-XXX.XXX.XXX.XXX[4500] with spi:6df780709f5981a6:57b31c3779b02ea8
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Initiating new phase 2 negotiation: 192.168.10.2[0]<=>XXX.XXX.XXX.XXX[0]
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Adjusting encryption mode to use UDP encapsulation
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Received attribute type "ISAKMP_CFG_REQUEST" from XXX.XXX.XXX.XXX[4500]
2011-10-19 07:59:18: [rv120w][IKE] WARNING:  Ignored short attribute 13
2011-10-19 07:59:18: [rv120w][IKE] WARNING:  Ignored attribute 14
2011-10-19 07:59:18: [rv120w][IKE] WARNING:  Ignored attribute 15
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Received attribute type "ISAKMP_CFG_REQUEST" from XXX.XXX.XXX.XXX[4500]
2011-10-19 07:59:18: [rv120w][IKE] WARNING:  Ignored short attribute 13
2011-10-19 07:59:18: [rv120w][IKE] WARNING:  Ignored attribute 14
2011-10-19 07:59:18: [rv120w][IKE] WARNING:  Ignored attribute 15
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Received attribute type "ISAKMP_CFG_REQUEST" from XXX.XXX.XXX.XXX[4500]
2011-10-19 07:59:18: [rv120w][IKE] WARNING:  Ignored short attribute 13
2011-10-19 07:59:18: [rv120w][IKE] WARNING:  Ignored attribute 14
2011-10-19 07:59:18: [rv120w][IKE] WARNING:  Ignored attribute 15
2011-10-19 08:00:08: [rv120w][IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=6df780709f5981a6:57b31c3779b02ea8.
2011-10-19 08:00:18: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up. 6df780709f5981a6:57b31c3779b02ea8:ee850587
2011-10-19 08:00:18: [rv120w][IKE] INFO:  an undead schedule has been deleted: 'quick_i1prep'.
2011-10-19 08:00:18: [rv120w][IKE] INFO:  ISAKMP-SA deleted for 192.168.10.2[4500]-XXX.XXX.XXX.XXX[4500] with spi:6df780709f5981a6:57b31c3779b02ea8
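The log above shows the typical "phase 1 good, phase 2 times out" pattern, and JP's checklist earlier in the thread says where to look for it. As an added example (not code from this thread or from Cisco), here is a small Python triage routine for the RV120W IKE log format that records how far the EZVPN negotiation got and maps a phase-2 timeout onto that checklist (PFS/DH group 2, one VPN policy per remote block). The sample log is constructed from the format above, with the peer address replaced by 203.0.113.5.

```python
import re
from collections import Counter

# Constructed sample in the RV120W IKE log format posted above (peer address
# replaced with a documentation address); it reproduces the phase-2 timeout.
SAMPLE_LOG = """\
2011-10-19 07:59:18: [rv120w][IKE] INFO:  ISAKMP-SA established for 192.168.10.2[4500]-203.0.113.5[4500] with spi:6df780709f5981a6:57b31c3779b02ea8
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Initiating new phase 2 negotiation: 192.168.10.2[0]<=>203.0.113.5[0]
2011-10-19 07:59:18: [rv120w][IKE] INFO:  Received attribute type "ISAKMP_CFG_REQUEST" from 203.0.113.5[4500]
2011-10-19 07:59:18: [rv120w][IKE] WARNING:  Ignored short attribute 13
2011-10-19 07:59:18: [rv120w][IKE] WARNING:  Ignored attribute 14
2011-10-19 08:00:18: [rv120w][IKE] ERROR:  Phase 2 negotiation failed due to time up. 6df780709f5981a6:57b31c3779b02ea8:ee850587
"""
LINE_RE = re.compile(r"^(\S+ \S+): \[rv120w\]\[IKE\] ([A-Z]+):\s+(.*)$")
SA_RE = re.compile(r"ISAKMP-SA established for (\S+)-(\S+) with spi:(\S+)")

def parse_ike_log(text):
    """Yield (timestamp, level, message) for each well-formed RV120W IKE log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def triage(text):
    """Summarise how far an EZVPN client negotiation got; return (state, hints)."""
    s = {"phase1": None, "phase2_started": False, "modecfg_requests": 0,
         "ignored_attrs": Counter(), "phase2_failed": False}
    for _ts, level, msg in parse_ike_log(text):
        sa = SA_RE.search(msg)
        if sa:  # phase 1 done: the group PSK and the XAUTH credentials were accepted
            s["phase1"] = {"local": sa.group(1), "peer": sa.group(2), "spi": sa.group(3)}
        elif msg.startswith("Initiating new phase 2"):
            s["phase2_started"] = True
        elif "ISAKMP_CFG_REQUEST" in msg:
            s["modecfg_requests"] += 1
        elif level == "WARNING" and msg.startswith("Ignored") and "attribute" in msg:
            s["ignored_attrs"][int(msg.rsplit(None, 1)[1])] += 1
        elif level == "ERROR" and msg.startswith("Phase 2 negotiation failed"):
            s["phase2_failed"] = True
    hints = []
    if s["phase1"] and s["phase2_failed"]:
        # Phase 2 mismatches live in the VPN policy: PFS (the DH group 2 box) and the
        # local/remote subnet selectors versus the server's crypto map.
        hints.append("phase 2 timed out after a good ISAKMP-SA: check that PFS (DH group 2) "
                     "is enabled and that each local/remote subnet pair matches the server")
    if s["ignored_attrs"]:
        hints.append("RV120W ignored mode-config attributes %s; networks the server pushes "
                     "must be configured by hand as separate VPN policies"
                     % sorted(s["ignored_attrs"]))
    return s, hints
```

Run `triage(open("rv120w.log").read())` on a real export; the returned state tells you whether the problem is before or after the ISAKMP-SA, which separates PSK/XAUTH trouble from VPN-policy trouble.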

Hello Jason! Hope you are doing well. I was wondering, did you finally get the UC520 and RV120W scenario to work? I am about to get an RV120W and was asked by a customer to connect it via VPN to a UC520 acting as a VPN Server.

Thank you very much in advance! My best regards,

Adrian