08-08-2012 01:47 PM
We're getting the following message in the logs when we try to connect:
encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
One of the routers is a V2 and the other is a V4, if that makes any difference. Can someone tell me what exactly that message means?
08-08-2012 01:54 PM
Hi Tom.
This means there is an issue with your phase 1 negotiation. Phase 1 negotiates the parameters to establish the ISAKMP SA. In turn, the ISAKMP SA is then used to protect the future IKE exchanges.
Double check both IKE policies to ensure they completely match.
-Tom
08-08-2012 03:04 PM
Yes, I have double checked the settings. They are exactly the same on both. This is the second tunnel for both routers. Do we need to use different settings for each tunnel perhaps?
08-08-2012 03:07 PM
Hi Tom, each tunnel should have its own policy.
-Tom
08-08-2012 03:11 PM
We're essentially using the same encryption settings for both tunnels. So, when you say we should use another policy, can that simply mean using a different shared key? Or is it something more complex than that?
08-08-2012 03:28 PM
You can use all the same settings; I'd recommend a different password.
You just need to make separate policies for each tunnel, pointing respectively to the correct subnets and WAN IPs.
-Tom
08-08-2012 03:54 PM
Ok, so keeping in mind that I am a software guy, not an IT guy and this is new to me, are you saying that, for example if I used 192.168.1.0 255.255.255.0 as the local group settings for the first tunnel, that I should use something different for the second tunnel?
08-08-2012 04:03 PM
Hi Tom, Please reference this picture below.
The router on the top is 192.168.1.0, let's say this is the main router.
You should have 2 IKE and VPN policies.
The local group for the first router will always be the 192.168.1.0 network. The remote groups will be that of the respective router.
For VPN 1, the local group is 192.168.1.0 and the remote group is 192.168.2.0. The 'main' router of course will point to the WAN IP of the 192.168.2.0 router.
For VPN 2, the same thing: the local group is 192.168.1.0 and the remote group is 192.168.3.0. The 'main' router will point to the WAN IP of the 192.168.3.0 router.
You need to create the policy to be unique to each router wan / local subnet.
-Tom
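The two points Tom makes above, that the phase 1 (ISAKMP) and phase 2 parameters must match exactly between the two peers and that each tunnel on the hub needs its own policy with the correct remote subnet and WAN IP, can be checked mechanically before staring at the log again. The script below is an added example, not code from Cisco or from this thread; the policy field names (`ike`, `ipsec`, `psk`, `local_wan`, `remote_wan`, `local_subnet`, `remote_subnet`) and the sample site addresses are assumptions constructed for illustration, and the third site is deliberately given a mismatched DH group so the phase 1 check has something to report:

```python
"""Cross-check gateway-to-gateway IPsec policies between a hub router and its spokes.

Added example, not vendor code.  The policy layout (field names below) is an
assumption; copy the values from each router's gateway-to-gateway page by hand.
"""
import ipaddress

# Phase 1 (ISAKMP SA) parameters: any mismatch here stops the ISAKMP SA from
# completing, which is the state the "incomplete ISAKMP SA" log message reports.
PHASE1_FIELDS = ("ike_version", "dh_group", "encryption", "hash", "lifetime")
# Phase 2 (IPsec SA) parameters, negotiated only after phase 1 succeeds.
PHASE2_FIELDS = ("encryption", "hash", "pfs_group", "lifetime")


def check_pair(hub, spoke):
    """Compare one hub tunnel policy with the matching spoke policy.

    Returns a list of human-readable mismatches; an empty list means consistent.
    """
    problems = []
    for field in PHASE1_FIELDS:
        h, s = hub["ike"].get(field), spoke["ike"].get(field)
        if h != s:
            problems.append(f"phase1 {field}: hub={h!r} spoke={s!r}")
    for field in PHASE2_FIELDS:
        h, s = hub["ipsec"].get(field), spoke["ipsec"].get(field)
        if h != s:
            problems.append(f"phase2 {field}: hub={h!r} spoke={s!r}")
    if hub["psk"] != spoke["psk"]:
        problems.append("pre-shared key differs")
    # Gateway addresses and local/remote groups must be mirror images.
    if hub["remote_wan"] != spoke["local_wan"]:
        problems.append(f"hub points at {hub['remote_wan']} but spoke WAN is {spoke['local_wan']}")
    if spoke["remote_wan"] != hub["local_wan"]:
        problems.append(f"spoke points at {spoke['remote_wan']} but hub WAN is {hub['local_wan']}")
    if ipaddress.ip_network(hub["local_subnet"]) != ipaddress.ip_network(spoke["remote_subnet"]):
        problems.append("hub local group != spoke remote group")
    if ipaddress.ip_network(hub["remote_subnet"]) != ipaddress.ip_network(spoke["local_subnet"]):
        problems.append("hub remote group != spoke local group")
    return problems


def check_router(tunnels):
    """Checks across all tunnels configured on one router (name -> policy).

    Flags two tunnels pointing at the same peer, a local group that overlaps its
    own remote group, remote groups that overlap each other (a packet can only
    match one tunnel), and a PSK reused across tunnels.
    """
    problems = []
    peers, psks = {}, {}
    items = list(tunnels.items())
    for name, t in items:
        if t["remote_wan"] in peers:
            problems.append(f"{name} and {peers[t['remote_wan']]} both point at {t['remote_wan']}")
        peers.setdefault(t["remote_wan"], name)
        if t["psk"] in psks:
            problems.append(f"{name} reuses the PSK of {psks[t['psk']]}")
        psks.setdefault(t["psk"], name)
        local = ipaddress.ip_network(t["local_subnet"])
        remote = ipaddress.ip_network(t["remote_subnet"])
        if local.overlaps(remote):
            problems.append(f"{name}: local {local} overlaps remote {remote}")
    for i, (a_name, a) in enumerate(items):
        for b_name, b in items[i + 1:]:
            ra = ipaddress.ip_network(a["remote_subnet"])
            rb = ipaddress.ip_network(b["remote_subnet"])
            if ra.overlaps(rb):
                problems.append(f"{a_name} and {b_name} have overlapping remote groups {ra} / {rb}")
    return problems


# Constructed sample data (documentation address ranges, not real sites).
IKE_OK = {"ike_version": 1, "dh_group": 2, "encryption": "aes256", "hash": "sha1", "lifetime": 28800}
IPSEC_OK = {"encryption": "aes256", "hash": "sha1", "pfs_group": 2, "lifetime": 3600}

HUB = {
    "vpn1": {"local_wan": "203.0.113.1", "remote_wan": "198.51.100.2",
             "local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.2.0/24",
             "psk": "key-for-site2", "ike": IKE_OK, "ipsec": IPSEC_OK},
    "vpn2": {"local_wan": "203.0.113.1", "remote_wan": "198.51.100.3",
             "local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.3.0/24",
             "psk": "key-for-site3", "ike": IKE_OK, "ipsec": IPSEC_OK},
}
SITE2 = {"local_wan": "198.51.100.2", "remote_wan": "203.0.113.1",
         "local_subnet": "192.168.2.0/24", "remote_subnet": "192.168.1.0/24",
         "psk": "key-for-site2", "ike": IKE_OK, "ipsec": IPSEC_OK}
# Site 3 was set up with DH group 5, so its ISAKMP SA never completes.
SITE3 = {**SITE2, "local_wan": "198.51.100.3", "local_subnet": "192.168.3.0/24",
         "psk": "key-for-site3", "ike": {**IKE_OK, "dh_group": 5}}


def run_checks():
    """Run every check for the sample topology and return the findings by name."""
    return {"hub": check_router(HUB),
            "vpn1": check_pair(HUB["vpn1"], SITE2),
            "vpn2": check_pair(HUB["vpn2"], SITE3)}


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, "OK" if not problems else problems)
```

The `check_pair` output for vpn2 points straight at the DH group, which is the kind of phase 1 mismatch that produces the log line in the first post; `check_router` also warns when the same PSK is reused for two tunnels, which is Tom's recommendation above rather than a hard requirement, so treat that finding as advice.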
08-08-2012 04:11 PM
Yes, so it looks like we have the basic setup correct. I'm not sure I understand what you mean when you refer to "policy".
08-08-2012 04:18 PM
Hi Tom,
When you navigate to VPN and create a gateway-to-gateway connection, this page encompasses two facets of information: the IKE policy and the IPsec policy.
Anyway, for each connection, you need to define the properties for each unique VPN tunnel between sites.
-Tom
08-08-2012 04:28 PM
Yes, I think the UI handles all of that for us when we added the second tunnel. Each tunnel definitely has its own set of settings, though nearly all of the settings are identical.
08-08-2012 04:40 PM
Tom,
Please post screenshots of the gateway-to-gateway pages for all 3 routers. If the tunnels are not connecting, it is usually a misconfiguration between tunnels. If we can verify everything is 100% matching, then we can look at other possibilities for why your tunnel does not connect.
-Tom
08-08-2012 05:16 PM
Looks like we have it working. We had to add firewall rules on both ends. Never saw any instructions for that anywhere.