VPN L2TP/IPSec between RV340 and Android 8.0/ Windows 7 clients (partially solved)

Hello everyone,

I have an RV340, version 1.0.02.16 (new firmware), and I am trying to create an L2TP/IPSec VPN for Windows 7 and Android 8.0 clients.
On Android, the VPN connects and disconnects just as quickly. Under Windows I always get a 789 error.

I am testing between 2 local routers (B-Box Proximus and RV340).
The B-Box has IP 192.168.1.254 on the WAN and 172.31.1.1 on the LAN.
The B-Box has a DMZ configured to the RV340 at 192.168.1.254.

What's the problem?

Thank you in advance.

Here are the config and log of the RV340.

Configuration IPSec Profiles
-----------------------------
Profile name : test
Keying mode : auto
IKE Version : IKEv1

Phase 1 Options
DH Group : Group2 - 1024bit
Encryption : 3DES
Authentication : MD5
SA Lifetime : 3600

Phase 2 Options
Protocol Selection : ESP
Encryption : 3DES
Authentication : MD5
SA Lifetime : 3600
Perfect Forward Secrecy : disable

Configuration L2TP server
-------------------------
L2TP Server : On
MTU : 1400

Address Pool
Start IP Address : 192.168.31.1
End IP Address : 192.168.31.25
DNS1 IP Address : 8.8.8.8
DNS2 IP Address : 195.238.2.21
IPSec : On
IPSec Profile : test
Pre-shared Key : *****************

2019-02-08T18:10:04+01:00 <info>charon: 15[IKE] CHILD_SA l2tp_l2tpOverIpsec_wan1{11} established with SPIs c8b7d27a_i 0ffc93dd_o and TS 192.168.1.254/32[udp/l2f] === 192.168.1.41/32[udp]
2019-02-08T18:10:07+01:00 <info>charon: 11[IKE] deleting IKE_SA l2tp_l2tpOverIpsec_wan1[122] between 192.168.1.254[192.168.1.254]...192.168.1.41[192.168.1.41]

2019-02-08T18:10:02+01:00 <info>charon: 09[NET] received packet: from 192.168.1.41[500] to 192.168.1.254[500] (724 bytes)
2019-02-08T18:10:02+01:00 <info>charon: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] received NAT-T (RFC 3947) vendor ID
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] received FRAGMENTATION vendor ID
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] received DPD vendor ID
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] 192.168.1.41 is initiating a Main Mode IKE_SA
2019-02-08T18:10:02+01:00 <info>charon: Last message '09[IKE] 192.168.1.41' repeated 1 times, supressed by syslog-ng on router4460AF
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] IKE_SA (unnamed)[122] state change: CREATED => CONNECTING
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] sending XAuth vendor ID
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] sending DPD vendor ID
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] sending Cisco Unity vendor ID
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] sending FRAGMENTATION vendor ID
2019-02-08T18:10:02+01:00 <info>charon: 09[IKE] sending NAT-T (RFC 3947) vendor ID
2019-02-08T18:10:02+01:00 <info>charon: 09[ENC] generating ID_PROT response 0 [ SA V V V V V ]
2019-02-08T18:10:02+01:00 <info>charon: 09[NET] sending packet: from 192.168.1.254[500] to 192.168.1.41[500] (176 bytes)
2019-02-08T18:10:02+01:00 <info>charon: 10[NET] received packet: from 192.168.1.41[500] to 192.168.1.254[500] (220 bytes)
2019-02-08T18:10:02+01:00 <info>charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2019-02-08T18:10:03+01:00 <info>charon: 10[IKE] FSLDBG: Now searching for PSK with :my_id,me,other_id,other: '192.168.1.254'[192.168.1.254] - '(null)'[192.168.1.41]
2019-02-08T18:10:03+01:00 <info>charon: 10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2019-02-08T18:10:03+01:00 <info>charon: 10[NET] sending packet: from 192.168.1.254[500] to 192.168.1.41[500] (236 bytes)
2019-02-08T18:10:03+01:00 <info>charon: 06[NET] received packet: from 192.168.1.41[500] to 192.168.1.254[500] (76 bytes)
2019-02-08T18:10:03+01:00 <info>charon: 06[ENC] parsed ID_PROT request 0 [ ID HASH ]
2019-02-08T18:10:03+01:00 <info>charon: 06[CFG] looking for pre-shared key peer configs matching 192.168.1.254...192.168.1.41[192.168.1.41]
2019-02-08T18:10:03+01:00 <info>charon: 06[CFG] selected peer config l2tp_l2tpOverIpsec_wan1
2019-02-08T18:10:03+01:00 <info>charon: 06[IKE] IKE_SA l2tp_l2tpOverIpsec_wan1[122] established between 192.168.1.254[192.168.1.254]...192.168.1.41[192.168.1.41]
2019-02-08T18:10:03+01:00 <info>charon: Last message '06[IKE] IKE_SA l2tp_' repeated 1 times, supressed by syslog-ng on router4460AF
2019-02-08T18:10:03+01:00 <info>charon: 06[IKE] IKE_SA l2tp_l2tpOverIpsec_wan1[122] state change: CONNECTING => ESTABLISHED
2019-02-08T18:10:03+01:00 <info>charon: 06[IKE] scheduling reauthentication in 3271s
2019-02-08T18:10:03+01:00 <info>charon: 06[IKE] maximum IKE_SA lifetime 3451s
2019-02-08T18:10:03+01:00 <info>charon: 06[ENC] generating ID_PROT response 0 [ ID HASH ]
2019-02-08T18:10:03+01:00 <info>charon: 06[NET] sending packet: from 192.168.1.254[500] to 192.168.1.41[500] (68 bytes)
2019-02-08T18:10:03+01:00 <info>charon: 13[NET] received packet: from 192.168.1.41[500] to 192.168.1.254[500] (92 bytes)
2019-02-08T18:10:03+01:00 <info>charon: 13[ENC] parsed INFORMATIONAL_V1 request 2236545441 [ HASH N(INITIAL_CONTACT) ]
2019-02-08T18:10:04+01:00 <info>charon: 08[NET] received packet: from 192.168.1.41[500] to 192.168.1.254[500] (652 bytes)
2019-02-08T18:10:04+01:00 <info>charon: 08[ENC] parsed QUICK_MODE request 3560604964 [ HASH SA No ID ID ]
2019-02-08T18:10:04+01:00 <info>charon: 08[IKE] received 28800s lifetime, configured 3600s
2019-02-08T18:10:04+01:00 <info>charon: 08[ENC] generating QUICK_MODE response 3560604964 [ HASH SA No ID ID ]
2019-02-08T18:10:04+01:00 <info>charon: 08[NET] sending packet: from 192.168.1.254[500] to 192.168.1.41[500] (164 bytes)
2019-02-08T18:10:04+01:00 <info>charon: 15[NET] received packet: from 192.168.1.41[500] to 192.168.1.254[500] (60 bytes)
2019-02-08T18:10:04+01:00 <info>charon: 15[ENC] parsed QUICK_MODE request 3560604964 [ HASH ]
2019-02-08T18:10:04+01:00 <info>charon: 15[CHD]   using 3DES_CBC for encryption
2019-02-08T18:10:04+01:00 <info>charon: 15[CHD]   using HMAC_MD5_96 for integrity
2019-02-08T18:10:04+01:00 <info>charon: 15[CHD] adding inbound ESP SA
2019-02-08T18:10:04+01:00 <info>charon: 15[CHD]   SPI 0xc8b7d27a, src 192.168.1.41 dst 192.168.1.254
2019-02-08T18:10:04+01:00 <info>charon: 15[CHD] adding outbound ESP SA
2019-02-08T18:10:04+01:00 <info>charon: 15[CHD]   SPI 0x0ffc93dd, src 192.168.1.254 dst 192.168.1.41
2019-02-08T18:10:04+01:00 <info>charon: 15[IKE] CHILD_SA l2tp_l2tpOverIpsec_wan1{11} established with SPIs c8b7d27a_i 0ffc93dd_o and TS 192.168.1.254/32[udp/l2f] === 192.168.1.41/32[udp]
2019-02-08T18:10:04+01:00 <info>charon: Last message '15[IKE] CHILD_SA l2t' repeated 1 times, supressed by syslog-ng on router4460AF
2019-02-08T18:10:04+01:00 <info>charon: 15[CHD] updown: uci: Entry not found
2019-02-08T18:10:06+01:00 <debug>xl2tpd: control_finish: Peer requested tunnel 60818 twice, ignoring second one.
2019-02-08T18:10:06+01:00 <notice>xl2tpd: Connection established to 192.168.1.41, 42483.  Local: 5655, Remote: 60818 (ref=0/0).  LNS session is 'default'
2019-02-08T18:10:06+01:00 <warning>xl2tpd: L2TP tunnels used:0.
2019-02-08T18:10:06+01:00 <debug>xl2tpd: start_pppd: I'm running:
2019-02-08T18:10:06+01:00 <debug>xl2tpd: /usr/sbin/pppd
2019-02-08T18:10:06+01:00 <debug>xl2tpd: passive
2019-02-08T18:10:06+01:00 <debug>xl2tpd: nodetach
2019-02-08T18:10:06+01:00 <debug>xl2tpd: 192.168.31.1:192.168.31.2
2019-02-08T18:10:06+01:00 <debug>xl2tpd: auth
2019-02-08T18:10:06+01:00 <debug>xl2tpd: require-pap
2019-02-08T18:10:06+01:00 <debug>xl2tpd: require-chap
2019-02-08T18:10:06+01:00 <debug>xl2tpd: name
2019-02-08T18:10:06+01:00 <debug>xl2tpd: l2tpsrvgw
2019-02-08T18:10:06+01:00 <debug>xl2tpd: debug
2019-02-08T18:10:06+01:00 <debug>xl2tpd: file
2019-02-08T18:10:06+01:00 <debug>xl2tpd: /etc/ppp/options.xl2tpd
2019-02-08T18:10:06+01:00 <debug>xl2tpd: ipparam
2019-02-08T18:10:06+01:00 <debug>xl2tpd: 192.168.1.41
2019-02-08T18:10:06+01:00 <debug>xl2tpd: plugin
2019-02-08T18:10:06+01:00 <debug>xl2tpd: pppol2tp.so
2019-02-08T18:10:06+01:00 <debug>xl2tpd: pppol2tp
2019-02-08T18:10:06+01:00 <debug>xl2tpd: 9
2019-02-08T18:10:06+01:00 <notice>xl2tpd: Call established with 192.168.1.41, Local: 51193, Remote: 7658, Serial: -795679477
2019-02-08T18:10:07+01:00 <info>charon: 13[KNL] interface ppp0 deleted
2019-02-08T18:10:07+01:00 <debug>xl2tpd: child_handler : pppd exited for call 7658 with code 11
2019-02-08T18:10:07+01:00 <info>xl2tpd: call_close: Call 51193 to 192.168.1.41 disconnected
2019-02-08T18:10:07+01:00 <debug>xl2tpd: result_code_avp: avp is incorrect size.  8 < 10
2019-02-08T18:10:07+01:00 <warning>xl2tpd: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
2019-02-08T18:10:07+01:00 <debug>xl2tpd: Terminating pppd: sending TERM signal to pid 7000
2019-02-08T18:10:07+01:00 <info>xl2tpd: Connection 60818 closed to 192.168.1.41, port 42483 (Result Code: expected at least 10, got 8)
2019-02-08T18:10:07+01:00 <warning>xl2tpd: network_thread: recvfrom returned error 111 (Connection refused)
2019-02-08T18:10:07+01:00 <info>charon: 08[IKE] keeping connection path 192.168.1.254 - 192.168.1.41
2019-02-08T18:10:07+01:00 <info>charon: 15[NET] received packet: from 192.168.1.41[500] to 192.168.1.254[500] (76 bytes)
2019-02-08T18:10:07+01:00 <info>charon: 15[ENC] parsed INFORMATIONAL_V1 request 2190434216 [ HASH D ]
2019-02-08T18:10:07+01:00 <info>charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI 0ffc93dd
2019-02-08T18:10:07+01:00 <info>charon: 15[IKE] closing CHILD_SA l2tp_l2tpOverIpsec_wan1{11} with SPIs c8b7d27a_i (0 bytes) 0ffc93dd_o (0 bytes) and TS 192.168.1.254/32[udp/l2f] === 192.168.1.41/32[udp]
2019-02-08T18:10:07+01:00 <info>charon: Last message '15[IKE] closing CHIL' repeated 1 times, supressed by syslog-ng on router4460AF
2019-02-08T18:10:07+01:00 <info>charon: 15[CHD] updown: uci: Entry not found
2019-02-08T18:10:07+01:00 <info>charon: 11[NET] received packet: from 192.168.1.41[500] to 192.168.1.254[500] (92 bytes)
2019-02-08T18:10:07+01:00 <info>charon: 11[ENC] parsed INFORMATIONAL_V1 request 3378295642 [ HASH D ]
2019-02-08T18:10:07+01:00 <info>charon: 11[IKE] received DELETE for IKE_SA l2tp_l2tpOverIpsec_wan1[122]
2019-02-08T18:10:07+01:00 <info>charon: 11[IKE] deleting IKE_SA l2tp_l2tpOverIpsec_wan1[122] between 192.168.1.254[192.168.1.254]...192.168.1.41[192.168.1.41]
2019-02-08T18:10:07+01:00 <info>charon: Last message '11[IKE] deleting IKE' repeated 1 times, supressed by syslog-ng on router4460AF
2019-02-08T18:10:07+01:00 <info>charon: 11[IKE] IKE_SA l2tp_l2tpOverIpsec_wan1[122] state change: ESTABLISHED => DELETING
2019-02-08T18:10:07+01:00 <info>charon: 11[IKE] IKE_SA l2tp_l2tpOverIpsec_wan1[122] state change: DELETING => DELETING
2019-02-08T18:10:07+01:00 <info>charon: 11[IKE] IKE_SA l2tp_l2tpOverIpsec_wan1[122] state change: DELETING => DESTROYING
2019-02-08T18:10:12+01:00 <debug>xl2tpd: Unable to deliver closing message for tunnel 5655. Destroying anyway.

10 Replies

Hello,

 

I looked around and apparently other users were having the same problem with the RV340. Cisco support has been distributing the attached PDF...

Hi Georg Pauwen,

Thank you for your answer, I will look at the PDF file hoping that it helps me to solve the problem.

Best regards

Hello,
Sorry for my late follow-up, but I still have no solution to my problem even with the PDF document distributed by Cisco.

Can someone help me please?

Hello again,

I found the solution to the problem in an existing post (link) but it does not help me:

4. L2TP+IPsec is also an option with the RV340 series ( only if the RV is directly connected to the ISP, not behind NAT).

 

I will try otherwise.

 

Best Regards

@Georg Pauwen The PDF you provided has a critical deletion on page 1 regarding the needed IPSec profile settings hard-coded into Windows L2TP/IPSec clients, whose details Microsoft does not disclose.

 

O.P. Ridellec (ridellec@gmail.com) posted the IPSec parameters, and they are not the right ones. I'll repost Pauwen's PDF with a title change and said IPSec parameters supplied on page 1.

Jason South
Level 1

I've tried every combination of settings available within L2TP on the RV340 and the Windows built-in VPN client will not connect. Is this a known bug, or is there some configuration missing on either the RV340 or in Windows that isn't obvious?

 

The issue seems to exist from Android as well, so it must be a bug or config issue on the RV340.

I did get L2TP to work a while back on Windows using the previous firmware with PAP. I can't get it to work now on Windows 10. It's a big concern that the only workable example from Cisco uses an unencrypted password (PAP), as this seems like a big security risk.

I believe this is the reason it doesn't work on Android as I don't think Android supports PAP.

Cisco, please can you provide a Windows 10 and Android setup document for L2TP on the RV340. You are advertising on your website (https://www.cisco.com/c/en/us/products/routers/rv340-dual-gigabit-wan-vpn-router/index.html) that the device supports L2TP, yet there doesn't seem to be a case of anyone getting this working on the latest firmware on the latest Windows OS.

Thanks.

The hours I have spent on this **** router (RV340). First it would NOT change the IP address of the router with the newest firmware, and now I find out that it won't do VPN correctly. I have spent at least 15 hours (un-billable, and all I have learned is that Cisco support sucks) fighting this thing and have tried for the last 24 hours to get support to call me back. The router is going back and I will do everything I can to not buy anything else from Cisco.

Thank you everyone for posting. I am at least relieved that I did correctly set it up. 

Hello,

 

Are you using AnyConnect?

 

As for the router, they just released a new firmware update (1.0.03.15), do you have that installed ?

 

https://software.cisco.com/download/home/286287791/type/282465789/release/1.0.03.15

The first 7 hours were spent trying to change the router's IP address with the "newest" firmware. After two hours on the phone with support, the support person installed an older firmware and changed the IP, then installed the new firmware, then refused to help me with the VPN setup (insisted that I go through the process of creating a new ticket and waiting again for support). I tried for another 8 or so hours using the Windows client, not AnyConnect (the same way we had been doing it with the old Cisco router). I then had my brother, who is a Red Hat engineer, go through it with me for 2 hours, but of course we did not try using an unencrypted password. IF it only works with AnyConnect, then the instructions should say that. The sales sheet should say that. I did try connecting from both Win 7 and Win 10.

AND support never did call me back about setting up the VPN. I would get an email asking for details and with instructions, but they would not call me even though I asked them to with every response.

From what I can see it is a roll of the dice as to what works with which firmware you are running. I am returning the router and moving on to something else.
