
Cisco RV220W IPSec VPN Problem Local configuration for does not have mode config

petersmike
Level 1

Dear All,

I need help. I am currently evaluating the RV220W for VPN usage, but I'm stuck with the config somehow; it seems there is a problem with Mode-Config?

What must be changed, or where is my fault?

I have set up IPSec according to the RV220W Admin Guide. The client is a Mac with the Mac VPN Cisco IPSec client; I have also tried NCP Secure Client.

I have 3 other locations where the config on my Mac works fine, but VPN router is not Cisco.

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Remote configuration for identifier "remote.com" found

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received request for new phase 1 negotiation: x.x.x.x[500]<=>2.206.0.67[53056]

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Beginning Aggressive mode.

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received Vendor ID: RFC 3947

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received unknown Vendor ID

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received Vendor ID: CISCO-UNITY

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Received Vendor ID: DPD

2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  For 2.206.0.67[53056], Selected NAT-T version: RFC 3947

2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  Floating ports for NAT-T with peer 2.206.0.67[52149]

2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  NAT-D payload matches for x.x.x.x[4500]

2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  NAT-D payload does not match for 2.206.0.67[52149]

2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  NAT detected: Peer is behind a NAT device

2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  Sending Xauth request to 2.206.0.67[52149]

2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  ISAKMP-SA established for x.x.x.x[4500]-2.206.0.67[52149] with spi:1369a43b6dda8a7d:fd874108e09e207e

2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  Received attribute type "ISAKMP_CFG_REPLY" from 2.206.0.67[52149]

2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  Login succeeded for user "Testuser"

2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  Received attribute type "ISAKMP_CFG_REQUEST" from 2.206.0.67[52149]

2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config

2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config

2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config

2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config

2013-03-07 01:55:50: [CiscoFirewall][IKE] WARNING:  Ignored attribute 5

2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config

2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config

2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config

2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config

2013-03-07 01:55:50: [CiscoFirewall][IKE] WARNING:  Ignored attribute 28678

2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config

2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config

2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config

2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config

2013-03-07 01:55:50: [CiscoFirewall][IKE] WARNING:  Ignored attribute 28683

2013-03-07 01:56:07: [CiscoFirewall][IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=1369a43b6dda8a7d:fd874108e09e207e.

2013-03-07 01:56:08: [CiscoFirewall][IKE] INFO:  ISAKMP-SA deleted for x.x.x.x[4500]-2.206.0.67[52149] with spi:1369a43b6dda8a7d:fd874108e09e207e
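Added example, not part of the original post or of any Cisco tooling: a small Python parser for the log format shown above that reports which negotiation stages were reached and whether the session failed at mode config after XAuth succeeded. The sample lines are a subset copied from the post's log; the stage names and the `diagnose` function are this example's own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the lines from the log in the post above.
SAMPLE_LOG = """\
2013-03-07 01:55:49: [CiscoFirewall][IKE] INFO:  Beginning Aggressive mode.
2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  NAT detected: Peer is behind a NAT device
2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  Sending Xauth request to 2.206.0.67[52149]
2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  ISAKMP-SA established for x.x.x.x[4500]-2.206.0.67[52149] with spi:1369a43b6dda8a7d:fd874108e09e207e
2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  Login succeeded for user "Testuser"
2013-03-07 01:55:50: [CiscoFirewall][IKE] INFO:  Received attribute type "ISAKMP_CFG_REQUEST" from 2.206.0.67[52149]
2013-03-07 01:55:50: [CiscoFirewall][IKE] ERROR:  Local configuration for 2.206.0.67[52149] does not have mode config
2013-03-07 01:55:50: [CiscoFirewall][IKE] WARNING:  Ignored attribute 5
2013-03-07 01:56:07: [CiscoFirewall][IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=1369a43b6dda8a7d:fd874108e09e207e.
"""

# timestamp, "[device][IKE]", level, message
LINE_RE = re.compile(r"^(\S+ \S+): \[[^\]]*\]\[IKE\] (INFO|ERROR|WARNING):\s+(.*)$")

# Negotiation stages (names are this example's own), each keyed by a message substring.
STAGES = [
    ("phase1_started", "Beginning Aggressive mode"),
    ("isakmp_sa_established", "ISAKMP-SA established"),
    ("xauth_ok", "Login succeeded for user"),
    ("mode_config_requested", 'Received attribute type "ISAKMP_CFG_REQUEST"'),
]

def diagnose(log_text):
    """Return the stages reached, grouped errors, and the failing stage if any."""
    reached, errors, ignored = [], Counter(), []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        _, level, msg = m.groups()
        for name, marker in STAGES:
            if marker in msg and name not in reached:
                reached.append(name)
        if level == "ERROR":
            # Replace peer address[port] so repeated errors group under one key.
            errors[re.sub(r"\d+\.\d+\.\d+\.\d+\[\d+\]", "<peer>", msg)] += 1
        elif msg.startswith("Ignored attribute"):
            ignored.append(int(msg.split()[-1]))
    refused = any("does not have mode config" in e for e in errors)
    failed_at = "mode_config" if refused and "xauth_ok" in reached else None
    return {"reached": reached, "failed_at": failed_at,
            "errors": dict(errors), "ignored_attributes": ignored}
```

Run against the full log from the post, the same function groups the twelve repeated errors under one key and lists the ignored attribute numbers 5, 28678 and 28683.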


Tom Watts
VIP Alumni

Hi Mike, the built-in Mac client will not work with the RV220W. The reason being, the Mac IPSec client is the same as the Cisco 5.x VPN client.

The reason this matters is because the 5.x client only works on certain small business products, which include the SRP500 and SA500 series.

I would recommend you look into using a VPN client such as Greenbow or IPSecuritas.

-Tom
Please mark answered for helpful posts


petersmike
Level 1

Hi Tom, thanks a lot for the fast answer and support, really appreciated.

For my understanding, the IPSec feature is then not fully implemented in this router? More optimized for the QuickVPN client?

If I would like to access the IPSec VPN by iPad, I would have the same problem that the iPad Cisco client won't work.

PPTP is no option anymore.

For SSL VPN without browser access / usage I would need a client like Cisco Anyconnect for Mac, iPad and Win but the client needs a license as far as I understand.

Hi Mike, SSL is through web browser only because it uses a "portal page". AnyConnect also does not work on this product due to the nature of the VPN (same nature as the older Cisco 5.x client). These VPN clients were designed to work with IOS products, while the majority of the small business products were designed not to use these clients as a way to separate the product lines and feature sets.

I do not know how an iPad works, but if you're able to install IPSecuritas, this client works perfectly normally for Mac platforms.

-Tom
Please mark answered for helpful posts


Tom, thanks a lot, IPSecuritas works fine with the Mac, but I don't want to be limited to Mac only, iPad and iPhone BYOD is coming soon, also Win8 will be rolled out and only standard IPsec implementations will be allowed or access via SSL-VPN client, not SSL-VPN web / webclient / webinstall due to ActiveX / Java limitations and the needed drive access.

It is nice that someone at Cisco makes politics and cuts off router features to promote the bigger IOS products, but then marketing should clearly show these limitations: that IPsec will only work with QuickVPN and compatible clients like IPSecuritas, and that this router is not compatible with standard IPsec implementations with Preshared Key and XAuth, even though these options and functionality are described in the admin guide and device emulator!

My understanding from the product marketing was that it would fully support IPsec, but I was wrong. Marketing says it will do IPsec, and the online device emulator also clearly states "Standard IPsec (XAuth)".

https://www.cisco.com/web/sbtg/gui_mockups/RV220W_v1/xauthUserConfig.htm

I like this router and its rich feature set, VLAN tagging and inter-VLAN routing, but if the device is not capable of handling all sorts of standard IPsec clients, it is useless for me. Hopefully there will be a firmware update to get the router up to date. IPsec is the standard, PPTP is no longer accepted as secure, and all devices (iPad, iPhone, Android phone, tablet, PC, Mac) support standard IPsec without any installs. I understand the promotion of the IOS series, but that is far away from Small Business, and other vendors have SMB products in the same pricing range which fully support IPsec. I got one yesterday; I just need to edit a simple config file with vi and it works with all clients. Pricing is the same as the RV220W, but the routing and VLAN features are missing.

From my point of view, the separation from IOS should be the throughput; this should separate SMB from IOS. I cannot put an IOS router in every office. I need a solution which allows the small offices to use SMB stuff and the main offices IOS, but all must be compatible with the IPsec standard.

I'm currently testing the third party router for IPsec access which works fine and the RV220W behind it for VLAN, DHCP, WLAN etc.

The RV220W is a waste of money if one needs IPSEC.

This thread was very helpful. Now I know why I will never get IPSEC running ...

this is after weeks of discussions with the support guys at CISCO.

Which router did you test?

BTW RV220W also has problems with Bonjour, 5GHz wireless does not work.

So, Mac users, beware!

It is not a waste of money. I thought the same, but the RV220W actually works with IPSec.

Lack of support is more descriptive of the problem.

This document explains how to set up the RV220w for IPSec, and connecting using free IPSec clients on both Windows and MacOS.

ENJOY!

https://drive.google.com/file/d/0B0EERf9TN4v1Ym9uaWRlMXhfVGM/edit?usp=sharing
