Problems with vpn and pptp

mdavidson58
Level 1

I have an RV016 with 3 dsl connections.  I am running 3.0.2.01 tm of the RV016 firmware.  Each dsl connection is behind a Netopia 3000.   I have one netopia in bridge mode bridging the external ip to the internal.  I have one in "gateway" mode.  I am mapping all IP traffic to the internal gateway address of that model.  The third interface has been disconnected so I can debug the pptp and vpn issues.

ex:

  Bridge Int:
    Netopia Int  70.xxx.xxx.xxx
    RV016 Int: DHCP and becomes the same as the bridge

  Gateway Int:
    Netopia Ext 70.xxx.xxx.xxx
    Netopia Int  192.168.1.254
    Netopia "default server" maps ext interface to 192.168.1.1
    RV016 Int: 192.168.1.1

I have configured PPTP and I see in the logs that port 1723 has a successful connection and the Windows 7 (and iphone) PPTP client begins authenticating.  I have a simple account set up and both the iphone and windows 7 pptp clients will prompt that it is authenticating user/password and then fail the pptp session. 

I get the exact same problem on the bridged interface as I do the gateway interface.  I have used two different PPTP clients (iphone and Windows 7) and at least 4 different windows 7 computers and still have the same issue. 

I have also configured a client to gateway ipsec.  I am using the shrewsoft ipsec client.  My settings are as follows:

Remote Client Setup
  Remote Client: Domain Name

IPSec Setup
  Keying Mode: IKE with Preshared key
  Phase1 DH Group:
  Phase1 Encryption:
  Phase1 Authentication:
  Phase1 SA Life Time:
  Perfect Forward Secrecy:
  Phase2 DH Group:
  Phase2 Encryption:
  Phase2 Authentication:
  Phase2 SA Life Time:
  Preshared Key:

I am set up using IKE over NAT.  My ipsec client is configured identically.  The client will retry the initial IKE negotiation 3 times then fail.  I do NOT see any logging information for the IKE session in the RV016 log files.

I have ALSO configured QVPN clients and none of these are working properly on any of my interfaces.  I have connected the RV016 to a test lan and also cannot get these interfaces to work bypassing the netopias/internet altogether.  I am either having an issue with the firmware and/or the hardware.  I have tried to upgrade to 4.0 of the firmware but that failed.  I have to have the vpn up by next week to support Cisco Live attendees.  I would appreciate your support.

2 Replies

josomm
Level 1

Out of thin air, some things to think about or try - just thinking out loud...

- Is there any filtering in front of either the client or the RV?

- You mentioned nothing in the logs - anything show up with a sniffer?

- What about client logs? Somewhere there must be a hint of what is not jibing...

- How about taking the shrewsoft/qvpn clients and point them to another box? To verify they are functioning...

- What about dropping down from AES256 to AES128 or even triple des?

- PPTP and NAT potentially don't play well together - is there NAT going on in front of the clients or the box itself?

- Is UDP 4500 open both ways? Is it being passed inbound where appropriate? No ACLs, filtering, etc.

- Have you tried downgrading and/or upgrading firmware? clients?

- You mentioned issues w/ upgrading firmware. Factory reset and try again?

Sorry I don't have anything concrete - hopefully some of the above will nudge this in the positive direction.

Support can also assist with this as well...

The client shows the following messages:

1/07/06 21:38:49 >> : security association payload
11/07/06 21:38:49 >> : - proposal #1 payload
11/07/06 21:38:49 >> : -- transform #1 payload
11/07/06 21:38:49 >> : -- transform #2 payload
11/07/06 21:38:49 >> : -- transform #3 payload
11/07/06 21:38:49 >> : -- transform #4 payload
11/07/06 21:38:49 >> : -- transform #5 payload
11/07/06 21:38:49 >> : -- transform #6 payload
11/07/06 21:38:49 >> : -- transform #7 payload
11/07/06 21:38:49 >> : -- transform #8 payload
11/07/06 21:38:49 >> : -- transform #9 payload
11/07/06 21:38:49 >> : key exchange payload
11/07/06 21:38:49 >> : nonce payload
11/07/06 21:38:49 >> : identification payload
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports nat-t ( draft v00 )
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports nat-t ( draft v01 )
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports nat-t ( draft v02 )
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports nat-t ( draft v03 )
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports nat-t ( rfc )
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports FRAGMENTATION
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local supports DPDv1
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local is SHREW SOFT compatible
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local is NETSCREEN compatible
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local is SIDEWINDER compatible
11/07/06 21:38:49 >> : vendor id payload
11/07/06 21:38:49 ii : local is CISCO UNITY compatible
11/07/06 21:38:49 >= : cookies 2ee1cb6c3c9f4389:0000000000000000
11/07/06 21:38:49 >= : message 00000000
11/07/06 21:38:49 -> : send IKE packet 192.168.1.58:500 -> x.x.x.x:500 ( 814 bytes )
11/07/06 21:38:49 DB : phase1 resend event scheduled ( ref count = 2 )
11/07/06 21:38:49 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
11/07/06 21:38:54 -> : resend 1 phase1 packet(s) [0/2] 192.168.1.58:500 -> x.x.x.x:500
11/07/06 21:38:59 -> : resend 1 phase1 packet(s) [1/2] 192.168.1.58:500 -> x.x.x.x:500
11/07/06 21:39:04 -> : resend 1 phase1 packet(s) [2/2] 192.168.1.58:500 -> x.x.x.x:500
11/07/06 21:39:09 ii : resend limit exceeded for phase1 exchange
11/07/06 21:39:09 ii : phase1 removal before expire time
11/07/06 21:39:09 DB : phase1 deleted ( obj count = 0 )
11/07/06 21:39:09 DB : tunnel ref decrement ( ref count = 1, obj count = 1 )
11/07/06 21:39:09 DB : policy not found
11/07/06 21:39:09 DB : policy not found
11/07/06 21:39:09 DB : policy not found
11/07/06 21:39:09 DB : policy not found
11/07/06 21:39:09 DB : policy not found
11/07/06 21:39:09 DB : policy not found
11/07/06 21:39:09 DB : removing tunnel config references
11/07/06 21:39:09 DB : removing tunnel phase2 references
11/07/06 21:39:09 DB : removing tunnel phase1 references
11/07/06 21:39:09 DB : tunnel deleted ( obj count = 0 )
11/07/06 21:39:09 DB : peer ref decrement ( ref count = 1, obj count = 1 )
11/07/06 21:39:09 DB : removing all peer tunnel refrences
11/07/06 21:39:09 DB : peer deleted ( obj count = 0 )
11/07/06 21:39:09 ii : ipc client process thread exit ...

The VPN log on the RV016 shows the following:

57 2011    VPN Log   Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-00]
Jul 6 20:37:57 2011    VPN Log   Ignoring Vendor ID payload [16f6ca16e4a4066d...]
Jul 6 20:37:57 2011    VPN Log   Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 6 20:37:57 2011    VPN Log   Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]
Jul 6 20:37:57 2011    VPN Log   Ignoring Vendor ID payload [4a131c8107035845...]
Jul 6 20:37:57 2011    VPN Log   Ignoring Vendor ID payload [4048b7d56ebce885...]
Jul 6 20:37:57 2011    VPN Log   Received Vendor ID payload Type = [Dead Peer Detection]
Jul 6 20:37:57 2011    VPN Log   Ignoring Vendor ID payload [3b9031dce4fcf88b...]
Jul 6 20:37:57 2011    VPN Log   Ignoring Vendor ID payload [f14b94b7bff1fef0...]
Jul 6 20:37:57 2011    VPN Log   Ignoring Vendor ID payload [166f932d55eb64d8...]
Jul 6 20:37:57 2011    VPN Log   Ignoring Vendor ID payload [8404adf9cda05760...]
Jul 6 20:37:57 2011    VPN Log   Ignoring Vendor ID payload Type = [Cisco-Unity]
Jul 6 20:37:57 2011    VPN Log   [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet
Jul 6 20:37:57 2011    VPN Log   Initial Aggressive Mode message from x.x1.x.x but no (wildcard) connection has been configured
Jul 6 20:37:57 2011    VPN Log   Initial Aggressive Mode message from x.x.x.x but no (wildcard) connection has been configured

I don't have another box to test the vpn clients with, but I DID test the pptp and that works outside of the rv016.

In testing, I dropped all the way to DES and still got the same issue.

There is no firewall in place blocking any traffic.  Unless the RV016 is blocking 4500 from itself.

No, I didn't downgrade but I did do a factory reset several times.

Thanks for the suggestions.
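Read together, the two traces in this reply already locate the failure, and they also answer josomm's filtering and sniffer questions above: the RV016 logged the client's aggressive-mode first packet, so UDP/500 is reaching the gateway, and the gateway then dropped the exchange because no configured tunnel matched the initiator, which is why the client only ever sees its own retries. The script below is an added example written for this page (not code from the post, from Shrew Soft or from Cisco); it parses both log formats as inferred from the quoted lines, correlates the client's phase 1 retries with the gateway's responder messages, and classifies the outcome. The sample lines are copied from the post; the field layout of each format and the classification labels are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpts copied from the two traces quoted in the post.
# The field layout of both formats is inferred from those lines only.
CLIENT_LOG = """\
11/07/06 21:38:49 >> : security association payload
11/07/06 21:38:49 >> : - proposal #1 payload
11/07/06 21:38:49 >> : -- transform #1 payload
11/07/06 21:38:49 >> : -- transform #2 payload
11/07/06 21:38:49 ii : local supports nat-t ( rfc )
11/07/06 21:38:49 -> : send IKE packet 192.168.1.58:500 -> x.x.x.x:500 ( 814 bytes )
11/07/06 21:38:54 -> : resend 1 phase1 packet(s) [0/2] 192.168.1.58:500 -> x.x.x.x:500
11/07/06 21:38:59 -> : resend 1 phase1 packet(s) [1/2] 192.168.1.58:500 -> x.x.x.x:500
11/07/06 21:39:04 -> : resend 1 phase1 packet(s) [2/2] 192.168.1.58:500 -> x.x.x.x:500
11/07/06 21:39:09 ii : resend limit exceeded for phase1 exchange
11/07/06 21:39:09 ii : phase1 removal before expire time
"""

GATEWAY_LOG = """\
Jul 6 20:37:57 2011    VPN Log   Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-00]
Jul 6 20:37:57 2011    VPN Log   Ignoring Vendor ID payload [16f6ca16e4a4066d...]
Jul 6 20:37:57 2011    VPN Log   Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-03]
Jul 6 20:37:57 2011    VPN Log   Received Vendor ID payload Type = [Dead Peer Detection]
Jul 6 20:37:57 2011    VPN Log   [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet
Jul 6 20:37:57 2011    VPN Log   Initial Aggressive Mode message from x.x.x.x but no (wildcard) connection has been configured
"""


@dataclass
class ClientPhase1:
    transforms_offered: int = 0   # ">> : -- transform #n payload" lines
    packets_sent: int = 0         # initial send plus every resend
    replies_received: int = 0     # "<-" lines, i.e. anything back from the peer
    gave_up: bool = False         # "resend limit exceeded for phase1 exchange"


@dataclass
class GatewayPhase1:
    nat_t_drafts: List[str] = field(default_factory=list)
    dpd_offered: bool = False
    aggressive_first_packet: bool = False
    unmatched_peer: Optional[str] = None  # set when no tunnel matched the initiator


def summarize_client(text: str) -> ClientPhase1:
    """Assumed layout: '<date> <time> <tag> : <message>' (tag is >>, <<, ->, <-, ii, DB, >=)."""
    s = ClientPhase1()
    for line in text.splitlines():
        m = re.match(r"^\S+ \S+ (\S+) : (.*)$", line)
        if not m:
            continue
        tag, msg = m.groups()
        if tag == ">>" and "transform #" in msg:
            s.transforms_offered += 1
        elif tag == "->" and ("send IKE packet" in msg or msg.startswith("resend")):
            s.packets_sent += 1
        elif tag == "<-":
            s.replies_received += 1
        elif tag == "ii" and "resend limit exceeded" in msg:
            s.gave_up = True
    return s


def summarize_gateway(text: str) -> GatewayPhase1:
    """Assumed layout: '<timestamp>    VPN Log   <message>'."""
    g = GatewayPhase1()
    for line in text.splitlines():
        if "VPN Log" not in line:
            continue
        msg = line.split("VPN Log", 1)[1].strip()
        vid = re.search(r"Received Vendor ID payload Type = \[(.+?)\]", msg)
        peer = re.search(r"Initial Aggressive Mode message from (\S+) but no \(wildcard\) connection", msg)
        if vid and vid.group(1).startswith("draft-ietf-ipsec-nat-t-ike"):
            g.nat_t_drafts.append(vid.group(1))
        elif vid and vid.group(1) == "Dead Peer Detection":
            g.dpd_offered = True
        elif "Responder Received Aggressive Mode 1st packet" in msg:
            g.aggressive_first_packet = True
        elif peer:
            g.unmatched_peer = peer.group(1)
    return g


def verdict(c: ClientPhase1, g: GatewayPhase1) -> str:
    """Classify where phase 1 stalled, using evidence from both ends (labels are my own)."""
    if g.unmatched_peer:
        return "NO_MATCHING_TUNNEL"   # packet arrived; gateway has no tunnel entry for this initiator
    if g.aggressive_first_packet and c.replies_received == 0:
        return "GATEWAY_SILENT"       # arrived and matched, but the reply never reached the client
    if c.gave_up and not g.aggressive_first_packet:
        return "NO_PATH_TO_GATEWAY"   # nothing logged on the gateway: filtering or NAT in the path
    return "PHASE1_PROGRESSED"


def explain(c: ClientPhase1, g: GatewayPhase1) -> List[str]:
    """Human-readable findings backing the verdict."""
    out = [f"client: {c.packets_sent} phase 1 packet(s) sent, {c.replies_received} reply(ies), gave up: {c.gave_up}"]
    if g.aggressive_first_packet:
        out.append("gateway: first aggressive-mode packet was received, so UDP/500 is not filtered on the way in")
    if g.unmatched_peer:
        out.append(f"gateway: no configured tunnel matched initiator {g.unmatched_peer}; exchange dropped without a reply")
    if g.nat_t_drafts:
        out.append("both sides advertise NAT-T; UDP/4500 only matters once phase 1 completes, which it never did")
    return out


if __name__ == "__main__":
    c, g = summarize_client(CLIENT_LOG), summarize_gateway(GATEWAY_LOG)
    print(verdict(c, g))
    for line in explain(c, g):
        print(" -", line)
```

The useful property of correlating both ends is that it separates "packets never arrive" (a path or filtering problem, where josomm's sniffer suggestion applies) from "packets arrive and are rejected" (a configuration mismatch on the gateway, which no amount of cipher downgrading will change). On a live gateway, feed the script the exported VPN log and the client's trace for the same minute.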