Beginner

Site-to-Site VPN with ISP problems

I have an ISA500 box on a static IP given by my ISP with the following address. This shall be called site 1.

222.127.117.XXX

I have an RV042 box on a dynamic IP with the following address. This shall be called site 2.

112.209.218.XXX

So I tried connecting the two devices with the same IKE policy settings. The logs are shown below.

May 2 17:44:33 2013VPN Log packet from 222.127.171.207:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
May 2 17:44:33 2013VPN Log packet from 222.127.171.207:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 2 17:44:33 2013VPN Log packet from 222.127.171.207:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 2 17:44:33 2013VPN Log packet from 222.127.171.207:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
May 2 17:44:33 2013VPN Log packet from 222.127.171.207:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
May 2 17:44:33 2013VPN Log packet from 222.127.171.207:500: initial Main Mode message received on   112.209.218.252:500 but no connection has been authorized with   policy=PSK

What bothers me is the phrase "packet from 222.127.171.207:500: initial Main Mode message received on 112.209.218.252:500 but no connection has been authorized with policy=PSK". This is not my IP on site 1, but this is what is seen in my site 2 logs. I tried changing the site 2 settings to wait for a connection from 222.127.171.207 and, oddly enough, the connection was OK. But I cannot ping any of my computers on the internal network.

I have read somewhere that my ISP is doing the NAT that is why a different IP address comes out.

Help please.

Rising star

Site-to-Site VPN with ISP problems

Hi Dan, thank you for using our forum. My name is Johnnatan and I am part of the Small Business Support community. I apologize for this inconvenience you are having, Dan. Do you have any access lists in your device? It is possible that an ACL denies the access.

Also, I advise you to check the document below, especially the Firewall part #3.

https://supportforums.cisco.com/docs/DOC-29399

Did you make any changes to your firewall or VPN tunnel lately?

“Please rate useful posts so other users can benefit from it”

Greetings, 
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.

Contributor

Site-to-Site VPN with ISP problems

Dan,

From behind Site 1, if you go to www.myipaddress.com, does it come up with the .207 address or your IP that you have assigned to your ISA500?

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
Beginner

Site-to-Site VPN with ISP problems

Hi Johnnatan, the ACL on my Site 1 allows a VPN-to-LAN permit rule by default. I already performed the steps in the guide even before starting this discussion. Screenshot below of my settings on Site 2.

Here is a screenshot of my ACL on my Site 2.

Hi Shawn, here is a screenshot below from www.myipaddress.com. It is not the WAN1 IP of my ISA500. I think it is a server of my ISP. In my first post I declared that my IP WAN is 222.127.117.XXX. Any explanation will help.

Contributor

Re: Site-to-Site VPN with ISP problems

Dan,
I think you're on the right track with your ISP being the issue. Since you're seeing the wrong IP hitting your VPN Peer at Site 2 and seeing the wrong IP at myipaddress.com, odds are your ISP is using a proxy for traffic. That won't work in the realm of VPNs. Especially considering Site 2 is DHCP so the tunnel must establish from Site 1.
I would recommend contacting your ISP and confirming this is the case. If it's not, I'd ask them why this behavior is happening. It has to be on their end. If they do confirm, I'd request they add an exception rule for the IP(s) they've given you. Once they get that corrected, you should be good to go.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
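As an added illustration of the diagnosis in this thread (Dan's RV042 log in the first post and Shawn's conclusion that the ISP is rewriting the source address), here is a small Python checker that is not part of the original posts or of any Cisco tool. It parses log lines of the format shown above, picks out the "no connection has been authorized" Phase 1 events, and reports whether the observed peer address differs from the peer the policy expects. The sample log text is constructed from the lines quoted in the thread, and the expected peer address 222.127.117.1 is a placeholder standing in for the masked "222.127.117.XXX" in Dan's post; the CGNAT range is the RFC 6598 shared address space.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input modelled on the RV042 log lines quoted in the thread.
SAMPLE_LOG = """\
May 2 17:44:33 2013VPN Log packet from 222.127.171.207:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
May 2 17:44:33 2013VPN Log packet from 222.127.171.207:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
May 2 17:44:33 2013VPN Log packet from 222.127.171.207:500: initial Main Mode message received on   112.209.218.252:500 but no connection has been authorized with   policy=PSK
"""

# Placeholder for the masked "222.127.117.XXX" WAN address of Site 1 in the post (assumption).
EXPECTED_PEER = "222.127.117.1"

PACKET_RE = re.compile(
    r"packet from (?P<src>(?:\d{1,3}\.){3}\d{1,3}):(?P<sport>\d+): (?P<msg>.*)$"
)
UNAUTH_RE = re.compile(
    r"initial Main Mode message received on\s+(?P<dst>(?:\d{1,3}\.){3}\d{1,3}):(?P<dport>\d+)\s+"
    r"but no connection has been authorized with\s+policy=(?P<policy>\S+)"
)
CGNAT = ip_network("100.64.0.0/10")  # RFC 6598 shared address space (carrier-grade NAT)


def parse_ike_events(log_text):
    """Extract (source IP, source port, message) from every 'packet from' log line."""
    events = []
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            events.append({"src": m.group("src"),
                           "sport": int(m.group("sport")),
                           "msg": m.group("msg")})
    return events


def classify_peer(observed, expected_peer):
    """Explain a Phase 1 source address relative to the configured remote peer."""
    obs = ip_address(observed)
    if observed == expected_peer:
        return "peer matches policy; look at PSK, proposals or ACLs instead"
    if obs in CGNAT or obs.is_private:
        return "observed address is CGNAT/private space: the remote side is behind NAT"
    return ("public address differs from the configured peer: upstream NAT/proxy "
            "at the ISP, or a wrong peer address in the policy")


def find_unauthorized_peers(log_text, expected_peer):
    """Return one finding per 'no connection has been authorized' event,
    flagging whether the source differs from the peer the policy expects."""
    findings = []
    for ev in parse_ike_events(log_text):
        m = UNAUTH_RE.search(ev["msg"])
        if not m:
            continue
        findings.append({
            "observed_peer": ev["src"],
            "expected_peer": expected_peer,
            "mismatch": ev["src"] != expected_peer,
            "local_endpoint": f"{m.group('dst')}:{m.group('dport')}",
            "policy": m.group("policy"),
            "hint": classify_peer(ev["src"], expected_peer),
        })
    return findings


if __name__ == "__main__":
    for finding in find_unauthorized_peers(SAMPLE_LOG, EXPECTED_PEER):
        print(finding)
```

Run against the sample, the checker reports one event whose observed peer 222.127.171.207 does not match the expected Site 1 address, with the hint that a differing public address points at an upstream NAT or proxy rather than at the PSK or proposals. That is exactly the reason Dan's workaround of accepting .207 completes Phase 1 while still not passing traffic: the responder sees whatever address the ISP presents, which the ISP must correct on its side.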