Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About CAOliveTech
Stats
Member since
11-13-2012
5
Posts
0
Helpful
0
Solutions
Created by
CAOliveTech
in Small Business Routers
in Small Business Routers
05-23-2013
01:47 PM
05-23-2013
01:47 PM
Hey Jeffrey, Do you have any other information for me on this? Thanks.
... View more
Created by
CAOliveTech
in Small Business Routers
in Small Business Routers
05-21-2013
08:19 AM
05-21-2013
08:19 AM
Hey Jeffrey, PFS is already disabled. The RV180 is NAT'd behind another router with a dynamic IP, for that situation don't I need aggressive mode?
... View more
Created by
CAOliveTech
in Small Business Routers
in Small Business Routers
05-16-2013
09:12 AM
05-16-2013
09:12 AM
I have a RV180 v1 set up in a remote site doing gateway to gateway IPSEC tunnels to two Watchguard XTM510s (in different locations). The RV180 is behind a DSL router with a dynamic IP, so the tunnels are created using aggressive mode. DPD and NAT-T are turned on, and the tunnels will build and pass traffic without any issue. The problem I am having is that the tunnels crash regularly, see this graph: The pattern is tied to the key lifetime. When I look at the log on the RV180, it looks like the phase 1 SA and the phase 2 SA are expiring at different times, and when they expire they aren't getting recreated. A sample of the logs from the last gap of that graph is here: Wed May 15 23:29:08 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[10637] Wed May 15 23:29:28 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[10637] Wed May 15 23:29:48 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[10637] Wed May 15 23:30:06 2013 (GMT -0800): [CO-Router] [IKE] INFO: Responding to new phase 2 negotiation: 192.168.1.4[0]<=>5.5.5.225[0] Wed May 15 23:30:06 2013 (GMT -0800): [CO-Router] [IKE] INFO: Using IPsec SA configuration: 192.168.9.0/24<->192.168.0.0/26 Wed May 15 23:30:06 2013 (GMT -0800): [CO-Router] [IKE] INFO: Adjusting peer's encmode 61443(61443)->Tunnel(1) Wed May 15 23:30:07 2013 (GMT -0800): [CO-Router] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 5.5.5.225->192.168.1.4 with spi=126025766(0x7830026) Wed May 15 23:30:07 2013 (GMT -0800): [CO-Router] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.1.4->5.5.5.225 with spi=1807976333(0x6bc3878d) Wed May 15 23:30:07 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[10637] Wed May 15 23:30:08 2013 (GMT -0800): [CO-Router] [IKE] INFO: Purged IPsec-SA with proto_id=ESP and spi=2480067544(0x93d2d3d8). Wed May 15 23:30:08 2013 (GMT -0800): [CO-Router] [IKE] INFO: Purged IPsec-SA with proto_id=ESP and spi=139686414(0x853720e). Wed May 15 23:30:17 2013 (GMT -0800): [CO-Router] [IKE] INFO: ISAKMP-SA expired 192.168.1.4[4500]-5.5.5.225[4500] spi:e2eb1d36ca501ef3:63c708129bc6fb9f Wed May 15 23:30:17 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: delete payload[] Wed May 15 23:30:18 2013 (GMT -0800): [CO-Router] [IKE] INFO: ISAKMP-SA deleted for 192.168.1.4[4500]-5.5.5.225[4500] with spi:e2eb1d36ca501ef3:63c708129bc6fb9f Wed May 15 23:36:13 2013 (GMT -0800): [CO-Router] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 4.4.4.1->192.168.1.4 with spi=246339102(0xeaed61e) Wed May 15 23:36:13 2013 (GMT -0800): [CO-Router] [IKE] INFO: Configuration found for 4.4.4.1. Wed May 15 23:36:13 2013 (GMT -0800): [CO-Router] [IKE] INFO: Initiating new phase 2 negotiation: 192.168.1.4[0]<=>4.4.4.1[0] Wed May 15 23:36:13 2013 (GMT -0800): [CO-Router] [IKE] INFO: Adjusting encryption mode to use UDP encapsulation Wed May 15 23:36:13 2013 (GMT -0800): [CO-Router] [IKE] WARNING: Ignore RESPONDER-LIFETIME notification from 4.4.4.1[4500]. Wed May 15 23:36:13 2013 (GMT -0800): [CO-Router] [IKE] INFO: Adjusting peer's encmode 61443(61443)->Tunnel(1) Wed May 15 23:36:13 2013 (GMT -0800): [CO-Router] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 4.4.4.1->192.168.1.4 with spi=29839733(0x1c75175) Wed May 15 23:36:13 2013 (GMT -0800): [CO-Router] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.1.4->4.4.4.1 with spi=3303632320(0xc4e96dc0) Wed May 15 23:36:13 2013 (GMT -0800): [CO-Router] [IKE] INFO: Purged IPsec-SA with proto_id=ESP and spi=246339102(0xeaed61e). Wed May 15 23:36:14 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[10637] <SNIP several lines of the same between these> Wed May 15 23:58:33 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[10637] Wed May 15 23:58:48 2013 (GMT -0800): [CO-Router] [IKE] INFO: ISAKMP-SA expired 192.168.1.4[4500]-4.4.4.1[4500] spi:447f971442f56e50:e746a025318ce9f8 Wed May 15 23:58:48 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: delete payload[] Wed May 15 23:58:49 2013 (GMT -0800): [CO-Router] [IKE] INFO: ISAKMP-SA deleted for 192.168.1.4[4500]-4.4.4.1[4500] with spi:447f971442f56e50:e746a025318ce9f8 Thu May 16 04:18:19 2013 (GMT -0800): [CO-Router] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 192.168.1.4->5.5.5.225 with spi=1993017196(0x76cb076c) Thu May 16 04:18:19 2013 (GMT -0800): [CO-Router] [IKE] INFO: Configuration found for 5.5.5.225. Thu May 16 04:18:19 2013 (GMT -0800): [CO-Router] [IKE] INFO: Initiating new phase 1 negotiation: 192.168.1.4[500]<=>5.5.5.225[500] Thu May 16 04:18:19 2013 (GMT -0800): [CO-Router] [IKE] INFO: Beginning Aggressive mode. Thu May 16 04:18:19 2013 (GMT -0800): [CO-Router] [IKE] INFO: NAT-Traversal is Enabled Thu May 16 04:18:19 2013 (GMT -0800): [CO-Router] [IKE] INFO: [isakmp_agg.c:257]: XXX: NUMNATTVENDORIDS: 3 Thu May 16 04:18:19 2013 (GMT -0800): [CO-Router] [IKE] INFO: [isakmp_agg.c:261]: XXX: setting vendorid: 4 Thu May 16 04:18:19 2013 (GMT -0800): [CO-Router] [IKE] INFO: [isakmp_agg.c:261]: XXX: setting vendorid: 8 Thu May 16 04:18:19 2013 (GMT -0800): [CO-Router] [IKE] INFO: [isakmp_agg.c:261]: XXX: setting vendorid: 9 Thu May 16 04:18:19 2013 (GMT -0800): [CO-Router] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 5.5.5.225->192.168.1.4 with spi=57594486(0x36ed276) Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: Received Vendor ID: DPD Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: NAT-D payload does not match for 192.168.1.4[500] Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: NAT-D payload matches for 5.5.5.225[500] Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: For 5.5.5.225[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02 Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: NAT detected: ME Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: for debugging :: changing portsThu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: port changed !! Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: ISAKMP-SA established for 192.168.1.4[4500]-5.5.5.225[4500] with spi:526e36cf7be01935:8934e8ae2fdb9fad Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[608] Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: Initiating new phase 2 negotiation: 192.168.1.4[0]<=>5.5.5.225[0] Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: Adjusting encryption mode to use UDP encapsulation Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] WARNING: Ignore RESPONDER-LIFETIME notification from 5.5.5.225[4500]. Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: Adjusting peer's encmode 61443(61443)->Tunnel(1) Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 5.5.5.225->192.168.1.4 with spi=131754931(0x7da6bb3) Thu May 16 04:18:20 2013 (GMT -0800): [CO-Router] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.1.4->5.5.5.225 with spi=1507917835(0x59e1000b) Thu May 16 04:18:23 2013 (GMT -0800): [CO-Router] [IKE] INFO: Responding to new phase 2 negotiation: 192.168.1.4[0]<=>5.5.5.225[0] Thu May 16 04:18:23 2013 (GMT -0800): [CO-Router] [IKE] INFO: Using IPsec SA configuration: 192.168.9.0/24<->192.168.0.0/26 Thu May 16 04:18:23 2013 (GMT -0800): [CO-Router] [IKE] INFO: Adjusting peer's encmode 61443(61443)->Tunnel(1) Thu May 16 04:18:23 2013 (GMT -0800): [CO-Router] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 5.5.5.225->192.168.1.4 with spi=120862776(0x7343838) Thu May 16 04:18:23 2013 (GMT -0800): [CO-Router] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.1.4->5.5.5.225 with spi=2967981184(0xb0e7cc80) Thu May 16 04:18:25 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[10381] Thu May 16 04:18:28 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[10637] Thu May 16 04:18:28 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: delete payload[] Thu May 16 04:18:28 2013 (GMT -0800): [CO-Router] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'. Thu May 16 04:46:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 192.168.1.4->4.4.4.1 with spi=2429062956(0x90c88f2c) Thu May 16 04:46:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: Configuration found for 4.4.4.1. Thu May 16 04:46:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: Initiating new phase 1 negotiation: 192.168.1.4[500]<=>4.4.4.1[500] Thu May 16 04:46:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: Beginning Aggressive mode. Thu May 16 04:46:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: NAT-Traversal is Enabled Thu May 16 04:46:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: [isakmp_agg.c:257]: XXX: NUMNATTVENDORIDS: 3 Thu May 16 04:46:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: [isakmp_agg.c:261]: XXX: setting vendorid: 4 Thu May 16 04:46:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: [isakmp_agg.c:261]: XXX: setting vendorid: 8 Thu May 16 04:46:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: [isakmp_agg.c:261]: XXX: setting vendorid: 9 Thu May 16 04:46:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 4.4.4.1->192.168.1.4 with spi=267273663(0xfee45bf) Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: Received Vendor ID: DPD Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: NAT-D payload does not match for 192.168.1.4[500] Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: NAT-D payload matches for 4.4.4.1[500] Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: For 4.4.4.1[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02 Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: NAT detected: ME Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: for debugging :: changing portsThu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: port changed !! Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: ISAKMP-SA established for 192.168.1.4[4500]-4.4.4.1[4500] with spi:5ac8293133c36006:156da7568412e10f Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[608] Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: Initiating new phase 2 negotiation: 192.168.1.4[0]<=>4.4.4.1[0] Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: Adjusting encryption mode to use UDP encapsulation Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] WARNING: Ignore RESPONDER-LIFETIME notification from 4.4.4.1[4500]. Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: Adjusting peer's encmode 61443(61443)->Tunnel(1) Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 4.4.4.1->192.168.1.4 with spi=78533723(0x4ae545b) Thu May 16 04:46:51 2013 (GMT -0800): [CO-Router] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.1.4->4.4.4.1 with spi=3286012270(0xc3dc916e) Thu May 16 04:46:56 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[10637] Thu May 16 05:03:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'. Thu May 16 05:03:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: Purged IPsec-SA with proto_id=ESP and spi=3303632320(0xc4e96dc0). Thu May 16 05:04:47 2013 (GMT -0800): [CO-Router] [IKE] INFO: Responding to new phase 2 negotiation: 192.168.1.4[0]<=>4.4.4.1[0] Thu May 16 05:04:47 2013 (GMT -0800): [CO-Router] [IKE] INFO: Using IPsec SA configuration: 192.168.9.0/24<->192.168.0.64/26 Thu May 16 05:04:47 2013 (GMT -0800): [CO-Router] [IKE] INFO: Adjusting peer's encmode 61443(61443)->Tunnel(1) Thu May 16 05:04:47 2013 (GMT -0800): [CO-Router] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 4.4.4.1->192.168.1.4 with spi=142477(0x22c8d) Thu May 16 05:04:47 2013 (GMT -0800): [CO-Router] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.1.4->4.4.4.1 with spi=2721682347(0xa23993ab) Thu May 16 05:04:47 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[10637] Thu May 16 05:04:50 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[10637] Thu May 16 05:05:11 2013 (GMT -0800): [CO-Router] [IKE] INFO: Sending Informational Exchange: notify payload[10637] Does anyone see anything in there that might explain my issue?
... View more
Labels:
Created by
CAOliveTech
in Small Business Security
in Small Business Security
11-15-2012
09:52 AM
11-15-2012
09:52 AM
Hey Stefan, We don't see any log messages like that, all we see on the RV042 are successful DPD messages and successful negotiations. On the Watchguards, we see the same success messages as well as ping traffic outbound to the RV042, but nothing incoming. Last night, one of the tunnels began working again (randomly). I'm not sure how long it will stick around, I started an infinite ping just to make sure there is some traffic going over the link to try and keep it up (although DPD should help with that anyways). Thanks for the response!
... View more
Created by
CAOliveTech
in Small Business Security
in Small Business Security
11-14-2012
10:19 AM
11-14-2012
10:19 AM
Hello, I have two site to site VPN tunnels between a RV042 (which is behind another router, so NAT'd) and two different Watchguard XTM510s (public internet facing). This connection was working up until a month ago, when for some reason it crashed and now it will not come back up completly For both tunnels, traffic only seems to be flowing one way. It appears as though the devices complete both phase 1 and phase 2 negotiations, the tunnels come up almost instantly, they just don't transfer traffic. Phase 1 settings on all: Agressive mode IKE Encryption: AES128 Authentication: SHA1 DH Group 1 Lifetime: 28800s (RV042) / 8 hours (XTMs) Phase 2 settings NO PFS Encryption: AES128 Auth: SHA1 DH Group 1 Lifetime: 28800s / 8 hours, no traffic expiration I have NAT traversal and DPD turned on. Both sides show the tunnel as active, the correct routes show up in the routing tables, but I can't ping across it and the data counters on the Watchguard devices show traffic going one way only. The logs on all devices show the DPD packets being sent and recieved, so I know that the devices can talk, it's just that last little bit that isn't working. I've tried completely recreating the tunnels, power cycling everything, different encryption schemes, different keys, and different options, but I can not get these tunnels to work. If I could just get one tunnel to work I can route traffic where it needs to go (there is a tunnel between the Watchguards that is functioning perfectly). Does anyone have any ideas?
... View more
Labels:
05-21-2013
Hey Jeffrey,PFS is already disabled.The RV180 is NAT'd behind another
router with a dynamic IP, for ...
05-16-2013
I have a RV180 v1 set up in a remote site doing gateway to gateway IPSEC
tunnels to two Watchguard X...
Created by
CAOliveTech
in Small Business Security
11-15-2012
11-15-2012
Hey Stefan,We don't see any log messages like that, all we see on the
RV042 are successful DPD messa...
Created by
CAOliveTech
in Small Business Security
11-14-2012
11-14-2012
Hello,I have two site to site VPN tunnels between a RV042 (which is
behind another router, so NAT'd)...
Public Statistics
| Date Registered | 11-13-2012 10:10 AM |
| Date Last Visited | 08-18-2017 04:00 AM |
| Total Messages Posted | 5 |
