Hi ,

bartjsamp · ‎01-08-2017

Hi, I'm trying to configure a RV325 IPsec group tunnel so several students can remotely access some lab machines on the internal vlan. Unfortunately it I can't establish the tunnel. I'm currently using the TheGreenBow VPN client for testing/debugging right now but ultimately I want to get the built in Windows and Mac OS X IPsec clients working.

When I configure TheGreenBow VPN client to connect via IKEv1 I get no response from the RV325 at all. It's not getting pas the first step in Phase 1. All Wireshark traces show the VPN packet going out to port 500 but no reply.

When I configure TheGreenBow VPN client to connect via IKEv2 I DO get a response from the RV325 but it's the error NO_PROPOSAL_CHOSEN according to the VPN client logs and the Wireshark traces. I have done some research which has suggested that the algorithms in Phase 1 on the RV325 and VPN client should be mismatched. I've checked multiple times and they match. I've even tried changing them around a bit to differing but matching algorithms without success.

Any ideas? I've attached a screen shot from the RV325. Thank you for your help.

PS. I don't care if it's IKEv1 or IKEv2 being used, I just need it to eventually work with the default Windows and Mac OS X clients. The RV325 has a public address and is not behind a NAT. I can PPTP VPN to the RV325 successfully and UDP port 500 is open.

MANI .P · ‎01-08-2017

Hi ,

What is the VPN client you are trying ?

look like the Phase 1 & Phase 2 Ok .

thanks,
mani

bartjsamp · ‎01-08-2017

I am using TheGreenBow VPN client ( https://www.thegreenbow.com/ ) for testing now. However I do want to eventually use the BUILT IN Mac OS X and Windows 7 (and higher) VPN clients. Once I get the easier to configure and debug TheGreenBow VPN client working I'll switch over Mac OS X and Windows ones (unless you think this is a bad idea). I can use another VPN client for testing if you think that is better (Shrewsoft, etc...)

The connection never gets to Phase 2. I believe it's doing the IKE algorithm negotiation (Encryption:AES-128, Integrity:SHA1, Diffie-Hellman:DH2 (2014)) during Phase 1 but fails like I described previously. (No response for IKEv1 and NO_PROPOSAL_CHOSEN for IKEv2).

MANI .P · ‎01-09-2017

Hi ,

Recommend you to check this steps as you configured . I think you may need to check the VPN client side ..

https://supportforums.cisco.com/video/12300166/rv320-and-rv325-ipsec-vpn-client-configuration

If this helps you please rate !

Thanks ,

Mani.

bartjsamp · ‎01-09-2017

Hi Mani, I looked at the video and followed the instructions exactly but unfortunately the TheGreenBow client still cannot connect to the RV325. The symptoms are the same. I tried using the built in Windows VPN and OS X clients and they failed too.

The only thing I changed on the RV325 was that I set "Remote Client:" value to "Microsoft XP/2000 VPN Client"

From the video it appears TheGreenBow client is using the IKEv1 configuration screens. Also the newer version of the TheGreenBow client (I have) has Wizard choices for IKEv1 and IKEv2 connections. I tried it both ways and it failed like I mentioned before (IKEv1 - no response as shown by Wireshark, IKEv2 - NO_PROPOSAL_CHOSEN failure as shown by Wireshark)

Again I'm happy to skip using TheGreenBow client all together if I can just get the Windows and OS X VPN clients working.

UPDATE: I rebooted the RV325 and it appears the IKEv1 negotiation using TheGreenBow client gets past the NO_PROPOSAL_CHOSEN problem. The RV325 appears and the VPN client appear to have negotiated a common set of encryption protocols. It's failing for another reason now. Debugging the new issue, however it appears that whenever changing the Remote Client type on the RV325 it requires a reboot. I'm guessing it has to reinitialize something to start providing IKEv1 responses. I'll post more in a bit.

RV325 Gigabit Dual WAN VPN Router - IPsec - IKE - NO_PROPOSAL_CHOSEN