Internal VPN with a Linksys VPN router

jdleon
Level 1

I have this new department in my network that needs to create a site-to-site VPN tunnel to a remote site. I had offered them the use of my Cisco VPN concentrator, but they want to manage their VPN. They are using a Linksys VPN router (RV016), but the tunnel does not connect - they are using IPSec for the tunnel. I have an ASA firewall and have created an access-list to allow the IPSec tunnel to pass through, and I also NATed a public IP to the internal address of the Linksys VPN router, so the VPN router at the remote site can communicate with it. I used the packet capture wizard on the ASA to see traffic and this is what I get on the inside only:

1: 07:08:53.337674 10.100.170.55.500 > 71.42.77.66.500: udp 100 (can someone elaborate on this statement a little more)

10.100.170.55 is the internal IP of the Linksys VPN router and it is trying to connect to 71.42.77.66, which is the VPN router at the remote site.

I appreciate any help.

3 Replies

Jennifer Halim
Cisco Employee

1: 07:08:53.337674 10.100.170.55.500 > 71.42.77.66.500: udp 100

That statement basically means that on the interface where you are doing the capture, it sees a UDP/500 packet from 10.100.170.55 towards 71.42.77.66.

The question is: it is arriving at the firewall, but is it leaving the firewall? If it is leaving the firewall, are you only seeing one of those packets? Because UDP/500 consists of 6 exchanges (6 messages between the VPN peers).

Where is the VPN failing? can you run debugs on the vpn end point?

Are you thinking that the firewall in between might be blocking the VPN connection?

Does the UDP/500 packet actually reach the other end of the tunnel?

The question is: it is arriving at the firewall, but is it leaving the firewall? If it is leaving the firewall, are you only seeing one of those packets? Because UDP/500 consists of 6 exchanges (6 messages between the VPN peers).

This capture - 1: 07:08:53.337674 10.100.170.55.500 > 71.42.77.66.500: udp 100 - I got from the ASA using the packet capture wizard, in which I specified to capture from the inside interface to the outside interface. There were 6 of these packets.


Where is the VPN failing? can you run debugs on the vpn end point?

I would have to ask the tech that manages it.

Are you thinking that the firewall in between might be blocking the VPN connection?

I have UDP/500 open for that VPN to go out and come back in, but I never saw the traffic from the other end coming back. If it is failing, I'm thinking it might be because of the Linksys VPN router. About a year ago, I had a situation where a user needed to VPN to a remote site using a Linksys VPN IPSec client and he was not able to. And in the network you can VPN out. So I went to his workstation, ran Wireshark, and started this VPN client - it was using one port (60443) different than what IPSec uses. I opened that port but he still could not VPN out. I submitted a question about it on the Cisco support forums, and it turned out that the ASA will not support that client. So I had him use the Microsoft client and end of problem. So I am wondering if it is the same with the Linksys VPN router.

Does the UDP/500 packet actually reach the other end of the tunnel?

I did a capture for both traffic coming out of and into the ASA; I never saw any traffic coming back from the other end of the tunnel.

Well, in this case, you mention that it's a LAN-to-LAN IPSec VPN tunnel, not an IPSec VPN client, right?

If it's a LAN-to-LAN IPSec VPN, then it shouldn't be a problem at all, as that supports VPN connections between third-party vendors and different models of routers/firewalls.

If you are seeing that the UDP/500 actually leaving your ASA towards the remote end, and there is no reply, then it's likely to be problem on the remote end. Maybe there is another firewall at the remote end that blocks the VPN connection.
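The two replies above turn on one question: are the six UDP/500 packets on the inside interface the six messages of an IKEv1 main-mode exchange, or six retransmissions of message 1 from a Linksys that never hears back? The ISAKMP header settles it without any debug access to the RV016: message 1 carries a zero responder cookie, and every later message of the exchange carries the cookie the remote peer chose. The script below is an added example for this thread, not code from the original poster, Cisco or Linksys; the addresses 10.100.170.55 and 71.42.77.66 come from the thread, and both packet sets are constructed here rather than taken from the OP's capture.

```python
"""Classify IKEv1 (ISAKMP, UDP/500) packets from a capture to tell a real
six-message main-mode exchange apart from six retransmissions of message 1.

Added example for this forum thread; not the original poster's, Cisco's or
Linksys' code. Both packet sets below are constructed, not captured.
"""
import struct
from collections import Counter

# ISAKMP header (RFC 2408, section 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct(">8s8sBBBBII")   # 28 bytes, network byte order
ZERO_COOKIE = b"\x00" * 8
EXCHANGE_TYPES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}

LOCAL = "10.100.170.55"   # inside address of the Linksys RV016 (from the thread)
REMOTE = "71.42.77.66"    # remote VPN peer (from the thread)


def parse_isakmp(payload: bytes):
    """Return the ISAKMP header fields, or None if this is not a plausible IKEv1 header."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, _next, version, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    if version >> 4 != 1 or length != len(payload):   # major version 1, length must match
        return None
    return {
        "icookie": icookie,
        "rcookie": rcookie,
        "exchange": EXCHANGE_TYPES.get(xchg, f"type {xchg}"),
        "encrypted": bool(flags & 0x01),
        "msg_id": msg_id,
    }


def diagnose(packets, local=LOCAL, remote=REMOTE):
    """packets: iterable of (timestamp, src_ip, dst_ip, udp_payload) as a pcap reader would yield.

    Returns per-direction counts, the number of apparent retransmissions of
    phase-1 message 1 (same initiator cookie, responder cookie still zero),
    whether the peer ever answered (a non-zero responder cookie was seen),
    and a one-line verdict.
    """
    outbound = inbound = 0
    first_msgs = Counter()      # initiator cookie -> outbound messages with a zero responder cookie
    peer_replied = False
    for _ts, src, dst, payload in packets:
        hdr = parse_isakmp(payload)
        if hdr is None:
            continue
        if src == local and dst == remote:
            outbound += 1
            if hdr["rcookie"] == ZERO_COOKIE and hdr["exchange"] in ("main mode", "aggressive mode"):
                first_msgs[hdr["icookie"]] += 1
        elif src == remote and dst == local:
            inbound += 1
        if hdr["rcookie"] != ZERO_COOKIE:
            peer_replied = True
    retransmits = sum(n - 1 for n in first_msgs.values())
    if inbound == 0:
        verdict = "no reply from peer: initiator keeps resending message 1"
    elif peer_replied:
        verdict = "peer responded: responder cookie set, exchange progressed"
    else:
        verdict = "inbound IKE seen but responder cookie never set"
    return {"outbound": outbound, "inbound": inbound, "retransmits": retransmits,
            "peer_replied": peer_replied, "verdict": verdict}


def build_isakmp(icookie, rcookie, xchg, flags=0, msg_id=0, body_len=72):
    """Constructed ISAKMP message: a real header followed by an opaque body (no real SA payload)."""
    length = ISAKMP_HDR.size + body_len          # 28 + 72 = 100, the "udp 100" the OP saw
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, xchg, flags, msg_id, length) + b"\x00" * body_len


IC = bytes.fromhex("0123456789abcdef")   # constructed initiator cookie
RC = bytes.fromhex("fedcba9876543210")   # constructed responder cookie

# Scenario A (constructed): what the OP describes - six UDP/500 packets on the inside
# interface, all from the Linksys, nothing coming back. Timestamps mimic IKE retransmit backoff.
NO_REPLY = [(t, LOCAL, REMOTE, build_isakmp(IC, ZERO_COOKIE, 2)) for t in (0.0, 1.0, 2.0, 4.0, 8.0, 16.0)]

# Scenario B (constructed): a genuine six-message main-mode exchange; messages 5 and 6 are encrypted.
HANDSHAKE = [
    (0.0, LOCAL, REMOTE, build_isakmp(IC, ZERO_COOKIE, 2)),
    (0.1, REMOTE, LOCAL, build_isakmp(IC, RC, 2)),
    (0.2, LOCAL, REMOTE, build_isakmp(IC, RC, 2)),
    (0.3, REMOTE, LOCAL, build_isakmp(IC, RC, 2)),
    (0.4, LOCAL, REMOTE, build_isakmp(IC, RC, 2, flags=1)),
    (0.5, REMOTE, LOCAL, build_isakmp(IC, RC, 2, flags=1)),
]

if __name__ == "__main__":
    for name, pkts in (("no reply", NO_REPLY), ("handshake", HANDSHAKE)):
        print(name, diagnose(pkts))
```

Six outbound packets with one initiator cookie and a zero responder cookie are five retransmissions of message 1, which is exactly the "leaving but never answered" picture the second reply describes; a working exchange shows three packets each way and a non-zero responder cookie from the second packet onward. To run this on the real capture, export it from the ASA as a pcap and feed `diagnose()` the UDP payloads of the port-500 packets from any pcap reader, capturing on the outside interface as well so the NAT rewrite is checked on both sides. Two further checks worth doing once IKE does answer: the ASA ACL also has to permit UDP/4500, since the RV016 sits behind NAT and both peers will switch to NAT-T after they detect it, and ESP (IP protocol 50) if the peers end up not using NAT-T; UDP/500 alone only gets the negotiation through, not the tunnel traffic.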