Question: Gateway to Gateway VPN tunnel problems
All, I'm trying to set up a VPN tunnel and no matter what I do I can't seem to get it to connect. I purchased 2 Cisco 120W VPN Firewalls. I'm using the identical default config on both routers, so all encryption, authentication etc. are exactly the same. I've tried connecting from WAN IP to WAN IP, IP to FQDN, and FQDN to FQDN and still cannot get the IPSec connection to establish. I've tried both aggressive and main mode on both as well. I always get the following message:
Initiating new phase 1 negotiation: x.x.44.149[500]<=>x.x.44.148[500]
2010-06-28 04:02:46: INFO: Beginning Aggressive mode.
2010-06-28 04:02:46: INFO: NAT-Traversal is Enabled
2010-06-28 04:02:46: INFO: [agg_i1send:254]: XXX: NUMNATTVENDORIDS: 3
2010-06-28 04:02:46: INFO: [agg_i1send:258]: XXX: setting vendorid: 4
2010-06-28 04:02:46: INFO: [agg_i1send:258]: XXX: setting vendorid: 8
2010-06-28 04:02:46: INFO: [agg_i1send:258]: XXX: setting vendorid: 9
2010-06-28 04:03:17: ERROR: Invalid SA protocol type: 0
2010-06-28 04:03:17: ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
2010-06-28 04:03:46: ERROR: Phase 1 negotiation failed due to time up for x.x.44.148[500]. b66f955da527f135:0000000000000000
2010-06-28 04:05:26: WARNING: no phase2 found for "djsc"
I'm guessing it may have something to do with the fact that I'm using the same ISP, which has issued me a block of 5 IPs all a part of the same subnet, using the same gateway and DNS servers....??? Would that be a problem? Neither router is recognizing that another router is attempting to connect....
Here is the info:
Site A: WAN IP: x.x.44.148 Sub 255.255.255.248 DG: x.x.44.150
Site B: WAN IP: x.x.44.149 Sub 255.255.255.248 DG: x.x.44.150

Here is the IKE Policy View:
General
  Policy Name: djsc
  Direction / Type: Both
  Exchange Mode: Main
  Enable XAUTH Client: None
Local Identification
  Identifier Type: Local Wan IP
  Local Wan IP: x.x.44.149
Peer IKE Identification
  Identifier Type: Remote Wan IP
  Local Wan IP: x,x.44.148
IKE SA Parameters
  Encryption Algorithm: 3DES
  Authentication Algorithm: SHA-1
  Authentication Method: Pre-shared key
  Pre-Shared Key: xxxxx
  Diffie-Hellman (DH) Group: 2
  SA-Lifetime: 28800 Seconds
Any help would be sincerely appreciated. I have a company flying in to install some hardware and I really need this tunnel. Thanks in advance for any help.
Answer: Gateway to Gateway VPN tunnel problems
Are they running the latest firmware? I found a recent posting at Cisco forums relating to 520W's having the same error, and a new firmware supposedly fixed many VPN problems. Also, have you tried rebooting/clearing the SAs? The settings you have look pretty basic and should work fine; I don't see anything out of the ordinary.
I also found a suggestion relating to a Cisco -> Netgear setup where they used a dynamic DNS name and that solved the problem oddly enough.
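An added example, not part of the original question or answer and not Cisco tooling: a small triage script for the initiator log quoted in the question. It reads the IKEv1 cookie pair printed on the phase 1 timeout line; a responder cookie that is still all zeros means the initiator never received a reply from the peer. The function names and the regular expressions (fitted to the log lines on this page) are assumptions.

```python
import re

# Log lines copied from the question above (addresses redacted as on the page).
SAMPLE_LOG = """\
Initiating new phase 1 negotiation: x.x.44.149[500]<=>x.x.44.148[500]
2010-06-28 04:02:46: INFO: Beginning Aggressive mode.
2010-06-28 04:02:46: INFO: NAT-Traversal is Enabled
2010-06-28 04:03:17: ERROR: Invalid SA protocol type: 0
2010-06-28 04:03:17: ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
2010-06-28 04:03:46: ERROR: Phase 1 negotiation failed due to time up for x.x.44.148[500]. b66f955da527f135:0000000000000000
"""

# Patterns fitted to the messages shown on this page (assumption: other
# firmware versions may word these lines differently).
START = re.compile(r"Initiating new phase 1 negotiation: ([^\[\s]+)\[(\d+)\]<=>([^\[\s]+)\[(\d+)\]")
MODE = re.compile(r"Beginning (.+?) mode")
P1_FAIL = re.compile(
    r"Phase 1 negotiation failed due to time up for ([^\[\s]+)\[(\d+)\]\.\s+"
    r"([0-9a-f]{16}):([0-9a-f]{16})"
)

def triage(log_text):
    """Summarise one IKEv1 phase 1 attempt from initiator-side log lines."""
    result = {"local": None, "peer": None, "port": None, "mode": None,
              "phase1_timed_out": False, "peer_ever_replied": None}
    for line in log_text.splitlines():
        if m := START.search(line):
            result["local"], result["peer"] = m.group(1), m.group(3)
            result["port"] = int(m.group(4))
        elif m := MODE.search(line):
            result["mode"] = m.group(1).lower()
        elif m := P1_FAIL.search(line):
            result["phase1_timed_out"] = True
            # The responder cookie stays zero until the peer's first IKE
            # message has been received by the initiator.
            result["peer_ever_replied"] = m.group(4) != "0" * 16
    return result

def diagnosis(result):
    """Turn the triage result into the next thing to check."""
    if not result["phase1_timed_out"]:
        return "no phase 1 timeout logged"
    if result["peer_ever_replied"]:
        return "peer replied: compare the IKE policy parameters on both ends"
    return (f"no reply received from {result['peer']}: verify that IKE traffic "
            f"on UDP port {result['port']} reaches the peer")

if __name__ == "__main__":
    print(diagnosis(triage(SAMPLE_LOG)))
```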