RV082 Gateway-Gateway VPN Won't Connect
I have a site to site VPN between two rv082's also. Checking my settings they show on both sides:
Local Security Gateway Type: IP Only
IP Address: external address
Local Security Group Type: Subnet
IP Address 192.168.188.0
Subnet Mask: 255.255.255.0
Remote Security Gateway Type: IP Only
IP Address: external address
Remote Security Group Type: Subnet
IP Address 192.168.166.0
Subnet Mask: 255.255.255.0
Keying Mode: IKE with Preshared key
Phase1 DH Group: Group 1
Phase1 Encryption: DES
Phase1 Authentication: MD5
Phase1 SA Life Time: 28800
Perfect Forward Secrecy: Enabled
Phase2 DH Group: Group 1
Phase2 Encryption: DES
Phase2 Authentication: MD5
Phase2 SA Life Time: 3600
Aggressive Mode: Disabled
Dead Peer Detection (DPD): Enabled
The only difference I see is aggressive mode, but you tried that. Obviously you have a matching preshared key. Interface is WAN1 on both. So you don't have anything glaring - but maybe disable aggressive mode. I also remember having to delete and recreate them a few times to get it connected. Have you tried that?
Joel
Updated on September 18, 2022
Comments
-
Joel over 1 year
I have two RV082's (firmware 2.0.0.7) both with public static IPs. I'm attempting to set up a gateway-gateway VPN between them.
My configuration:
Router A:
Local Security Gateway Type: IP Only
IP Address: 12...*
Local Security Group Type: Subnet
IP Address 192.168.3.0
Subnet Mask: 255.255.255.0
Remote Security Gateway Type: IP Only
IP Address: 70...*
Remote Security Group Type: Subnet
IP Address 192.168.1.0
Subnet Mask: 255.255.255.0
Keying Mode: IKE with Preshared key
Phase1 DH Group: Group 1
Phase1 Encryption: DES
Phase1 Authentication: MD5
Phase1 SA Life Time: 28800
Perfect Forward Secrecy: Enabled
Phase2 DH Group: Group 1
Phase2 Encryption: DES
Phase2 Authentication: MD5
Phase2 SA Life Time: 3600
Aggressive Mode: Enabled
Dead Peer Detection (DPD): Enabled
Router B:
Local Security Gateway Type: IP Only
IP Address: 70...*
Local Security Group Type: Subnet
IP Address 192.168.1.0
Subnet Mask: 255.255.255.0
Remote Security Gateway Type: IP Only
IP Address: 12...*
Remote Security Group Type: Subnet
IP Address 192.168.3.0
Subnet Mask: 255.255.255.0
Keying Mode: IKE with Preshared key
Phase1 DH Group: Group 1
Phase1 Encryption: DES
Phase1 Authentication: MD5
Phase1 SA Life Time: 28800
Perfect Forward Secrecy: Enabled
Phase2 DH Group: Group 1
Phase2 Encryption: DES
Phase2 Authentication: MD5
Phase2 SA Life Time: 3600
Aggressive Mode: Enabled
Dead Peer Detection (DPD): Enabled
When I try to connect the tunnel, the log shows:
..[Tunnel Negotiation Info] >>> Initiator Send Aggressive Mode 1st packet
..initiating Aggressive Mode #1814, connection "ips0"
..STATE_AGGR_I1: initiate
..Received Vendor ID payload Type = [Dead Peer Detection]
..[Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet
..Initial Aggressive Mode message from 12...* but no (wildcard) connection has been configured
When I disable aggressive mode I get:
..Initiating Main Mode
..[Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
..Received Vendor ID payload Type = [Dead Peer Detection]
..[Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
..(NATT)Initial Main Mode message received on 70...*:500 but no connection has been authorized. Please check your tunnel endpoint (gateway) setting
..Dynamic VPN client in Main Mode is only supported for Microsoft VPN client, please use Aggressive mode instead.
Any suggestions on what's wrong with my configuration? Both routers are directly connected to their respective modems.
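A mirror-image check for the two tunnel summaries above, added here as an example and not part of the original post or of the router firmware: it parses the summary layout quoted in the thread, verifies that each Local value on one router equals the Remote value on the other and that the IKE/IPsec proposal fields are identical, and flags the deprecated DES, MD5 and DH Group 1 selections. The function names `parse` and `check` are hypothetical, and the gateway addresses are constructed documentation-range placeholders standing in for the obfuscated ones.

```python
import re

# Constructed sample in the RV082 summary layout quoted in the thread;
# the gateway addresses are documentation-range placeholders.
ROUTER_A = (
    "Local Security Gateway Type: IP Only\nIP Address: 203.0.113.10\n"
    "Local Security Group Type: Subnet\nIP Address 192.168.3.0\nSubnet Mask: 255.255.255.0\n"
    "Remote Security Gateway Type: IP Only\nIP Address: 198.51.100.20\n"
    "Remote Security Group Type: Subnet\nIP Address 192.168.1.0\nSubnet Mask: 255.255.255.0\n"
    "Keying Mode: IKE with Preshared key\nPhase1 DH Group: Group 1\nPhase1 Encryption: DES\n"
    "Phase1 Authentication: MD5\nPhase1 SA Life Time: 28800\nPerfect Forward Secrecy: Enabled\n"
    "Phase2 DH Group: Group 1\nPhase2 Encryption: DES\nPhase2 Authentication: MD5\n"
    "Phase2 SA Life Time: 3600\nAggressive Mode: Enabled\nDead Peer Detection (DPD): Enabled\n"
)
# Router B is the mirror image: every Local value becomes Remote and vice versa.
ROUTER_B = ROUTER_A.replace("Local", "\0").replace("Remote", "Local").replace("\0", "Remote")
WEAK = {"DES", "MD5", "Group 1"}  # 56-bit cipher, deprecated hash, 768-bit MODP group

def parse(text):
    """Return {field: value}; IP/mask lines are prefixed with their Local/Remote section."""
    cfg, section = {}, ""
    for line in filter(None, map(str.strip, text.splitlines())):
        head = re.match(r"(Local|Remote) Security (Gateway|Group) Type:\s*(.+)", line)
        addr = re.match(r"(IP Address|Subnet Mask):?\s+(.+)", line)
        if head:
            section = f"{head[1]} {head[2]}"
            cfg[f"{section} Type"] = head[3]
        elif addr:
            cfg[f"{section} {addr[1]}"] = addr[2]
        else:
            key, _, value = line.partition(":")
            cfg[key.strip()] = value.strip()
    return cfg

def check(a, b):
    """Check every field of config a against peer config b; return a list of findings."""
    out = []
    for key, value in a.items():
        side, _, rest = key.partition(" ")
        if side in ("Local", "Remote"):  # must equal the peer's opposite side
            peer_key = ("Remote " if side == "Local" else "Local ") + rest
        else:  # IKE/IPsec proposal fields must be identical on both ends
            peer_key = key
        if b.get(peer_key) != value:
            out.append(f"MISMATCH {key}={value!r} vs peer {peer_key}={b.get(peer_key)!r}")
        if key.startswith("Phase") and value in WEAK:
            out.append(f"WEAK {key}: {value}")
    return out
```

A result with no MISMATCH lines means the displayed settings agree, so a tunnel that still refuses to negotiate has to be debugged from the logs and the stored tunnel state, not the summary page.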
-
Joel about 13 years
I obfuscated that. The log message shows the full IP. Both those log messages were taken from router A (70...)
-
Joel about 13 years
When I disable aggressive I get a log message saying that "Dynamic VPN client in Main Mode is only supported for Microsoft VPN client, please use Aggressive mode instead." I'll try dropping and recreating the tunnels.
-
Joel about 13 years
Hot diggity! Deleting and recreating did it. I wish I had the last 8 hours of my life back...
-
justarobert about 13 years
Next oddity: the error message you're getting when you disable Main Mode is more consistent with a gateway type of Dynamic IP + Domain Name or Dynamic IP + E-mail Addr. than IP only. (You must use Aggressive Mode if you are using one of the dynamic IP types.) Is there any chance one of your Remote Security Gateway Types is dynamic?
-
Joel about 13 years
I'm thinking there is some bug in the firmware that was causing one of the tunnels to display as static but act dynamic. Deleting and recreating solved it.
-
charnley about 13 years
Ha! I remember banging my head for several hours on that as well. Glad it worked!
-
justarobert about 13 years
Heh. I was going to suggest next checking for new firmware, but if it's working, don't touch it. :) This family of routers is not the most robust.