Help Needed in Setting Up Site-to-Site VPN

By charles ·
Greetings,

I'm trying to set up site-to-site VPN to the following set up:

LAN - ISA 2004 - WRT54G - Internet - WRV200 - LAN

+++++++++++++++++++++++++++++++
Here are ip configuration:

ISA 2004 Internal NIC: 192.168.16.3
ISA 2004 External NIC: 192.168.0.10
WRT54G LAN IP: 192.168.0.1
WRT54G WAN IP: 67.107.100.xxx

WRV200 LAN IP: 192.168.2.1
WRV200 WAN IP: 208.176.69.xx

++++++++++++++++++++++++++++++++
The ISA 2004 VPN Set Up

Local Tunnel Endpoint: 192.168.0.10
Remote Tunnel Endpoint: 208.176.69.xx

To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.

IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication method: Pre-shared secret (Cool-Dude!)
Security Association lifetime: 28800 seconds

IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time rekeying: ON
Security Association lifetime: 3600 seconds
Kbyte rekeying: OFF

Remote Network 'Internal_BL' IP Subnets:
Subnet: 192.168.2.0/255.255.255.0

Local Network 'Internal' IP Subnets:
Subnet: 192.168.16.0/255.255.255.0

+++++++++++++++++++++++++++++++++++++++
WRV200 VPN - IPSec VPN

VPN Tunnel
Tunnel Entry: Tunnel A
VPN Tunnel: Enabled
Tunnel Name: to_HQ
Nat-Traversal: Disabled

Local Secure Group
Type: Subnet
IP Address: 192.168.2.0
Mask: 255.255.255.0

Remote Secure Group
Type: Subnet
IP Address: 192.168.16.0
Mask: 255.255.255.0

Remote Secure Gateway
Type: IP Addr.
IP Address: 67.107.100.xx

Key Management
Key Exchange Method: Auto(IKE)
Operation Mode: Mode (not Aggressive)
ISAKMP Encryption Method: 3DES
ISAKMP Authentication Method: SHA1
ISAKMP DH Group: Group 2: 1024-bits
ISAKMP Key Lifetime: 28800
PFS: Enabled
IPSec Encryption Method: 3DES
IPSec Authentication Method: SHA1
IPSec DH Group: The group is the same as ISAKMP
IPSec Key Lifetime: 3600
Pre-Shared Key: Cool-Dude!

Tunnel Options
Dead Peer Detection: Checked
Detection Delay: 30
Detection Timeout: 120
DPD Action: Recover Connection
Anti-replay: Checked
++++++++++++++++++++++++++++++++++++++++++

When I check VPN log via WRV200:

056 [Fri 09:03:01] added connection description "TunnelA"
057 [Fri 09:03:01] "TunnelA" #60: initiating Main Mode
058 [Fri 09:03:01] "TunnelA" #60: [WRV210 Response:] ISAKMP SA (Main Mode) Initiation
059 [Fri 09:04:11] "TunnelA" #60: [WRV210 Response:] Remote peer has no tunnel entry to correspond to this tunnel.
060 [Fri 09:04:11] "TunnelA" #60: [WRV210 Response:] Please check your Remote Secure Gateway setting.
061 [Fri 09:04:11] "TunnelA" #60: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
062 [Fri 09:04:11] "TunnelA" #60: starting keying attempt 2 of at most 3, but releasing whack
063 [Fri 09:04:11] "TunnelA" #61: initiating Main Mode to replace #60


What am I doing wrong...

Many thanks in advance!

-Charles


All Answers


Check the wrt54g and see if it's passing the traffic

by Dumphrey In reply to Help Needed in Setting Up ...

to the isa since that is your endpoint. Looks to me like it's all set up correctly (could and probably am wrong, since all my vpn experience is with cisco), which would mean a firewall issue.


WRT54G IS a firewall.

by 1bn0 In reply to Check the wrt54g and see ...

The WRV200 is trying to establish a connection with the WRT54G.

Since the WRT54G is NOT configured to accept a VPN connection I would not expect it to.

You would have to configure the WRT54G to pass through or configure the WRT54G as the other VPN endpoint.

You may be able to upgrade the WRT54G to perform as a VPN endpoint.


I found this which MAY help

by Dumphrey In reply to WRT54G IS a firewall.

on setting the 54g to pass VPN...

http://www.dslreports.com/faq/12976

Though not site to site specific, it should be enough to get the traffic passed to the isa.
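The diagnosis the replies converge on (the WRV200 is negotiating with the WRT54G, which is neither the VPN endpoint nor forwarding IKE and ESP to the ISA server behind it) can be checked mechanically rather than by eye. The following is an added example, not code from the thread, from Linksys or from Microsoft: it models the two posted configurations as Python dicts (public addresses replaced with documentation-range placeholders because the page masks the last octet, and the pre-shared key replaced with a placeholder), checks that the secure groups and IKE proposals mirror each other, flags an endpoint that sits behind NAT while the peer has NAT-T off, and classifies an Openswan-style log of the kind the WRV200 prints by the state in which retransmissions ran out.

```python
"""Added example (not from the thread or from Linksys/Microsoft tooling):
sanity-check a two-sided IPsec site-to-site configuration and classify the
Openswan-style VPN log a WRV200 prints."""
import ipaddress
import re

# RFC 1918 ranges: an IKE endpoint with one of these addresses is behind NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed from the settings posted in the thread. Public addresses are
# documentation-range placeholders (the page masks the last octet) and the
# pre-shared key is a placeholder, not the one posted.
ISA_SIDE = {
    "local_endpoint": "192.168.0.10",        # ISA 2004 external NIC, behind the WRT54G
    "remote_gateway": "203.0.113.10",        # WRV200 WAN (placeholder)
    "local_subnet": "192.168.16.0/24",
    "remote_subnet": "192.168.2.0/24",
    "nat_traversal": None,                   # not shown in the ISA dialog
    "psk": "PLACEHOLDER-PSK",
    "phase1": {"mode": "main", "enc": "3DES", "integ": "SHA1", "dh": 2, "lifetime": 28800},
    "phase2": {"enc": "3DES", "integ": "SHA1", "pfs": True, "dh": 2, "lifetime": 3600},
}
WRV200_SIDE = {
    "local_endpoint": "203.0.113.10",        # WRV200 WAN (placeholder)
    "remote_gateway": "198.51.100.20",       # WRT54G WAN (placeholder), not the ISA itself
    "local_subnet": "192.168.2.0/24",
    "remote_subnet": "192.168.16.0/24",
    "nat_traversal": False,                  # "Nat-Traversal: Disabled" in the posted config
    "psk": "PLACEHOLDER-PSK",
    "phase1": {"mode": "main", "enc": "3DES", "integ": "SHA1", "dh": 2, "lifetime": 28800},
    "phase2": {"enc": "3DES", "integ": "SHA1", "pfs": True, "dh": 2, "lifetime": 3600},
}


def behind_nat(endpoint):
    """True when the tunnel endpoint carries an RFC 1918 address."""
    ip = ipaddress.ip_address(endpoint)
    return any(ip in net for net in RFC1918)


def check_tunnel(a, b):
    """Return a list of findings for a pair of peer configs; empty means consistent."""
    findings = []
    if a["local_subnet"] != b["remote_subnet"] or a["remote_subnet"] != b["local_subnet"]:
        findings.append("subnet mismatch: local and remote secure groups do not mirror each other")
    if a["psk"] != b["psk"]:
        findings.append("phase1 mismatch on pre-shared key")
    for phase in ("phase1", "phase2"):
        for key, value in a[phase].items():
            if b[phase].get(key) != value:
                findings.append(f"{phase} mismatch on {key}: {value!r} vs {b[phase].get(key)!r}")
    # Each side's "remote gateway" must be the address the other side actually
    # negotiates from. If that side is RFC 1918, a NAT router is in the path and
    # has to hand IKE and ESP to the real endpoint.
    for near, far, label in ((a, b, "A"), (b, a, "B")):
        ep, gw = near["local_endpoint"], far["remote_gateway"]
        if gw != ep:
            if behind_nat(ep):
                findings.append(
                    f"peer {label} endpoint {ep} is behind NAT at {gw}: that router must forward "
                    f"UDP/500, UDP/4500 and ESP (IP protocol 50) to {ep}")
            else:
                findings.append(f"peer {label}: other side points at {gw} but endpoint is {ep}")
        if behind_nat(ep) and far["nat_traversal"] is False:
            findings.append(f"peer {label} is behind NAT but the other side has NAT-T disabled")
    return findings


# Where Main Mode retransmissions ran out tells you which layer to look at.
MAIN_MODE_HINTS = {
    "STATE_MAIN_I1": "no reply to the first IKE message: UDP/500 never reached a listening "
                     "peer, so look at routing, firewalling or port forwarding before proposals or keys",
    "STATE_MAIN_I2": "peer answered the proposal but not the key exchange: check DH group "
                     "and NAT/fragmentation handling",
    "STATE_MAIN_I3": "peer stopped answering at identity/authentication: check the pre-shared "
                     "key and peer IDs",
}
STATE_RE = re.compile(r"reached (STATE_\w+)")


def classify_log(text):
    """Classify an Openswan-style log by the last state in which retransmissions ran out."""
    last_state = None
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            last_state = m.group(1)
    if last_state is None:
        return {"state": None, "verdict": "no-timeout-seen", "hint": ""}
    verdict = "phase1-no-response" if last_state == "STATE_MAIN_I1" else "negotiation-failed"
    return {"state": last_state, "verdict": verdict,
            "hint": MAIN_MODE_HINTS.get(last_state, "see the state name")}


# Constructed sample in the format the thread shows.
SAMPLE_LOG = """\
057 [Fri 09:03:01] "TunnelA" #60: initiating Main Mode
061 [Fri 09:04:11] "TunnelA" #60: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
062 [Fri 09:04:11] "TunnelA" #60: starting keying attempt 2 of at most 3, but releasing whack
"""

if __name__ == "__main__":
    for finding in check_tunnel(ISA_SIDE, WRV200_SIDE):
        print("-", finding)
    print(classify_log(SAMPLE_LOG))
```

Run as a script, the checker reports no proposal or subnet mismatch for the posted settings, but two findings on peer A: the ISA endpoint 192.168.0.10 is behind NAT at the WRT54G's address, so that router has to forward UDP/500, UDP/4500 and ESP to the ISA server, and the WRV200 has NAT-T disabled even though its peer is NATed. The log classifier reads the `STATE_MAIN_I1` timeout as "first IKE message unanswered", which matches the reachability explanation in the replies rather than a key or proposal problem, which would normally show up at a later Main Mode state.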
