Scribd
Upload
15 views

Router_Cisco_ConfigGuide

This configuration guide details how to set up TheGreenBow IPsec VPN Client with a Cisco RV345 VPN router for secure remote access to a corporate network. It includes sections on configuration steps, troubleshooting common errors, and tools for diagnosing issues. The document also provides links to additional resources and product information for the Cisco RV345 router.

Uploaded by

shulist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
15 views

Router_Cisco_ConfigGuide

This configuration guide details how to set up TheGreenBow IPsec VPN Client with a Cisco RV345 VPN router for secure remote access to a corporate network. It includes sections on configuration steps, troubleshooting common errors, and tools for diagnosing issues. The document also provides links to additional resources and product information for the Cisco RV345 router.

Uploaded by

shulist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

TheGreenBow IPsec VPN Client

Configuration Guide
Cisco RV345

Website: www.thegreenbow.com
Contact: support@thegreenbow.com

Property of TheGreenBow – Sistech S.A. © 2020


Configuration Guide

Table of Contents

1 Introduction ............................................................................................................................................ 3
1.1 Goal of this document.................................................................................................................... 3
1.2 VPN Network topology .................................................................................................................. 3
1.3 Cisco RV345 Restrictions ................................................................................................................ 3
1.4 Cisco RV345 VPN Gateway ............................................................................................................. 3
1.5 Cisco RV345 VPN Gateway product info ........................................................................................ 3
2 Cisco RV345 VPN configuration .............................................................................................................. 4
3 TheGreenBow IPsec VPN Client configuration ....................................................................................... 8
3.1 VPN Client Phase 1 (IKE) Configuration ......................................................................................... 8
3.2 VPN Client Phase 2 (IPsec) Configuration .................................................................................... 10
3.3 Open IPsec VPN tunnels ............................................................................................................... 11
4 Tools in case of trouble......................................................................................................................... 12
4.1 A good network analyser: Wireshark........................................................................................... 12
5 VPN IPsec Troubleshooting................................................................................................................... 13
5.1 “PAYLOAD MALFORMED” error (wrong Phase 1 [SA]) ................................................................ 13
5.2 “INVALID COOKIE” error .............................................................................................................. 13
5.3 “no keystate” error ...................................................................................................................... 13
5.4 “received remote ID other than expected” error ........................................................................ 13
5.5 “NO PROPOSAL CHOSEN” error ................................................................................................... 14
5.6 “INVALID ID INFORMATION” error .............................................................................................. 14
5.7 I clicked on “Open tunnel”, but nothing happens. ...................................................................... 14
5.8 The VPN tunnel is up but I can’t ping ! ........................................................................................ 15
6 Contacts ................................................................................................................................................ 16

2
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

1 Introduction
1.1 Goal of this document
This configuration guide describes how to configure TheGreenBow IPsec VPN Client software with a cisco
RV345 VPN router to establish VPN connections for remote access to corporate network.

1.2 VPN Network topology


In our VPN network example (diagram hereafter), we will connect TheGreenBow IPsec VPN Client software to
the LAN behind the cisco RV345 router. The VPN client is connected to the Internet with a DSL connection or
through a LAN. All the addresses in this document are given for example purpose.

IPsec VPN Client


as seen on LAN

mygateway.dyndns.org
192.168.28.1

192.168.1.1

192.168.1.78
Internet
IPsec VPN Client
(Remote) Cisco RV345

192.168.1.3

1.3 Cisco RV345 Restrictions


No known restrictions.

1.4 Cisco RV345 VPN Gateway


Our tests and VPN configuration have been conducted with cisco RV345 firmware 1.0.03.17.

1.5 Cisco RV345 VPN Gateway product info


It is critical that users find all necessary information about cisco RV345 VPN Gateway. All product info, User
Guide and knowledge base for the cisco RV345 VPN Gateway can be found on the cisco website: cisco RV345.

cisco RV345 Product page https://www.cisco.com/c/en/us/products/routers/rv345-


dual-gigabit-wan-vpn-router/index.html
cisco RV345 User Guide https://www.cisco.com/c/dam/en/us/td/docs/routers/csbr/R
V340/Administration/EN/b_RV340x_AG.pdf
cisco RV345 FAQ/Knowledge Base https://www.cisco.com/c/en/us/support/routers/rv345-dual-
gigabit-wan-vpn-router/model.html

3
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

2 Cisco RV345 VPN configuration


This section describes how to build an IPsec VPN configuration with your cisco RV345 VPN router.
Once connected to your cisco RV345 VPN gateway, you must select “VPN > VPN Passthrough” menu.
✓ Uncheck “IPSec Passthrough”

4
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

5
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

6
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

7
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

3 TheGreenBow IPsec VPN Client configuration


This section describes the required configuration to connect to a cisco RV345 VPN router via VPN connections.
To download the latest release of TheGreenBow IPsec VPN Client software, please go to
www.thegreenbow.com/vpn_products.html

3.1 VPN Client Phase 1 (IKE) Configuration

The remote VPN


Gateway IP address is
either an explicit IP
address or a DNS Name

123456789

Phase 1 configuration

You may use either Preshared key, Certificates, USB Tokens for User Authentication with the cisco RV345
router. This configuration is one example of what can be accomplished in term of User Authentication. You
may want to refer to either the cisco RV345 router user guide or TheGreenBow IPsec VPN Client software
User Guide for more details on User Authentication options.

8
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

Phase 1 Advanced configuration

✓ Set Local ID
✓ Enable “Mode Config”

9
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

3.2 VPN Client Phase 2 (IPsec) Configuration

VPN Client Virtual IP


address

Enter the IP address


(and subnet mask)
of the remote LAN.

Phase 2 Configuration

10
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

3.3 Open IPsec VPN tunnels


Once both cisco RV345 router and TheGreenBow IPsec VPN Client software have been configured accordingly,
you are ready to open VPN tunnels. First make sure you enable your firewall with IPsec traffic.
1/ Click on "Save & Apply" to take into account all modifications we've made on your VPN Client
configuration.
2/ Click on "Open Tunnel", or generate traffic that will automatically open a secure IPsec VPN Tunnel (e.g.
ping, IE browser).
3/ Select "Connections" to see opened VPN Tunnels.
4/ Select "Console" if you want to access to the IPsec VPN logs and adjust filters to display less IPsec
messaging. The following example shows a successful connection between TheGreenBow IPsec VPN
Client and a cisco RV345 VPN router.

11
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

4 Tools in case of trouble


Configuring an IPsec VPN tunnel can be a hard task. One missing parameter can prevent a VPN connection
from being established. Some tools are available to find source of troubles during a VPN establishment.

4.1 A good network analyser: Wireshark

Wireshark is a free software that can be used for packet and traffic analysis. It shows IP or TCP packets
received on a network card. This tool is available on website www.wireshark.org. It can be used to follow
protocol exchange between two devices. For installation and use details, read its specific documentation
(www.wireshark.org/docs/).

12
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

5 VPN IPsec Troubleshooting


5.1 “PAYLOAD MALFORMED” error (wrong Phase 1 [SA])
114920 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
114920 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [NOTIFY]
114920 Default exchange_run: exchange_validate failed
114920 Default dropped message from 195.100.205.114 port 500 due to notification type
PAYLOAD_MALFORMED
114920 Default SEND Informational [NOTIFY] with PAYLOAD_MALFORMED error

If you have an “PAYLOAD MALFORMED” error you might have a wrong Phase 1 [SA], check if the encryption
algorithms are the same on each side of the VPN tunnel.

5.2 “INVALID COOKIE” error


115933 Default message_recv: invalid cookie(s) 5918ca0c2634288f 7364e3e486e49105
115933 Default dropped message from 195.100.205.114 port 500 due to notification type
INVALID_COOKIE
115933 Default SEND Informational [NOTIFY] with INVALID_COOKIE error

If you have an “INVALID COOKIE” error, it means that one of the endpoint is using a SA that is no more in use.
Reset the VPN connection on each side.

5.3 “no keystate” error


115315 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
115317 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]
115317 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]
115319 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]
115319 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
115319 Default IPsec_get_keystate: no keystate in ISAKMP SA 00B57C50

Check if the preshared key is correct or if the local ID is correct (see “Advanced” button). You should have
more information in the remote endpoint logs.

5.4 “received remote ID other than expected” error


120348 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
120349 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]
120349 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]
120351 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]
120351 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
120351 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]
120351 Default ike_phase_1_recv_ID: received remote ID other than expected
support@thegreenbow.fr

The “Remote ID” value (see “Advanced” Button) does not match what the remote endpoint is expected.

13
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

5.5 “NO PROPOSAL CHOSEN” error


115911 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
115913 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]
115913 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]
115915 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]
115915 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
115915 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]
115915 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72:
195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114
115915 Default (SA CNXVPN1-CNXVPN1-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE]
115915 Default RECV Informational [HASH][NOTIFY] with NO_PROPOSAL_CHOSEN error
115915 Default RECV Informational [HASH][DEL]
115915 Default CNXVPN1-P1 deleted

If you have an “NO PROPOSAL CHOSEN” error, check that the “Phase 2” encryption algorithms are the same
on each side of the VPN Tunnel.

Check “Phase 1” algorithms if you have this:

115911 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]


115911 Default RECV Informational [NOTIFY] with NO_PROPOSAL_CHOSEN error

5.6 “INVALID ID INFORMATION” error


122623 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [SA][VID]
122625 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [SA][VID]
122625 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [KEY][NONCE]
122626 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [KEY][NONCE]
122626 Default (SA CNXVPN1-P1) SEND phase 1 Main Mode [ID][HASH][NOTIFY]
122626 Default (SA CNXVPN1-P1) RECV phase 1 Main Mode [ID][HASH][NOTIFY]
122626 Default phase 1 done: initiator id c364cd70: 195.100.205.112, responder id c364cd72:
195.100.205.114, src: 195.100.205.112 dst: 195.100.205.114
122626 Default (SA CNXVPN1-CNXVPN1-P2) SEND phase 2 Quick Mode [SA][KEY][ID][HASH][NONCE]
122626 Default RECV Informational [HASH][NOTIFY] with INVALID_ID_INFORMATION error
122626 Default RECV Informational [HASH][DEL]
122626 Default CNXVPN1-P1 deleted

If you have an “INVALID ID INFORMATION” error, check if “Phase 2" ID (local address and network address) is
correct and match what is expected by the remote endpoint.

Check also ID type (“Subnet address” and “Single address”). If network mask is not check, you are using a
IPV4_ADDR type (and not a IPV4_SUBNET type).

5.7 I clicked on “Open tunnel”, but nothing happens.


Read logs of each VPN tunnel endpoint. IKE requests can be dropped by firewalls. An IPsec Client uses UDP
port 500 and protocol ESP (protocol 50).

14
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

5.8 The VPN tunnel is up but I can’t ping !


If the VPN tunnel is up, but you still cannot ping the remote LAN, here are a few guidelines:
▪ Check Phase 2 settings: VPN Client address and Remote LAN address. Usually, VPN Client IP address
should not belong to the remote LAN subnet
▪ Once VPN tunnel is up, packets are sent with ESP protocol. This protocol can be blocked by firewall.
Check that every device between the client and the VPN server does accept ESP
▪ Check your VPN server logs. Packets can be dropped by one of its firewall rules.
▪ Check your ISP support ESP
▪ If you still cannot ping, follow ICMP traffic on VPN server LAN interface and on LAN computer interface
(with Wireshark for example). You will have an indication that encryption works.
▪ Check the “default gateway” value in VPN Server LAN. A target on your remote LAN can receive pings but
does not answer because there is a no “Default gateway” setting.
▪ You cannot access to the computers in the LAN by their name. You must specify their IP address inside the
LAN.
▪ We recommend you to install Wireshark (www.wireshark.org) on one of your target computer. You can
check that your pings arrive inside the LAN.

15
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Configuration Guide

6 Contacts
News and updates on TheGreenBow web site: www.thegreenbow.com

Technical support by email at: support@thegreenbow.com

Sales contacts by email at: sales@thegreenbow.com

16
IPsec VPN Router Configuration Property of TheGreenBow – Sistech S.A. © 2020
Secure, Strong, Simple
TheGreenBow Security Software

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy