VPN assistance

Goodassistant

Technical User
May 25, 2010
25
US
OK, last try before I just set up a VPN point at each site with hardware.

We are running IP Office 500 with 4.2; the phone I am using is a 5410 SW IP phone with VPN software loaded.

Vpn router RVS4000
Below are two images of the setup pages on the router itself.

The phone setup
Cisco Xauth with PSK
Server : External Ip on VPN router
User Name : Cisco123
Password: *******
Group Name : VPNPHONE
GroupPSK : *******
VPN Start Mode = BOOT
Password Type = Save in Flash
Encapsulation 4500-4500
Syslog Server - None
IKE Parameters DH1-3DES-MD5
IPSec Parameters DH2-3DES-SHA1
Protected Nets - Remote Net #1 192.168.50.0/24
Copy TOS - No
File Srvr : 192.168.1.4
QTest Disable


Log from the VPN router when I try to connect with the VPN phone:
Jun 22 12:34:40 - [VPN Log]: packet from MY IP ADDRESS:2070: received Vendor ID payload [RFC 3947] method set to=109
Jun 22 12:34:40 - [VPN Log]: packet from MY IP ADDRESS:2070: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jun 22 12:34:40 - [VPN Log]: packet from MY IP ADDRESS:2070: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jun 22 12:34:40 - [VPN Log]: packet from MY IP ADDRESS:2070: ignoring unknown Vendor ID payload [4485152d18b6bbcc0be8a8469579ddcc]
Jun 22 12:34:40 - [VPN Log]: packet from MY IP ADDRESS:2070: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 22 12:34:40 - [VPN Log]: packet from MY IP ADDRESS:2070: received Vendor ID payload [XAUTH]
Jun 22 12:34:40 - [VPN Log]: packet from MY IP ADDRESS:2070: initial Aggressive Mode message from MY IP ADDRESS but no (wildcard) connection has been configured

Looking for anyone that may be able to help me on this.

Thank you
 
Try setting your IKE ID type to key-id, then your IKE parameters to Detect, any, any. IKE config mode to enabled, XAuth enabled. Set IP Sec to Any, Any, Detect. And change your protected nets remote net #1 to 0.0.0.0/24.

ACA
ACS
CompTIA Convergence+
CCNA
CCVP
 
Protected nets remote net #1 to 0.0.0.0/0.

ACA
ACS
CompTIA Convergence+
CCNA
CCVP
 
Thank you kindly for your suggestion. I have made all the changes you suggested above, and the log on the VPN router reads:

Jun 23 09:42:29 - [VPN Log]: packet from MY IP ADDRESS:2070: received Vendor ID payload [RFC 3947] method set to=109
Jun 23 09:42:29 - [VPN Log]: packet from MY IP ADDRESS:2070: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jun 23 09:42:29 - [VPN Log]: packet from MY IP ADDRESS:2070: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jun 23 09:42:29 - [VPN Log]: packet from MY IP ADDRESS:2070: ignoring unknown Vendor ID payload [4485152d18b6bbcc0be8a8469579ddcc]
Jun 23 09:42:29 - [VPN Log]: packet from MY IP ADDRESS:2070: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 23 09:42:29 - [VPN Log]: packet from MY IP ADDRESS:2070: received Vendor ID payload [XAUTH]
Jun 23 09:42:29 - [VPN Log]: packet from MY IP ADDRESS:2070: initial Aggressive Mode message from MY IP ADDRESS but no (wildcard) connection has been configured

On the phone itself, it reads IKE Phase1 no response

Thanks,
 
Try:

The phone setup
Cisco Xauth with PSK
Server : External Ip on VPN router
User Name : Cisco123
Password: *******
Group Name : VPNPHONE
GroupPSK : *******
VPN Start Mode = BOOT <------- Script
Password Type = Save in Flash
Encapsulation 4500-4500
Syslog Server - None
IKE Parameters DH1-3DES-MD5 <---- Try Auto
IPSec Parameters DH2-3DES-SHA1 <---- Try Auto
Protected Nets - Remote Net #1 xx <----#1 0.0.0.0/24
Copy TOS - No
File Srvr : 192.168.1.4
QTest Disable


___________________________________________
It works! Now if only I could remember what I did...

Dain Bramaged
___________________________________________
 
<----#1 0.0.0.0/24 needs to be <----#1 0.0.0.0/0

___________________________________________
It works! Now if only I could remember what I did...

Dain Bramaged
___________________________________________
 
It just seems like the RVS4000 is not going to be able to handle the Avaya VPN phone for some reason. I have tried all your suggestions, and have gone over everything 3 times. But I just keep running into the message [VPN Log]: packet from MY IP ADDRESS:2070: initial Aggressive Mode message from MY IP ADDRESS but no (wildcard) connection has been configured.

If there was more of a specific error, I would be able to troubleshoot this a little better. But a wildcard can be anything really.

Thanks
 
Update: Not to confuse things, but if I put the VPN router connection in aggressive mode, I no longer get the previous "no wildcard" message. The message changes to [VPN Log]: "VPNPHONE"[2] MY IP ADDRESS #1: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD

Seems like this error is indicating a setting being missed on the VPN phone itself.

Thanks
 
According to Cisco, the RVS4000 does not support XAUTH. So if anyone ever asks in the future, we now know.

Thanks for your help

I have decided to just put an RVS4000 on each site and VPN that route.
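
The two router messages quoted in this thread can be told apart mechanically. The following is an added example, not part of the original thread and not Cisco or Avaya tooling: it parses the [VPN Log] line format shown above and flags the case where the initiator advertises XAUTH while the responder's policy refuses it. The function name analyze and the finding labels are hypothetical, and the timestamp on the last sample line is constructed.

```python
import re

# Sample lines: the first three are copied from the thread (peer address already
# redacted as "MY IP ADDRESS"); the timestamp on the last one is constructed.
SAMPLE_LOG = """\
Jun 23 09:42:29 - [VPN Log]: packet from MY IP ADDRESS:2070: received Vendor ID payload [RFC 3947] method set to=109
Jun 23 09:42:29 - [VPN Log]: packet from MY IP ADDRESS:2070: received Vendor ID payload [XAUTH]
Jun 23 09:42:29 - [VPN Log]: packet from MY IP ADDRESS:2070: initial Aggressive Mode message from MY IP ADDRESS but no (wildcard) connection has been configured
Jun 23 10:05:11 - [VPN Log]: "VPNPHONE"[2] MY IP ADDRESS #1: policy does not allow Extended Authentication (XAUTH) of initiator (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) - \[VPN Log\]: (?P<msg>.*)$")
VENDOR_ID = re.compile(r"received Vendor ID payload \[(?P<vid>[^\]]+)\]")
UNKNOWN_VID = re.compile(r"ignoring unknown Vendor ID payload \[(?P<vid>[0-9a-f]+)\]")

# Message fragment -> finding label (labels are hypothetical names for this example).
FAILURES = {
    "but no (wildcard) connection has been configured": "aggressive_mode_not_accepted",
    "policy does not allow Extended Authentication (XAUTH)": "xauth_rejected_by_responder",
}

def analyze(log_text):
    """Summarise what the initiator offered and why the responder refused it."""
    report = {"offered": [], "unknown_vids": [], "failures": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a VPN log line
        msg = m.group("msg")
        if (v := VENDOR_ID.search(msg)) and v.group("vid") not in report["offered"]:
            report["offered"].append(v.group("vid"))
        elif u := UNKNOWN_VID.search(msg):
            report["unknown_vids"].append(u.group("vid"))
        for fragment, label in FAILURES.items():
            if fragment in msg and label not in report["failures"]:
                report["failures"].append(label)
    # The peer advertises XAUTH and the responder's policy refuses it: the
    # mismatch the thread ends on, which no proposal change on the phone fixes.
    report["xauth_mismatch"] = ("XAUTH" in report["offered"]
                                and "xauth_rejected_by_responder" in report["failures"])
    return report

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```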

 