DMVPN behind NAT is registering private IP

I have a DMVPN behind a NAT and when it connects to the hub it's registering its private address.
Routing is working fine to the hub, but when another spoke attempts to contact it, it cannot because all it knows about is the private IP.
Is there any way to register the IKE negotiated address or have NHRP work properly behind a NAT?
hostname BRIVPN02
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.30.2.1 10.30.2.199
ip dhcp pool DHCP
   network 10.30.2.0 255.255.255.0
   dns-server 172.27.10.31 172.27.10.32 208.200.199.3
   default-router 10.30.2.1
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
multilink bundle-name authenticated
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ABS16855 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ABS esp-3des esp-md5-hmac
crypto ipsec profile ABS
 set security-association lifetime seconds 600
 set transform-set ABS
archive
 log config
  hidekeys
ip ssh version 2
bridge irb
interface Tunnel0
 ip address 172.25.254.11 255.255.254.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication ABS_NET
 ip nhrp map multicast dynamic
 ip nhrp map multicast 66.54.184.15
 ip nhrp map 172.25.254.2 66.54.184.15
 ip nhrp network-id 1
 ip nhrp nhs 172.25.254.2
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 10
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile ABS
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
interface BVI1
 ip address 10.30.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
router eigrp 10
 network 10.30.2.0 0.0.0.255
 network 172.25.0.0
 no auto-summary
 eigrp router-id 172.25.254.11
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source route-map NAT interface FastEthernet4 overload
ip access-list extended NAT
 permit ip 10.30.2.0 0.0.0.255 any
route-map NAT permit 10
 match ip address NAT
control-plane
bridge 1 route ip
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 60 0
 transport input ssh
scheduler max-task-time 5000
end

I figured it out: by setting my IPsec mode to transport, it started registering the real IP address, but now for some reason my EIGRP is only passing a small portion of the routes.

Similar Messages

  • DMVPN behind NAT

    Hi,
    I'm having a little trouble getting a DMVPN up using a host that is behind a NAT device. It looks as though with my version of IOS I need to use IPsec tunnel mode, but the NHRP registration on the hub shows the real address of the spoke and not the NAT'd address. Because of this the spoke can't be seen by any others.
    Any ideas where I may be going wrong here?
    Thanks in advance for your help!
    Andy

    DMVPN is supported behind NAT. This is usually seen on routers. Upgrade the router software to 12.3(11)T6 or greater to fix this issue.

  • DMVPN Hub and Spoke behind NAT device

    Hi All,
    I have seen many documents about DMVPN hub behind NAT or DMVPN spoke behind NAT.
    But my case involves both situations.
    1) HUB has a load balancer (2 WAN links), ISP A & B
    2) Spoke has a load balancer (2 WAN links), ISP A & B
    Now the requirement is: spoke ISP A tunnels to HUB ISP A, spoke ISP B tunnels to HUB ISP B.
    So a total of two DMVPN tunnels from spoke to hub, and I will use EIGRP and PBR to select the path.
    As I know, at the HUB site the LB must do static NAT for the HUB router IP, so the spoke will point to it as the tunnel destination address. At the spoke LB, I will do policy routing to reach the HUB ISP A IP via the spoke ISP A link, and the HUB ISP B IP via the spoke ISP B link.
    HUB and spoke have to create 2 tunnels with two different network IDs but using the same source interface.
    The tunnel destination IP at the spoke router does not directly belong to the HUB router. It is held by the HUB LB and forwarded to the HUB router by static NAT.
    Any problems I will face with this setup? Any guide?
    Sample config at HUB.
    interface Tunnel0
     bandwidth 1000
     ip address 172.16.1.1 255.255.255.0
     ip mtu 1440
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 600
     delay 1000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 0
     tunnel protection ipsec profile cisco
    interface Tunnel1
     bandwidth 1000
     ip address 172.17.1.1 255.255.255.0
     ip mtu 1440
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 2
     ip nhrp holdtime 600
     delay 1000
     tunnel source FastEthernet0/0
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile cisco
    Spoke config:
    interface Tunnel0
     bandwidth 1000
     ip address 172.16.1.2 255.255.255.0
     ip mtu 1440
     ip nhrp authentication cisco123
     ip nhrp map 172.16.1.1 199.1.1.1
     ip nhrp network-id 1
     ip nhrp holdtime 300
     ip nhrp nhs 172.16.1.1
     delay 1000
     tunnel source FastEthernet0/0
     tunnel destination 199.1.1.1
     tunnel key 0
     tunnel protection ipsec profile cisco
    interface Tunnel1
     bandwidth 1000
     ip address 172.17.1.2 255.255.255.0
     ip mtu 1440
     ip nhrp authentication cisco123
     ip nhrp map 172.17.1.1 200.1.1.1
     ip nhrp network-id 2
     ip nhrp holdtime 300
     ip nhrp nhs 172.17.1.1
     delay 1500
     tunnel source FastEthernet0/0
     tunnel destination 200.1.1.1
     tunnel key 1
     tunnel protection ipsec profile cisco

    Hi Marcin,
    thanks for your reply. The NAT was set up in a way that it was/is just to simulate the spoke being behind a NAT device.
    About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. In the end, TAC actually assisted me with this. Before I called TAC, I did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that did not work, and it has to do with NAT and AH. Traffic was no longer NATed, so the hub saw the traffic come from 2.2.2.2 rather than 3.3.3.3; you can also see that in the error message you pointed out. I also saw it in my packet captures. That caught my eye and I started troubleshooting it. I did not understand that AH can't be NATed. Below is TAC's explanation. All is good now. Thanks.
    "Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum. Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
    Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check. In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."
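The TAC explanation above can be checked with a small model. This is an added example, not code from the thread or from Cisco: it builds a minimal IPv4 header, computes an AH-style integrity value over the header with the mutable fields zeroed (the list TAC gives) plus the payload, and an ESP-style integrity value over the ESP header and payload only, then re-verifies both after a simulated NAT rewrite and after a plain router hop. The addresses, key and payload are constructed demo values; the AH header itself is omitted for brevity.

```python
"""Why AH fails across NAT while ESP survives: a constructed model (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

KEY = b"constructed-demo-integrity-key"   # constructed; a real SA negotiates this via IKE


@dataclass(frozen=True)
class IPv4Header:
    tos: int          # DSCP + ECN: mutable in transit
    total_length: int
    ident: int
    flags: int        # 3 bits: mutable (a router may set DF)
    frag_offset: int  # 13 bits: mutable
    ttl: int          # mutable, decremented per hop
    protocol: int
    src: str          # immutable: AH protects it, NAT rewrites it
    dst: str

    def pack(self, checksum: int = 0) -> bytes:
        """20-byte IPv4 header without options (version 4, IHL 5)."""
        flags_frag = (self.flags << 13) | self.frag_offset
        return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, self.tos, self.total_length,
                           self.ident, flags_frag, self.ttl, self.protocol,
                           checksum, _ip(self.src), _ip(self.dst))


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ah_icv(hdr: IPv4Header, payload: bytes) -> bytes:
    """AH (RFC 4302 style): HMAC over the IP header with mutable fields zeroed, then payload.
    Source/destination addresses stay inside the covered bytes; the header checksum is
    treated as mutable by always packing it as zero."""
    immutable = replace(hdr, tos=0, flags=0, frag_offset=0, ttl=0)
    return hmac.new(KEY, immutable.pack(checksum=0) + payload, hashlib.sha256).digest()


def esp_icv(esp_header: bytes, payload: bytes) -> bytes:
    """ESP: HMAC over the ESP header (SPI, sequence number) and the protected payload only.
    The outer IP header, and any UDP/4500 NAT-T encapsulation, is outside the check."""
    return hmac.new(KEY, esp_header + payload, hashlib.sha256).digest()


def nat_rewrite(hdr: IPv4Header, public_src: str) -> IPv4Header:
    """Simulated NAT device: rewrites the source address and decrements TTL."""
    return replace(hdr, src=public_src, ttl=hdr.ttl - 1)


def router_hop(hdr: IPv4Header) -> IPv4Header:
    """A plain forwarding hop touches only mutable fields (TTL, hence the checksum)."""
    return replace(hdr, ttl=hdr.ttl - 1)


# Constructed packet: a spoke on a private address sending to a hub (demo addresses).
PAYLOAD = b"constructed-gre-payload"
ESP_HEADER = struct.pack("!II", 0x1234ABCD, 1)          # SPI and sequence number (constructed)
SPOKE = IPv4Header(tos=0, total_length=20 + len(PAYLOAD), ident=0x1000, flags=2,
                   frag_offset=0, ttl=64, protocol=51,
                   src="192.168.4.50", dst="203.0.113.10")
NAT_PUBLIC = "198.51.100.7"


def ah_survives(transform) -> bool:
    """Sender computes the AH ICV, the packet is transformed in transit, receiver re-verifies."""
    sent = ah_icv(SPOKE, PAYLOAD)
    arrived = transform(SPOKE)
    return hmac.compare_digest(sent, ah_icv(arrived, PAYLOAD))


def esp_survives(transform) -> bool:
    """Same flow for ESP: the outer header changes, but ESP never covered it."""
    sent = esp_icv(ESP_HEADER, PAYLOAD)
    transform(SPOKE)   # outer header rewritten in transit; not an input to the ESP check
    return hmac.compare_digest(sent, esp_icv(ESP_HEADER, PAYLOAD))


def ah_survives_router_hop() -> bool:
    return ah_survives(router_hop)


def ah_survives_nat() -> bool:
    return ah_survives(lambda h: nat_rewrite(h, NAT_PUBLIC))


def esp_survives_nat() -> bool:
    return esp_survives(lambda h: nat_rewrite(h, NAT_PUBLIC))


if __name__ == "__main__":
    print("AH after a plain router hop:", ah_survives_router_hop())
    print("AH after NAT:", ah_survives_nat())
    print("ESP after NAT:", esp_survives_nat())
```

A TTL decrement alone leaves the AH check intact, which is why the hub only starts dropping packets once an address-rewriting device sits in the path.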

  • Client behind NAT

    I have been searching for a solution for this issue with all that Google knows......
    I have my client behind NAT with IP 192.168.27.1
    And the server behind NAT with some IP (I am not really worried about this)
    Now I register a client object to the server for notification. Simply, a hash table in the server stores all my client objects. On an expected change, I invoke a method in my client objects.
    In this scenario I happened to observe that the client objects sent to the server had the client IP (192.168.27.1) inside them and not the NAT IP through which they went out.
    So when I went to invoke the remote method, interestingly nothing happens, as the client cannot be located.
    I tried creating custom sockets in the client and binding them to the NAT IP --> obvious bind exception for an IP that is not with the client
    Setting the NAT IP as java.rmi.hostname in the client --> no effect, since the server is still trying to notify (192.168.27.1)
    Help me to root out this issue. I feel that there must be a solution for this, otherwise RMI would not have been this successful.

    Hi turing,
    thanks for your reply.
    Actually my question is:
    "maybe if you try using the "real" IP (www.whatismyip.com)
    your program will work."
    How do I do this in the scenario I explained?
    Most of the discussions I saw in this forum are about a server behind NAT and the resolution approach for it. I can't find an answer for this even in the post you mentioned.
    Simply,
    when I register a client object in the server, how will the server identify the client to notify, when the client is behind NAT?
    Will the IP address that the remote object carries also be NAT'ed? I don't see this happening.

  • MapViewer Behind NAT

    Hi,
    I'm using MapViewer and I integrated it with my ADF application. I generally have no problem. I deployed both of them on a WebLogic server, and they work great. But when I want to access my app server (WebLogic) from another place behind NAT, MapViewer doesn't work any longer!
    My application page (ADF/JSP) works, but the map object (dvt:map) on my page doesn't render! I think it is caused by the IP difference. Everything is the same, but just the IP changes behind the NAT.
    Because of the network backbone, we are forced to use another server IP on the client side for the WebLogic server, instead of the real server IP (e.g. the real server IP is 172.18.10.1 but the client machine behind the NAT can see the server as 172.16.2.3).
    I want to emphasize that all pages and all other features in my web application work, and I can see and access the MapViewer server from the client (behind the NAT) too. But my map object (dvt:map) on my pages doesn't render and just shows a blank area without any error!
    I know I don't have any problem accessing the MapViewer server, because I can reach my MapViewer server control panel from the client side (behind the NAT), and MapViewer is installed on the WebLogic on which my application is installed. So, my question is: if I can work with my application behind the NAT, why can't I see my map on it?

    The key is that the NAT-enabled router is the one that will require port mapping/forwarding to be configured. In addition, you don't necessarily need for the Internet router to have a static IP address, but it MUST be a Public IP address. If your HOA controls this router, then most likely, they will NOT be willing to configure it to allow port mapping to your IP camera.

  • OEAP602 - Support for APs behind NAT

    Support for APs behind NAT
    In the 7.2.103.0 release, you can deploy up to 3 OfficeExtend access points (OEAPs) behind a NAT device. You can deploy up to 50 FlexConnect access points (with or without Data DTLS) behind a NAT device.
    Source: http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html
    I'm confused: does it mean I can't have more than 3 OEAP602s deployed at the same remote site (let's say a hotel) with the same public IP back to my OEAP-WLC?

    I know 7.0 MR1 only supports 1. I learned that the hard way doing a meeting at a hotel for our staff.
    One thing we did was hook up a switch to port 4 and do HREAP with 2 other APs. Not ideal, but I like to test limits.
    Sent from Cisco Technical Support iPhone App

  • L2TP VPN for servers behind NAT

    I have two 2012 R2 servers, both behind NAT, which I'm trying to connect via VPN. I have no problem connecting them via PPTP, but when connecting them via L2TP (with a shared key for testing), the dialing server never connects to the other server.
    I assume that the problem is that they're both behind NAT. In Windows Server 2008, you were able to set a registry value to get the L2TP connections to work under NAT, see
    http://support.microsoft.com/kb/926179, by setting the value AssumeUDPEncapsulationContextOnSendRule.
    I tried using this with the two servers, but it didn't seem to help. Is there some other way to get the L2TP connection for the two 2012 R2 servers working behind NAT?

    Hi,
    Thanks for your pointer and sorry for replying so late.
    I am sorry to say that I haven't found any documents confirming whether NAT-T is supported in Windows Server 2012 R2 or not. In addition, VPN servers located behind NAT are not recommended. When a server is behind a network address translator and the server uses NAT-T, unintended behavior might occur because of the way NAT translates network traffic.
    Best regards,
    Susie

  • DMVPN HUB router behind NAT

    We are getting new SIP trunks put in, and in order for the provider to put them in, the provider installed a router to control all web traffic so they can QoS the voice. That means our VPN routers will go behind the NAT barrier. But when I switched the router's interface to the NATted address, the DMVPN tunnels would not build. There is a NAT translation to the routers, so the external (routable) IP did not change. The IPsec tunnels did come up just fine; just the few DMVPN connected tunnels did not.
    If I issue a "sh DMVPN", the Peer NBMA Addr shows up as 0.0.0.0 while the Peer Tunnel Addr is what it should be; also the attrb is "X".
    Tunnel source I have set to the interface, and the key is set to "crypto isakmp key "my key" address 0.0.0.0 0.0.0.0 no-xauth".
    I am at a loss on why this was not working. Keep in mind this is the HUB router and not the spoke.

    Here is some additional info to help
    hub config:
    interface Tunnel0
     bandwidth 512
     ip address "hubtunnelIP" 255.255.255.0
     no ip redirects
     ip nhrp authentication "XXX"
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel protection ipsec profile net1
    crypto isakmp key "My Key" address 0.0.0.0 0.0.0.0 no-xauth
    crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
     mode transport
    crypto ipsec profile net1
     set transform-set "mytransformset"
    Spoke config:
    crypto isakmp key "My Key" address "Remote IP" "remote SM" no-xauth
    crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
     mode tunnel
    crypto ipsec nat-transparency spi-matching
    crypto ipsec profile net1
     set transform-set "mytransformset"
    interface Tunnel0
     bandwidth 512
     ip address "spoketunnelIP" 255.255.255.0
     no ip redirects
     ip nhrp authentication "XXX"
     ip nhrp map multicast "Remote IP"
     ip nhrp map "hubtunnelIP" "Remote IP"
     ip nhrp network-id 1
     ip nhrp nhs "hubtunnelIP"
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel protection ipsec profile net1 shared

  • Private vpn tunnel from behind NAT

    Hello all,
    Our provider suddenly refuses to give us public IP addresses. Instead we get a private one and the provider does NAT.
    The problem is this site has an IPsec tunnel towards a public IP address for connectivity to the main offices; the tunnel also runs BGP as the routing protocol (so dynamic).
    Is there a way to make this work? I guess the client side needs to be forced into always setting up the tunnel, and the tunnel must be kept alive with hello packets or something like that...
    Any link to some good documentation would be appreciated.
    regards,
    Geert

    Trying to establish a VPN tunnel from a Windows VPN client to a WatchGuard Firebox X700 VPN.
    Thanks.

  • IChat behind NAT can't video chat with AOL IM

    I've been trying to get iChat to video chat with AOL IM for a month, with intermittent success. iChat to the Apple test accounts works perfectly, but with AOL IM it always says I didn't respond. I finally used a packet sniffer to debug the protocol communication, and found the problem.
    My problem is that my Mac is behind a NAT firewall. iChat doesn't properly detect my public IP address. When it negotiates the video chat with AOL IM, it gives the local, private IP address, only useful behind the NAT, not the public IP the NAT uses. I can see it right there in the video chat request packet.
    Apparently, when talking iChat to iChat, the programs ignore the IP address given in the negotiation, using the source IP address of the packet instead, which avoids the NAT problem. AOL IM, on the other hand, ignores the source IP of the packet and believes the (incorrect) address in the request. So AOL's attempt to set up a video channel goes off into the weeds. Opening ports is irrelevant.
    The reason it works for me part of the time is that my NAT happens to implement the "DMZ" functionality by giving the computer inside the same IP address as the public IP address. So it works for me if and only if I put my Mac in the DMZ. In that state, iChat gets the right IP, the one addressable from the outside world.
    The NAT firewall that works (provided I put the Mac in the DMZ) is a 2Wire HomePortal 1800. I've also tried with a D-Link DI-524. It doesn't do the IP address trick, so no luck at all with it.
    It would be great if iChat would use a trick like http://checkip.dyndns.org/ to get the real, external, public address of my computer, and use THAT to negotiate the video chat with AOL IM.
    MacBook Pro, Mac OS X (10.4.5)

    Hi Jim,
    On devices that do not have UPnP, then yes, it is either Port Forwarding with all 29 ports if doing Jabber, Bonjour and AIM, or Port Triggering with fewer entries if you have that.
    If you have either UPnP or Port Triggering then you can effectively keep DHCP, as they allow multiple computers, and the entries (or turning it on, in the case of UPnP) do not point to a specific computer.
    Static addresses are best with Port Forwarding, as there is a possibility that the IP address will change with DHCP.
    The pics on this site show only Port Forwarding.
    There are, however, several versions of this router and also variations as to numbers in different countries, so in fact you may have UPnP. Firmware updates from Netgear may also give you UPnP.
    10:12 PM Sunday; April 30, 2006

  • User Initiated Remote Control - Behind NAT

    I must be missing something. I am trying to allow a laptop to request a remote control session when it is disconnected from the network. When I right-click on the remote management agent, the option to request a session is greyed out. Our user and workstation policy allow for the user requested session and the ability to accept connections across NAT/Proxy. Assigning a password to the remote management agent also does not help. Any ideas?

    I keep seeing that if a machine is behind a NAT'd firewall, like home for instance, the user should be able to click on the Remote Management icon and select Request Session. If the machine is on the local network, all RC functions are fine. As soon as it's disconnected and behind a home firewall, or not even that, connected via dial-up to the net, these options go away. I have logged into the middle-tier via these methods and that produces no change in my remote control options.
    The error logs indicate that the workstation is not authenticated, which is obvious, and that neither policy will be active.
    Hope that helps...
    > On Tue, 25 Jan 2005 21:05:57 GMT, [email protected] wrote:
    >
    > > I am try to allow a laptop to request a
    > > remote control session when it is disconnected from the network.
    >
    > so how do you remote control?
    >
    > note: you need middletier installed to allow access from the outside of
    > your network... and IIRC running client32 will not really help in your
    > case...
    > --
    >
    > Marcus Breiden
    >
    > Please change -- to - to mail me.
    > The content of this mail is my private and personal opinion.
    > http://www.edu-magic.net

  • DMVPN and NAT

    Hi All,
    I am trying out a simulation on my own at the moment to figure out if it is possible for a router at a branch office running DMVPN to have a NAT setting such that if anyone accesses this NAT, it will be directed to a server at the HQ office.
    Here is the full picture. I have multiple spokes in my DMVPN design with a single hub. All spokes are able to access each other, so this is a full mesh design. Each router has its own Internet access, so I would have a NAT overload rule. In the real world, two of the spokes (SPOKE A & B) need to route via one of these spokes (SPOKE C) in order to reach the hub because, latency-wise, it is way better than going direct. Now the management wants to build more web services but allow Internet users to access them via one of the remote spokes at SPOKE A & B. Sounds easy if I create a static NAT, but if I create a static NAT rule at one of the remote spokes, the return traffic will be asymmetric. The problem is that every router has its own Internet access; by the time the return traffic heads back, the hub router would have already routed it out via its own Internet because the source IP is public.
    Is there any way that we can configure the NAT rule on the remote spokes so that it will also do a source NAT together with a destination NAT, so that the return traffic will return to where it originated from (the remote spoke which has the static NAT)? Or is there any alternative solution? I don't mind hearing the pros and cons.
    Thanks in advance!
    Sent from Cisco Technical Support iPad App

    Desmond,
    I hope I'm understanding the problem :-)
    Mind that I'm talking about concepts here; I think technically those will work, but it's not something I've tested.
    Re. idea 1)
    When I was suggesting a reverse proxy I was not suggesting WCCP, although it would be cool :-)
    NAT + Squid would be sufficient.
    I.e.
    Say the real server IP is A.
    Squid's private IP address is B.
    Squid's public IP is C.
    What I had in mind is that when connecting on spoke X, everyone would be using the IP address C (from outside/DMVPN).
    That would be statically translated to B.
    Now B would go to A (real or private) to get to the actual content (you can also implement caching on Squid to further optimize the link utilization).
    A replies to B, B replies to whoever contacted them over the Internet (by going out through NAT).
    Re. idea 2
    Switching to NVI NAT could be an idea; you don't have to specify "inside" and "outside".
    Marcin

  • Cisco ASA 5505 IPSEC, one endpoint behind NAT device

    We have two Cisco ASA 5505 devices.
    Both are identical, however, one of them is behind a NAT device.
    We are attempting to create an IPSEC network.
    Site fg:
    <ipsec subnet1> -- ASA 5505 (ASA1) -- <internet>
    ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)
    Site be:
    <ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
    ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
    USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
    USG1: UDP port 500/4500 forwarded to 192.168.4.50
    It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
    Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED
    We verified / attempted the following:
    - NAT exemption on both sides for IPsec subnets
    - Mirror image crypto maps
    - Disabled IKE peer ID validation (yes, pre-shared key, but we ran out of ideas)
    - Toggled between static and dynamic crypto maps on ASA1
    Most search results referred to incorrect settings of the crypto map or the lack of NAT exemption.
    Does anyone have any idea?
    195.txt contains show running-config of ASA3
    212.txt contains show running-config of ASA1
    log.txt contains a fairly complete log snippet of ASA1

    Hi,
    on 212 I see
    tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 195.xxx.xxx.xxx ipsec-attributes
     pre-shared-key
    When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with a matching ACL and proposals.
    If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
    Regards,
    Abaji.

  • H.323 gateway behind NAT

    I configured an H.323 gateway (the gateway is connected to the PSTN through FXO) behind an Internet NAT router and tried to call that gateway from a softphone through the Internet. The dialed PSTN number is ringing but there is no voice in either direction. Please refer to the attached configuration. Is this a problem with NAT translation?
    Thanks in advance!

    Yes, you need a version of IOS that has NAT ALG. What IOS are you running?
    NAT with ALG can translate the embedded addresses in H225/H245.
    Cisco IOS NAT Application Layer Gateways
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801af2b9.shtml
    http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a00807819ce.html
    Please rate helpful posts.
    Dave

  • RV082 - SRP527W - VPN behind NAT not working

    Hello,
    I have really strange behaviors with my routers. We managed to get things running, but once a week the VPN link is down.
    The connection does not restart; both routers show "connected" but are not, and we had to click on "disconnect" to get the link back.
    That was before an update in our infrastructure. Now both routers are behind routers, so both NAT.
    Now the connection works for some time, but once a week the link disconnects and I'm unable to get it back! NOTHING works.
    Last time, I spent 2 hours configuring the link again, setting the same parameters almost 10 times, and suddenly, by magic, the 11th time it worked again. I read that many people have trouble with RVXXX firmware, so I don't know what to think.
    Anyway, my BIG concern now is that the link is down again, and it has been 6 hours and we can't get it back. I restarted the routers many times, I've made some changes in the configuration, but if it worked, why should I modify it?????? Why is it not working anymore?
    The log for the RV082 is almost empty about the link. Here's a snippet:
    Feb 10 19:01:52 2014
    VPN Log
    (g2gips0) #8: initiating Main Mode
    Feb 10 19:01:52 2014
    VPN Log
    (g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
    Feb 10 19:01:52 2014
    VPN Log
    (g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
    Feb 10 19:01:52 2014
    System Log
    gateway_to_gateway.htm is changed.
    Feb 10 19:09:08 2014
    VPN Log
    (g2gips0): deleting connection
    Feb 10 19:09:08 2014
    VPN Log
    (g2gips0) #8: deleting state (STATE_MAIN_I1)
    Feb 10 19:09:08 2014
    VPN Log
    added connection description (g2gips0)
    Feb 10 19:09:08 2014
    VPN Log
    listening for IKE messages
    Feb 10 19:09:08 2014
    VPN Log
    forgetting secrets
    Feb 10 19:09:08 2014
    VPN Log
    loading secrets from '/etc/ipsec.d/ipsec.secrets'
    Feb 10 19:09:09 2014
    System Log
    gateway_to_gateway.htm is changed.
    The log for the SRP527W is full of this :
    Dump pluto log message in syslog : cat /var/log/messages |grep pluto
    Jan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Jan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: STATE_MAIN_R1: sent MR1, expecting MI2
    Jan  1 02:30:09 TLSR0254 authpriv.warn pluto[1156]: "G2" #186: max number of retransmissions (2) reached STATE_MAIN_R1
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: responding to Main Mode
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: STATE_MAIN_R1: sent MR1, expecting MI2
    Jan  1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: pending Quick Mode with 37.1.XXX.XXX "G2" took too long -- replacing phase 1
    Jan  1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: "G2" #189: initiating Main Mode to replace #185
    Jan  1 02:30:49 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: max number of retransmissions (2) reached STATE_MAIN_R1
    Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109
    Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
    Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
    Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: "G2" #190: responding to Main Mode
    Please help me get things sorted. I just don't understand why nothing is written in the log about the SRP trying to make a connection. I also don't understand why the link suddenly breaks and, without changing anything, can't get back to normal!!
    Best Regards
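The SRP527W dump above is easier to read once the run-together entries are split apart and each IKE SA is followed through Main Mode. The script below is an added example, not code from the thread or from Cisco: it recovers the individual syslog entries from a blob whose newlines were lost, records each SA's state transitions, and reports the SAs that hit the retransmit limit while waiting in STATE_MAIN_R1 (MR1 sent, MI2 never received). SAMPLE is built from lines quoted in the post, concatenated without newlines as they appeared in the dump.

```python
"""Split a run-together pluto syslog dump and flag IKE SAs stalled in Main Mode (added example)."""
import re

# Sample built from the thread's own log lines, joined with no newlines as in the post.
SAMPLE = (
    'Jan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1'
    'Jan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: STATE_MAIN_R1: sent MR1, expecting MI2'
    'Jan  1 02:30:09 TLSR0254 authpriv.warn pluto[1156]: "G2" #186: max number of retransmissions (2) reached STATE_MAIN_R1'
    'Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109 '
    'Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: responding to Main Mode'
    'Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1'
    'Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: STATE_MAIN_R1: sent MR1, expecting MI2'
    'Jan  1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: pending Quick Mode with 37.1.XXX.XXX "G2" took too long -- replacing phase 1'
    'Jan  1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: "G2" #189: initiating Main Mode to replace #185'
    'Jan  1 02:30:49 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: max number of retransmissions (2) reached STATE_MAIN_R1'
)

# A new entry begins at a syslog timestamp followed by host, facility tag and "pluto[pid]: ".
ENTRY_START = re.compile(r'(?=[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ \S+ pluto\[\d+\]: )')
ENTRY = re.compile(r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ pluto\[\d+\]: (?P<msg>.*)$')
SA_MSG = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)$')
TRANSITION = re.compile(r'transition from state (\S+) to state (\S+)')
RETX_LIMIT = re.compile(r'max number of retransmissions \((\d+)\) reached (\S+)')


def split_entries(blob: str) -> list:
    """Return [(timestamp, message), ...] from a dump whose newlines were lost."""
    entries = []
    for chunk in ENTRY_START.split(blob):
        m = ENTRY.match(chunk.strip())
        if m:
            entries.append((m.group("ts"), m.group("msg").strip()))
    return entries


def analyse(blob: str) -> dict:
    """Track each IKE SA through Main Mode and record where it gave up."""
    report = {"stalled": [], "responded": 0, "initiated": 0, "nat_t_offers": 0, "states": {}}
    for ts, msg in split_entries(blob):
        if "received Vendor ID payload" in msg and ("RFC 3947" in msg or "nat-t" in msg.lower()):
            report["nat_t_offers"] += 1      # peer advertises NAT traversal (RFC 3947 or drafts)
        sa = SA_MSG.match(msg)
        if not sa:
            continue                         # not an SA-scoped message (vendor IDs, pending QM)
        key = (sa.group("conn"), int(sa.group("sa")))
        text = sa.group("text")
        if text.startswith("responding to Main Mode"):
            report["responded"] += 1
        elif text.startswith("initiating Main Mode"):
            report["initiated"] += 1
        t = TRANSITION.search(text)
        if t:
            report["states"][key] = t.group(2)
        r = RETX_LIMIT.search(text)
        if r:
            report["stalled"].append({"conn": key[0], "sa": key[1], "state": r.group(2), "at": ts})
    return report


def diagnosis(report: dict) -> str:
    """Plain-language reading of the pattern seen in the thread."""
    r1 = [s for s in report["stalled"] if s["state"] == "STATE_MAIN_R1"]
    if r1 and report["responded"]:
        return ("responder reaches STATE_MAIN_R1 (MR1 sent) but MI2 never arrives: "
                f"{len(r1)} SA(s) hit the retransmit limit; NAT-T offered {report['nat_t_offers']} time(s). "
                "The initiator's next Main Mode message is not reaching this unit.")
    return "no Main Mode responder stall detected"


if __name__ == "__main__":
    rep = analyse(SAMPLE)
    for s in rep["stalled"]:
        print(f'{s["at"]}  {s["conn"]} #{s["sa"]} gave up in {s["state"]}')
    print(diagnosis(rep))
```

On the full dump every responder SA (#186, #187, #188) shows the same shape, which is why the SRP side never logs anything past MR1: the exchange stops at the first reply, not at the shared-key or proposal stage.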

    Hi again,
    Samir, I rebooted all the routers dozens of times when that happened, and it didn't change anything. Anyway, I called the Cisco hotline. They could connect by VPN to the RV082, but not the SRP; they didn't know why. Hardware or software failure.
    Anyway, I bought another router.
    Now I would like to use the SRP527W as a WiFi hotspot only. It doesn't work.
    My settings are:
    - Router defined as BRIDGE only (using LAN port 4 as Ethernet WAN)
    - WAN interface is assigned 192.168.0.246/24
    - Gateway for the WAN interface is 192.168.0.254
    - Ethernet cable is plugged from LAN4/WAN to my new modem/router on LAN3.
    - Port LAN2 of the SRP527W is defined with VLAN IP address 192.168.15.254.
    When connected to the SRP527W on LAN2, from my computer (192.168.15.200), I can't ping 192.168.0.246 nor 0.254 (gateway is set to 15.254).
    Still, when connected to the SRP527W and using the Ping Diagnosis interface, pinging "192.168.0.254" shows "timed out".
    I tried almost every configuration; none worked.
    Please note that when connected from my computer directly to my new modem/router on port LAN3, with IP address 192.168.0.200, I can access the Internet and ping everything. When set to DHCP too, I can grab an IP address from my Windows DHCP server.
    So, why is the SRP527W unable to work in this configuration? It seems nothing passes through the WAN port.
    If I'm right, only the WAN port should be plugged into my modem/router. With these settings, one SSID should go directly to the Internet, and the other SSID to my LAN (through the modem/router). However, it doesn't work.
    Could you help me please? Thank you
