RVS4000 -- Fortigate 200A

I'm attempting to set up an IPSEC VPN connection between my RVS4000 at home and my Fortigate 200A at work.  I've verified all Phase 1 and Phase 2 settings and checked to make sure the shared key is identical on both units.  When I try to initiate a connection, the log shows the following:
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: next payload type of ISAKMP Hash Payload has an unknown value: 172
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: malformed payload in packet
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: sending notification PAYLOAD_MALFORMED to {REMOTE_IPADDRESS}:500
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [RFC 3947] method set to=109
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [Dead Peer Detection]
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: Aggressive mode peer ID is ID_IPV4_ADDR: {REMOTE_IPADDRESS}'
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: responding to Aggressive Mode, state #62, connection "Fortigate" from {REMOTE_IPADDRESS}
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: STATE_AGGR_R1: sent AR1, expecting AI2
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: packet rejected: should have been encrypted
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: sending notification INVALID_FLAGS to {REMOTE_IPADDRESS}:500
Feb 25 10:50:55 - [VPN Log]: "Fortigate" #63: initiating Aggressive Mode #63, connection "Fortigate"
Feb 25 10:50:56 - [VPN Log]: "Fortigate" #63: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Feb 25 10:50:56 - [VPN Log]: "Fortigate" #63: sending notification INVALID_PAYLOAD_TYPE to {REMOTE_IPADDRESS}:500
Feb 25 10:50:58 - [VPN Log]: "Fortigate" #63: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Feb 25 10:50:58 - [VPN Log]: "Fortigate" #63: sending notification INVALID_PAYLOAD_TYPE to {REMOTE_IPADDRESS}:500
No connection is ever made.  Does anyone know what I should be looking at to fix this???

Hello,
I am not sure of what the problem is, however there are several messages below for why a packet or communication is denied. "packet should be encrypted, message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level, etc ..."
It looks like something in the config parameters is not matching.
Does Fortigate have any literature for how you can connect different vendor's VPN?  Is there a 'standardized' method for connecting multiple vendors with the Fortigate?
Perhaps someone much smarter than me on this community has some additional suggestions, however I would suggest checking with Fortigate and seeing if they have a config guide that explains how to connect to 3rd party vendors and which settings will be standard and accepted.
Also, you may consider posting your config here.  Just be sure to remove any information that is sensitive and you don't want to be shared.
HTH,
Andrew Lissitz
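The log lines from the question above, run through a small triage parser. This is an added example, not code from the thread or from Cisco or Fortinet; the field names and the wording of the findings are my own. It pulls out the exchange mode and peer ID type, the NAT-T vendor IDs and the method the router settled on, the furthest ISAKMP state reached and every error notification the router sent, which is the set of facts to line up against the Fortigate's own IKE debug output when looking for the setting the two ends disagree on.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# The log lines quoted in the question ({REMOTE_IPADDRESS} is the poster's own redaction).
SAMPLE_LOG = """\
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: next payload type of ISAKMP Hash Payload has an unknown value: 172
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: malformed payload in packet
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: sending notification PAYLOAD_MALFORMED to {REMOTE_IPADDRESS}:500
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [RFC 3947] method set to=109
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [Dead Peer Detection]
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: Aggressive mode peer ID is ID_IPV4_ADDR: {REMOTE_IPADDRESS}'
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: responding to Aggressive Mode, state #62, connection "Fortigate" from {REMOTE_IPADDRESS}
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: STATE_AGGR_R1: sent AR1, expecting AI2
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: packet rejected: should have been encrypted
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: sending notification INVALID_FLAGS to {REMOTE_IPADDRESS}:500
Feb 25 10:50:55 - [VPN Log]: "Fortigate" #63: initiating Aggressive Mode #63, connection "Fortigate"
Feb 25 10:50:56 - [VPN Log]: "Fortigate" #63: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Feb 25 10:50:56 - [VPN Log]: "Fortigate" #63: sending notification INVALID_PAYLOAD_TYPE to {REMOTE_IPADDRESS}:500
Feb 25 10:50:58 - [VPN Log]: "Fortigate" #63: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Feb 25 10:50:58 - [VPN Log]: "Fortigate" #63: sending notification INVALID_PAYLOAD_TYPE to {REMOTE_IPADDRESS}:500
"""

NOTIFY_RE = re.compile(r"sending notification (\S+) to")
VID_RE = re.compile(r"received Vendor ID payload \[([^\]]+)\](?:.*?(?:method set to|meth)=(\d+))?")
UNKNOWN_VID_RE = re.compile(r"ignoring unknown Vendor ID payload \[([0-9a-f]+)\]")
STATE_RE = re.compile(r"transition from state (\S+) to state (\S+)")
MODE_RE = re.compile(r"(Aggressive|Main) [Mm]ode")
PEER_ID_RE = re.compile(r"peer ID is (ID_\w+)")
BAD_PAYLOAD_RE = re.compile(r"unexpected payload type \((\S+)\)")
BAD_NEXT_RE = re.compile(r"next payload type of (.+?) has an unknown value: (\d+)")

@dataclass
class IkeTriage:
    mode: Optional[str] = None               # Main or Aggressive
    peer_id_type: Optional[str] = None       # e.g. ID_IPV4_ADDR
    nat_t_method: Optional[int] = None       # NAT-T variant the router settled on
    nat_t_vid: Optional[str] = None          # vendor ID that selected it
    offered_vids: list = field(default_factory=list)   # (name, method) the peer advertised
    unknown_vids: list = field(default_factory=list)   # raw hashes the router did not know
    states: list = field(default_factory=list)         # (from, to) ISAKMP state transitions
    notifications: Counter = field(default_factory=Counter)  # error notifications sent
    bad_payloads: set = field(default_factory=set)     # payload types rejected outright
    bad_next: list = field(default_factory=list)       # (payload, bogus next-payload value)

def triage(log_text: str) -> IkeTriage:
    t = IkeTriage()
    for line in log_text.splitlines():
        if m := MODE_RE.search(line):
            t.mode = m.group(1)
        if m := PEER_ID_RE.search(line):
            t.peer_id_type = m.group(1)
        if m := VID_RE.search(line):
            name, meth = m.group(1), m.group(2)
            t.offered_vids.append((name, int(meth) if meth else None))
            if "method set to" in line:          # this VID is the one that won
                t.nat_t_vid, t.nat_t_method = name, int(meth)
        if m := UNKNOWN_VID_RE.search(line):
            t.unknown_vids.append(m.group(1))
        if m := STATE_RE.search(line):
            t.states.append((m.group(1), m.group(2)))
        if m := NOTIFY_RE.search(line):
            t.notifications[m.group(1)] += 1
        if m := BAD_PAYLOAD_RE.search(line):
            t.bad_payloads.add(m.group(1))
        if m := BAD_NEXT_RE.search(line):
            t.bad_next.append((m.group(1), int(m.group(2))))
    return t

def findings(t: IkeTriage) -> list:
    """Turn the collected facts into the checks worth making against the peer's configuration."""
    out = [f"exchange: {t.mode} Mode, peer ID type {t.peer_id_type}, furthest state {t.states[-1][1] if t.states else 'none'}"]
    if t.nat_t_method is not None:
        ignored = [n for n, meth in t.offered_vids if meth is not None and n != t.nat_t_vid]
        out.append(f"NAT-T method {t.nat_t_method} chosen via [{t.nat_t_vid}]; {len(ignored)} older draft VIDs ignored")
    out.append(f"{len(t.unknown_vids)} vendor IDs not recognised by this router (harmless on their own)")
    for payload in sorted(t.bad_payloads):
        out.append(f"{payload} rejected at the outermost level: compare NAT traversal settings on both peers")
    for payload, value in t.bad_next:
        out.append(f"next-payload value {value} after {payload} is not valid: packet malformed or parsed out of order")
    if "INVALID_FLAGS" in t.notifications:
        out.append("peer sent a cleartext message where the router expected an encrypted one")
    out.append("notifications sent: " + ", ".join(f"{k} x{v}" for k, v in sorted(t.notifications.items())))
    return out

if __name__ == "__main__":
    print("\n".join(f"- {f}" for f in findings(triage(SAMPLE_LOG))))
```

Run the same parser over the Fortigate's IKE log for the same minute and diff the two summaries; a difference in the NAT-T method or the payload each side rejects points at the setting to change.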

Similar Messages

  • Cisco jabber for mac over fortigate vpn problem

    Hi all,
    We have installed the Cisco Jabber for Mac successfully. The Jabber client is able to register locally successfully.
    Calling and other features are working properly. Jabber IM is also working fine.
    But when we try over VPN it shows the error "services are missing". All the ports are open on the Fortigate firewall.

    If you have detailed diagnostics from the Jabber Mac client, this would provide some more context to why it's displaying those errors.  (Help > Detailed Logging enabled) (Help > Report a problem)
    Another thing to check for would be DNS resolution of the configured servers when the Mac is VPN'd in.  If Jabber cannot resolve the DNS name, it will not know where to connect to.
    If the diagnostics are pointing towards a connectivity problem, but the firewall says it's wide open, then taking a packet capture on the Mac where Jabber is trying to register may illustrate what's going on at the network layer.

  • Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505

    Problem : Unable to access user A to user B
    User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} )  --- User B
    After using wizard to configure the cisco ASA site to site VPN, the site-to-site tunnel is up.
    Ping is unsuccessful from user A to user B
    Ping is successful from user B to user A, data is accessible
    After running packet tracer from user A to user B,
    Result :
    Flow-lookup
    Action : allow
    Info: Found no matching flow, creating a new flow
    Route-lookup
    Action : allow
    Info : 192.168.5.203 255.255.255.255 identity
    Access-list
    Action : drop
    Config Implicit Rule
    Result - The packet is dropped
    Input Interface : inside
    Output Interface : NP Identify Ifc
    Info: (acl-drop)flow is denied by configured rule
    Below is Cisco ASA 5505's show running-config
    ASA Version 8.2(1)
    hostname Asite
    domain-name ssms1.com
    enable password ZZZZ encrypted
    passwd WWWW encrypted
    names
    name 82 B-firewall description Singapore office firewall
    name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP
    name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)
    name 192.168.2.0 fw-inside-subnet description A office internal LAN IP
    name 122 A-forti
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.5.203 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 93 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name ssms1.com
    object-group network obj_any
    network-object 0.0.0.0 0.0.0.0
    access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240
    access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
    access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
    access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0
    access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 81 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http B-inside-subnet 255.255.255.0 inside
    http fw-inside-subnet 255.255.255.0 inside
    http 0.0.0.0 255.255.255.255 outside
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer A-forti
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address outside_cryptomap
    crypto map outside_map 2 set peer B-firewall
    crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption aes-192
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.5.10-192.168.5.20 inside
    dhcpd dns 165 165 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    username admin password XXX encrypted privilege 15
    tunnel-group 122 type ipsec-l2l
    tunnel-group 122 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    class-map outside-class
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
      message-length maximum client auto
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    policy-map outside-policy
    description ok
    class outside-class
      inspect dns
      inspect esmtp
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect icmp
      inspect icmp error
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
    service-policy global_policy global
    service-policy outside-policy interface outside
    prompt hostname context
    Cryptochecksum: XXX
    : end
    Kindly need your expertise & help to solve the problem

    Can anyone help me?

  • How-do-i-configure-guest-wifi-access-using-2504-wlc-fortigate-utm-l3-device

    Dear All
    I have a 2504 Wireless Controller with multiple radios attached. I currently have a "private" WLAN configured (taking ip from windows server based DHCP of Range 192.1681.0/24 ) and working, but I need to add a Guest/Public WLAN which should take the IP from Other DHCP Configured on Fortigate UTM of range 172.16.0.0/24.
    We have one SG300 switch in the office and the rest are basic switches.
    Our firewall/router is a Fortigate UTM 240D
    Find the attached network diagram for the issue.
    Is there a SIMPLE way to enable guest access that doesn't require VLANs (or are VLANs easier than I'm making them)?
    Thanks.

    Complete these steps in order to configure the devices for this network setup:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html
    Configure Dynamic Interfaces on the WLC for the Guest and Internal Users
    Create WLANs for the Guest and Internal Users
    Configure the Layer 2 Switch Port that Connects to the WLC as Trunk Port

  • ISAKMP Phase 1 dying for Site to Site tunnel between ASA and Fortigate

    I am facing a strange issue on my ASA and client Fortigate FW.
    We have a site-to-site tunnel with 3DES, SHA and DH-5 on the ASA,
    3DES, SHA1 and DH-5 on the Fortigate.
    The tunnel came up when configured; after some time it went down and it is throwing the errors below. Please,
    someone help me here.
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing ISAKMP SA payload
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
    Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
    Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ke payload
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ISA_KE payload
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing nonce payload
    Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, Unable to compute DH pair while processing SA!<<<<---------Please suggest if DH group 5 does not work with PSK.
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xcf9255d8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GEN_DH_KEY-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:5f1fdffc terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
    Mum-PRI-ASA#

    Hey All,
    I experienced the same issue with another of my tunnels. Later I came to know it was a higher level of DH computation which my ASA was not able to perform, and an ASA reboot worked here. See the logs for the tunnel which came up after the reboot.
    Error before reload
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ISAKMP SA payload
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Fragmentation VID + extended capabilities payload
    Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 416
    Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
    Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, Unable to compute DH pair while processing SA!
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd0778588)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG3, EV_GEN_DH_KEY-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE SA MM:64cf4b96 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, sending delete/delete with reason message
    ISAKMP phase completion after reload
    Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
    Aug 25 10:40:35 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Aug 25 10:40:35 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
    SENDING PACKET to xx.xx.xx.xx

  • How to set the default route on a RVS4000 to point to a gateway in the LAN

    Hi
    The dialog in the RVS4000 for static routes does not allow setting the default route to point to a gateway in the LAN. Clearly this is either a bug or a feature of the web interface and not a restriction of the box, which runs some kind of Linux. So my question is: is there a way around this problem rather than defining routes to n class A networks to cover the internet? Like terminal access to set the default route?
    Thanks and cheers
    Frank

    Hi David
    Thanks for your reply. I did already the first part and it seems that I presumed wrongly that the RVS4000 can be used as a layer 3 switch; instead it is only a 1-port gateway. Not that there is a technical limitation from the hardware or the OS of the box. It does layer 3 routing, e.g. for its VLANs. The only point to stop it from having the capability which I expect from something called a router is to set its default route to the right gateway independent of which port might be connected. The reason why I want a LAN port pointing to the gateway and do not use the WAN port without firewall is of course the VLAN capability of the LAN ports. The idea of the RVS is to bundle two nets, including the one where the gateway is on, and send it to a WAP4410N box, which nicely makes them wireless with different SSIDs. Actually I have two ports connected to the core network; if I am forced to have only the WAN port connected to the core, due to this artificial limitation, I would have to reconfigure a bit. Therefore I try to find an easier solution setting the route by "hand".
    Cheers Frank

  • Rvs4000 ip port forwarding

    Hi,
    i have a little problem with the configuration of my rvs 4000 router;
    1 - I have purchased 8 static ip address with my adsl contract, from 213.136.137.234 to 213.136.137.241
    2 - wan settings of my rvs4000 are like below:
    Connection Type:
    Static IP
    Interface:
    Up
    IP Address:
    213.136.137.234
    Subnet Mask:
    255.255.255.248
    Default Gateway:
    213.136.137.233
    DNS1:
    62.94.0.41
    DNS2:
    62.94.0.42
    3 - now my problem: I have already configured several port forwardings using the "single port forwarding" function of my router, but with this method I can only forward internet requests arriving at 213.136.137.234. How can I do port forwarding for my other IP addresses?
    Thank you

    With this router, you will not be able to port forward to those public ip addresses.  This router does not support that function.  What you would need is one of our rv series routers, like the rv042, rv082, or the rv016.  With these devices you can do what is called one to one nat  and reference a public address to a private address behind the firewall.  The rvs4000 router does not have that function.

  • RVS4000 problem with QOS

    Hello.
    I have problem with bandwidth management on my RVS4000.
    This is how I did it:
    All traffic (TCP & UDP on all ports)
    IP range 192.168.0.2 - 192.168.0.2 (My IP address)
    Guaranteed download speed 1kbps
    Maximum download speed 5000kbps
    After saving the settings and rebooting the router
    I have a maximum download speed on my PC of 12000kbps
    Please help me to solve this problem.
    Why doesn't QoS work?
    By the way, sorry for my English, I do not use this language very often.
    Looking forward to some advice.

    Jaroslaw,
    Please call into Cisco Small Business Support Center and speak with next available engineer (Support Numbers)
    Jasbryan

  • RVS4000 - QuickVPN on Windows 7

    I have searched on and off for 2 days to fix this problem, with no luck....so here goes:
    I have an RVS4000 installed and have VPN setup and running.
    From one office I am able to connect using QuickVPN 1.4.1.2 from a Windows XP machine, but I can't connect from a Windows 7 machine at the same location.  It gets to "Verifying Network" and hangs every time.
    I've tried with and without Windows Firewall enabled, with the same results.
    I've made rules in Windows Firewall for the program, and ports TCP 443, 60443 and UDP 500, 4500.  I've also enabled ICMP.
    I've uninstalled / reinstalled and tried running in compatibility mode, with the same results.
    I need to get this to work for when I travel.....any ideas?

    A call to support will likely have to be my next step, but looking at the amount of questions on this around the internet....with no real answers....I would think it would be in Cisco's interest to get this information out for people to find and quickly resolve.
    Also....I'm running no third-party firewalls / security on my machine.

  • SG300 and RVS4000 DHCP problems

    We recently deployed SG300-28 to replace an old 3Com switch.
    The setup:
    RVS4000 router and all workstations and server are plugged into the SG300 switch.
    The problem:
    Windows 7 workstations are unable to obtain IP addresses from the server which is also plugged into the switch.
    If however, we plug the workstations into the 4 port switch on the back of the RVS4000 (the router), they get IPs from the server no problem.
    This worked just fine with the old 3Com switch so we filed it under the Small Business Switches category.
    Any comments/tips appreciated! Thanks in advance!
    Pavol

    Pavol,
    Please make sure the SG300 switch is running latest firmware 1.1.2.0 , also this is new code so please factory reset the switch after the upgrade. If you need assistance in upgrading please call Cisco Small Business Support Center @ 1-866-606-1866
    After the upgrade please repost how these devices are connected and the configuration of your RVS4000 & SG300 series switch. Are you using RVS4000 for your DHCP server?
    Also make sure your RVS4000 is running latest firmware as well.
    Jasbryan

  • Will this work? (RVS4000 config)

    I have not worked with the lower end routers, so I am working on a hunch.  I have a dlink wireless router handing out addresses through dhcp for public access.  I also have my private network on a switch with a server handing out addresses.  I would like to connect both of these through the RVS4000 but keep them segregated.  If I VLAN the two ports on the switch side of the RVS4000 but do not enable inter-VLAN routing, will this router act as the gateway for both of those subnets?  The wireless router is not capable of tagging the traffic as part of a VLAN.  I can set VLANs on the switch and trunk it to the router, if this router can handle that.  Your thoughts would be appreciated.  If you have better ideas, I would welcome the suggestions.  I have not purchased this router; I am in the design phase.  Budget is an issue.

    Darren, RVS4000 should work well in your scenario.

  • Configure RVS4000 Behind 2700-Gateway Qwest DSL Router VPN

    I have my QWEST DSL Router 2700-Gateway using a static public IP address
    This is setup to be the DHCP and assigned 192.168.0.2-50
    I need some help on how to connect my RVS4000 and utilize VPN so I can connect to my work network from home. The 2700-Gateway has some features like Transparent Bridging, etc, but I'm not sure how to make this work. Can anyone point me to an article, even if it's configuring with another DSL Router?
    Here is how I tried with my medium knowledge of networking...
    I have configured the RVS4000 as:
    LAN Static IP
    192.168.0.115
    Configured as DHCP Relay
    the 2700-Gateway router saw the device so:
    Configured firewall on 2700-Gateway for PORT FORWARDING:
    TCP port 1723 for PPTP tunnel maintenance traffic
    UDP port 47 Generic Routing Encapsulation (GRE)
    UDP port 500 for Internet Key Exchange (IKE) traffic
    UDP port 1701 for L2TP traffic
    --> 192.168.0.115
    This did not work.

    gv,
    Thanks for your help. I discovered that EasyVPN works quite differently than I expected IPSec to work. Thanks for the suggestions. I documented my findings and procedure below.
    The answer was to use the transparent bridging setting on my DSL modem model 2Wire GATEWAYHG-2700 and turn off Search PVC, then set up PPPoE on the RVS4000 VPN router to accept and authenticate my public IP address.
    Once I had the modem and router configured, I then had my RVS4000 VPN router ready to test VPN client. The documentation is vague. But after doing some research on here and having some difficulty:
    My Finding:
    I already had latest Firmware 1.109 from purchase
    On the client, I discovered from reading that EasyVPN uses 443. Well, I have this forwarding to an Exchange server to utilize RPC/HTTPS with Outlook. It turns out that this was fixed with the latest firmware.
    The new firmware allows this, as they fixed the vpn listening port override to port 60443..
    I port forwarded this to my router gateway 192.168.1.1
    In order to use this port, you must have the latest client from the downloads at RVS4000 version 1.10, which adds a drop box Auto/443/60433. I found auto and 60443 to work with my configuration.
    This configuration let me connect successfully.
    If you read the readme that's included with the EasyVPN client download, you have to export the client cert under VPN, and copy the file *.pem to the root folder of the vpn client.exe stated in readme to get rid of the security popup. This worked for me.
    So everything seems to be connecting.. But now I get the "The remote gateway is not responding" popup.  I tried the suggested MTU setting with no luck.
    After establishing a network share under map drive, this seems to have stop responding as well once this popup occurs.
    Things like this should just not be so hard..
    So I found this post in regards to my problem and am hoping to hear if anyone else has found a solution or workaround here. Good night, some things are just not worth staying up late for,
    http://forums.linksys.com/linksys/board/message?board.id=Wired_Routers&message.id=13651#M13651

  • Install RVS4000 with DSL modem / router combo?

    I'm trying to install a RVS4000 VPN router in our small office.  My problem is that AT&T has installed a Netopia 3347-02 DSL combination Modem / router.  So I can't connect the RVS4000 directly to a dsl modem, the only access I have is on the Lan side of the Netopia.  When I tried to set the WAN side of the RVS4000 to the same subnet as our Lan, it wouldn't let me do that.  I tried setting the Lan side of the Netopia and the Wan side of the RVS4000 to (the same) slightly different subnet, but that didn't work either.  The only way I can get internet access going through both devices is to connect the Lan side of the Netopia to the Lan side of the RVS4000, but that bypasses the VPN, correct?  The reason I bought the RVS4000 is for the VPN.  Is there a way to configure the RVS4000 in this situation, or do I need to get a plain old DSL modem without a built in router?
    Thanks, Scott

    Scott,
    You should not need to get another device to use the VPN functions of the RVS4000.  To setup the equipment you have, you just need to place the Netopia DSL router into "bridge" mode.  This will then allow you to connect the DSL router to WAN (internet) port on your RVS4000.  Once in bridge mode, your WAN port on the RVS4000 will receive its IP address from AT&T, which will then take over all routing functions, and enable you to use the VPN feature of this router.
    If your DSL provider is using PPPoE, you will need to select "PPPoE" on the WAN setup page of the RVS4000, then enter the username and password into the RVS4000 so that it can authenticate and get an IP address from AT&T.
    To place the Netopia DSL router into "bridge" mode, I am including a link to one of their user guides.  The section for placing it in bridge mode starts on page 107.
    http://www.netopia.com/support/hardware/SoftwareUserGuideV761-Clsc.pdf
    Thank you,
    Darren

  • How do I set up the port interface for the WAN side of my RVS4000 to 100T Full Duplex?

    How do I set up the port interface for the WAN side of my RVS4000? The ISP says I need to set it to 100T Full Duplex, but where would I do that? In the Router's administration GUI I can't find any options to make such settings for the WAN side.

    The setup of the folders in Finder is entirely up to you. Whatever suits your needs is what you should do. Lightroom will be fine no matter how you set it up.
    So I'm not really sure what your question is.

  • How to setup an IPSec VPN Tunnel Cisco 2320 Vs RVS4000

    Hello all.
    This forum has always helped me in all my investigations about VPN and now I'm gonna help everyone with this post.
    I have successfully configured an IPSec VPN Tunnel using a Router Scientific Atlanta Cisco 2320 and a RVS4000 4-Port Gigabit Security Router with VPN.
    On the site of Router Scientific Atlanta Cisco 2320 this is some info:
    WAN IP: A.A.A.A
    Router Local IP: 192.168.5.1
    Subnet: 192.168.5.X
    Subnet Mask: 255.255.255.0
    On the site of RVS4000 4-Port Gigabit Security Router with  VPN this is some info:
    WAN IP: B.B.B.B
    Router Local IP: 192.168.0.10
    Subnet: 192.168.0.X
    Subnet Mask: 255.255.255.0
    Remember that you can not be on the same range of IP, I mean, you can not have 192.168.0.X if the remote network is on 192.168.0.X, you have to change some of the Routers.
    I show the configuration on Router Scientific Atlanta Cisco 2320:
    I show the configuration on RVS4000 4-Port Gigabit Security Router with  VPN:
    If all is correctly configured, you should see on Router Scientific Atlanta Cisco 2320 the Status Connected:
    If all is correctly configured, you should see on RVS4000 4-Port Gigabit Security Router with  VPN the Status Up:
    As you can see, I'm connected to the remote Router (RVS4000 4-Port Gigabit Security Router with VPN) by my own web browser, accessing by the local IP 192.168.0.10
    I have used Authentication MD5, maybe it is not the best one but I had no time to test SHA1, I will when I have time.
    I wish that this help to anyone that need to do this.
    Best regards!

    Hey,
    Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
    Regards,
    Prapanch
