dwills8
join:2002-12-18
Virginia Beach, VA

dwills8

Member

[VPN] ERROR: This tunnel should not be initiator BEFVP41

Hi. I am new to the group and to VPNs. I am looking to test a configuration by running a VPN from my home to my office. If it works, I will install this type of connection in all of our retail stores for our POS system.

I purchased 2 Linksys BEFVP41's and have them configured (I believe) correctly. On my home system, when I press the connect button, the system pauses for a few seconds and then returns, with the status message still reading DISCONNECTED. I check the log and I am getting the message: IKE[1] ERROR: This tunnel should not be initiator !

Can anyone help me understand what I need to check on to fix this problem? I went to the Linksys web site and checked the knowledge base, but this message doesn't appear in any of my searches.

Thanks in advance.

Doug
news4u
join:2002-10-23
Cerritos, CA

news4u

Member

Is the remote secure gateway set to any? If so, try keying in the IP instead of any. The message means there is no one to connect to. The router has to know where to go (IP or FQDN).
dwills8
join:2002-12-18
Virginia Beach, VA

dwills8

Member

Are you referring to the REMOTE SECURITY GATEWAY on the local Linksys? Or the way the gateway is configured on the Corporate end? My local REMOTE SECURITY GATEWAY is set to IP Addr. - 216.9.XXX.XXX which is the IP address of my corporate end of things.

WhyNotTry
join:2002-09-15
Rancho Santa Margarita, CA

WhyNotTry to dwills8

Member

Need more info on your settings? Especially remote secure gateways. If you have your router set to any then it cannot initiate the tunnel as it doesn't know where to go. In that case you would simply hit connect on the router on the other side first.
dwills8
join:2002-12-18
Virginia Beach, VA

dwills8

Member

My system settings at home:

Computer IP Address: 192.168.14.100
Linksys IP Address: 192.168.14.254
Local Secure Group: 192.168.14.0
Mask: 255.255.255.0
Remote Secure Group: Any
Remote Security Gateway: 216.9.XXX.XXX (IP Address of remote [corporate] site. IPSec configured to passthru to the Linksys unit by ISP.)

Key Management: Auto (IKE)
Preshared key file: ZZZZZZZZZZZ

My system settings at office:

Static IP Address issued by ISP: 216.9.XXX.XXX
Computer IP Address: 192.168.15.9 - 192.168.15.36
Linksys IP Address: 192.168.15.7
Local Secure Group: 192.168.15.0
Mask: 255.255.255.0
Remote Secure Group: Any
Remote Security Gateway: Any (Have also tried as IP address issued via DHCP on cable modem at home)

Key Management: Auto (IKE)
Preshared key file: ZZZZZZZZZZZ

Encryption and Authentication match at both ends.

My home Linksys unit recognizes the DHCP address issued (it shows under the status screen.) I can surf the web and access all normal internet functions (http, telnet, pop3, etc.) I can ping the corporate IP address and it responds. Although when I set it up for our office on a permanent basis, for this test I am only interested in establishing the VPN while originating from my home. My goal is to VPN into the corporate LAN and telnet into a server we have there that runs our POS system. Once I do that, I can run some tests to see if this is what I want to deploy in our stores.

Help, as always, is greatly appreciated.

-Doug
FF6
join:2002-03-11
Laguna Niguel, CA

FF6

Member

Your Home Tunnel cannot be the initiator.

I forget if this works but, try pinging your WAN IP of your office from your Home side and see if it becomes connected.
dwills8
join:2002-12-18
Virginia Beach, VA

dwills8

Member

You may be right about my home tunnel not being able to be the initiator, but why is this? Eventually, I want both ends to be able to initiate the tunnel as needed (sometimes I will be at corporate and need to connect to the store LAN, but most of the time, they will need to connect to the corporate LAN to access the POS system.)

If both ends are set up to accept incoming requests from the remote gateway, why the restriction from the home side? What if I establish the connection from the corporate side, and then reboot my home PC? I will have lost the connection, with no way to re-establish it from home.

I can ping the IP address of the corporate end just fine, but I don't have access to anything past that. I will try to connect to my home computer from work when I go in today, but that severely limits my functionality of the VPN. If I am at home, and need to connect to the corporate LAN on a Saturday, no one will be in the office to initiate the connection. And if I have to go in to initiate the connection, then I don't need the VPN because I will just do all of my work in my office.

Seems to me that I either don't understand how VPNs are supposed to work (a distinct possibility), or I simply have something set up wrong.

Thanks for your help.

-Doug
dwills8

dwills8

Member

OK, now I am really confused. I get into work this morning, I try to connect to my home VPN Router and I get the same error on the corporate side router - ERROR: This tunnel should not be initiator. So it seems that somehow I have set up a VPN that cannot be initiated from either end. Oh well!

Any other ideas?
FF6
join:2002-03-11
Laguna Niguel, CA

FF6

Member

Try this.

From your home side, ping -t the other router. Its LAN IP.

This should "connect" the tunnel.

LinkTech
Former Linksys Tech
join:2002-07-02
Mission Viejo, CA

LinkTech to dwills8

Member

At home configure your remote secure group, and at the office you have to configure the remote secure gateway and group if you want to be able to initiate from either end. With any of the remote information set to any, you can't initiate the tunnel from that end.
dwills8
join:2002-12-18
Virginia Beach, VA

dwills8

Member

OK, so I got more specific with my settings. Everything seems to now be set up as suggested and I am now seeing a change in my logs.

I now see an IKE[1] Tx >> MM_I1 with the remote (corporate) gateway IP address, and then an RX from the corporate IP address followed by another TX.

These are followed by 2 IKE[1] ISAKMP messages. Based on this, it appears that I am communicating with the Linksys device on the other end (Is this correct?), however, on my VPN screen it still indicates DISCONNECTED.

I am sure that I am doing something wrong, but I don't know what to do next. Any ideas?

Thanks

Doug

Actually, upon re-review, it turns out that the different messages may have come from just before I left work and I tried to connect from there to my home connection. Every time I try to connect I get:
2002-12-19 17:45:37 IKE[1] Tx >> MM_I1 : 216.9.XXX.XXX SA
where the 216.9.xxx.xxx is my corporate gateway ip address.
[text was edited by author 2002-12-19 17:50:11]
HermanSwartz
join:2002-03-30
Irwin, PA

HermanSwartz

Member

If the VPN software on both ends of the tunnel is compatible this is easy to set up. Just a quick review:

Corporate side:
VPN gateway: set to your Linksys WAN IP
Local network: 10.0.0.0 255.0.0.0 (assuming your company uses the whole class A network)
Remote network: 192.168.1.0 255.255.255.0

Linksys side:
VPN gateway: set to your corporate VPN device's public Internet IP
Local network: 192.168.1.0 255.255.255.0 (your home network)
Remote network: 10.0.0.0 255.0.0.0

Pick the same encryption type on both ends like: 3DES
Pick the same Hash algorithm on both ends like: SHA
Phase one key lifetime 57600
Phase two key lifetime 28800
Group 1024

The settings must be defined the same on both ends. Tell your corporate administrator what your settings are.
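
The rules given in the replies above (no initiating from an end that has Any in its remote settings; each side's remote values must mirror the other side's local values; matching encryption, hash and key) can be checked mechanically. The following is an added example, not part of the thread and not Linksys code: the dictionary layout, the `audit` helper, the documentation-range WAN addresses and the `example-psk` value are all assumptions made for illustration.

```python
import ipaddress

ANY = "any"  # wildcard value offered by the router's VPN page

def can_initiate(cfg):
    """Thread's rule: Any in either remote field means this end cannot initiate."""
    return ANY not in (cfg["remote_group"].lower(), cfg["remote_gateway"].lower())

def audit(a, b):
    """Return findings for a gateway-to-gateway tunnel between endpoints a and b."""
    findings = []
    for side, peer in ((a, b), (b, a)):
        if not can_initiate(side):
            findings.append(f"{side['name']}: cannot initiate, remote group/gateway is Any")
        if side["remote_group"].lower() != ANY:
            want = ipaddress.ip_network(peer["local_group"])
            if ipaddress.ip_network(side["remote_group"]) != want:
                findings.append(f"{side['name']}: remote group must be {want}")
        gw = side["remote_gateway"]
        if gw.lower() != ANY and gw != peer["wan_ip"]:
            findings.append(f"{side['name']}: remote gateway must be {peer['wan_ip']}")
    for key in ("encryption", "hash", "psk"):
        if a[key] != b[key]:
            findings.append(f"{key} differs between {a['name']} and {b['name']}")
    return findings

# Constructed sample data modelled on the settings posted in the thread.
# WAN addresses are documentation-range placeholders, not the real ones.
COMMON = {"encryption": "3DES", "hash": "SHA", "psk": "example-psk"}
HOME = {"name": "home", "wan_ip": "198.51.100.20",
        "local_group": "192.168.14.0/24",
        "remote_group": "Any", "remote_gateway": "203.0.113.10", **COMMON}
OFFICE = {"name": "office", "wan_ip": "203.0.113.10",
          "local_group": "192.168.15.0/24",
          "remote_group": "Any", "remote_gateway": "Any", **COMMON}
# Same endpoints with every remote field made specific.
HOME_FIXED = {**HOME, "remote_group": "192.168.15.0/24"}
OFFICE_FIXED = {**OFFICE, "remote_group": "192.168.14.0/24",
                "remote_gateway": "198.51.100.20"}

if __name__ == "__main__":
    for label, pair in (("as posted", (HOME, OFFICE)),
                        ("specific", (HOME_FIXED, OFFICE_FIXED))):
        print(label, audit(*pair) or "no findings")
```

With the settings as originally posted, both ends are flagged as unable to initiate, which matches the error seen from home and from the office.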