We are currently using a RV345 router for our small business network. The router has a client to site VPN set up that developers use to remote into the office network. We also have a site to site tunnel set up to reach out to a partner organisation. The problem I'm having is getting traffic from the client to site VPN through to the site to site VPN.
The client to site has users on the 192.168.138.0/24 range (A).
The site to site allows traffic from 192.168.0.0/16 to 172.18.231.0/24 (B).
Both VPNs work independently but I can't seem to get traffic to go from site A to site B. I have looked at others with a similar problem, but they are advised to run commands on the router; the problem I have is that, as far as I can see, the RV345 doesn't allow CLI access.
Apologies to ask but could somebody provide some guidance on how I could get the traffic from site A routed to site B through the web interface?
I do not have experience with the RV345. But looking at the documentation it seems fairly straightforward. You are assigning 192.168.138.0/24 to your VPN users. Can you tell us what subnet(s) are used for local connections on the RV345?
I did not see anything in the document that I looked at for the client vpn for RV345 that talked about split tunneling or tunnel all for the client vpn. Can you tell me when developers connect to the client vpn does all of their traffic come to the RV345 or is it just traffic for certain subnets (split tunneling)?
I did not see anything in the documentation for client vpn on RV345 that talks about DNS. What are the developers using for DNS when they connect to the client vpn? Is it possible that their DNS is not resolving addresses for resources reached through the site to site vpn?
Local connections are running on 192.168.139.0/24
Split tunnelling is being used on the client to site VPN with two entries, one for the site to site subnet (172.18.231.0/24) and another for the local LAN subnet (192.168.139.0/24).
The client to site VPN uses the router IP as the DNS server.
A traceroute shows that the packet gets as far as the router but then is not able to reach the site to site subnet.
Thanks for the information. When they did the traceroute from the client were they specifying the destination as an IP address or as a name?
Does the RV345 give you the ability to see the negotiated crypto ipsec sa? If so can you share that output?
I am assuming that address translation is configured on the RV345. Is there any possibility that the traffic from the client going to the site to site peer is being translated?
Does the RV345 give you the ability to see system logs? If so are there any log messages that might relate when the vpn client is attempting to access the site to site remote peer?
Thanks for the response.
The traceroute was using an IP address from the right-side site to site subnet. This resulted in hitting the router IP and then going no further, so the split tunnelling is working but it doesn't get any further than the router.
I do have the ability to see the crypto configuration of the site to site, and the site to site connectivity works perfectly. Although the configuration is in GUI form, it's not like looking at an ipsec.conf file, as you don't have that low-level access.
NAT is enabled on the router, but not being a savvy network engineer I'm not sure how to see if the traffic from the client going to the site to site is being translated.
It does have debug logging enabled but I don't see anything from the logs for the following filter criteria:
So to me that's indicating that it's not even attempting to hit the site to site.
Could it just be that it needs some kind of routing configuration?
Thanks for the help Richard. I'm not a network engineer, and with us being a small team we don't have a dedicated Cisco/network engineer, so I'm learning as I go with this one!
Can you show us how your RV345 is configured for address translation?
Since the client vpn appears to be working (for everything except access to the remote site vpn) and since the site to site vpn is working, I would assume that this is not a routing issue. If this were on an ASA we would have this type of issue, since by default the ASA will not transmit a packet out the same interface that it arrived on (traffic from the client comes in the outside interface, and to reach the remote peer of the site to site the packet must go back out the outside interface). Is the RV345 enough of a firewall to have a similar policy? Is there any config option about enabling traffic to forward out the same interface it arrived on?
NAT is enabled but that's as far as it's been configured, static NAT or any additional options have not been configured. I'm not even sure the router gives the ability to do much more than that.
There also doesn't appear to be an option or setting for forwarding traffic on the same interface. I've checked the manual and can't see anything in there mentioning this either.
I did try without the firewall enabled and still no luck. The only way to reach that site to site VPN so far is to be on the LAN network and not the VPN.
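A small checker, added here and not part of the thread or of any RV345 tooling, that runs the addressing conditions the thread has been working through (split-tunnel entries, site-to-site traffic selectors, NAT) against the subnets stated above. The `nat_to_wan` flag is an assumption standing in for "the router rewrites the client's source address before the site-to-site policy sees it"; the RV345 GUI does not expose that directly.

```python
from ipaddress import ip_address, ip_network

# Values as stated in the thread, used as constructed defaults for the checker.
CLIENT_POOL = "192.168.138.0/24"      # client-to-site user pool (A)
LAN = "192.168.139.0/24"              # RV345 local LAN
S2S_LOCAL = "192.168.0.0/16"          # site-to-site local traffic selector
S2S_REMOTE = "172.18.231.0/24"        # site-to-site remote traffic selector (B)
SPLIT_TUNNEL = ("172.18.231.0/24", "192.168.139.0/24")  # split-tunnel entries


def check_path(src, dst, pool=CLIENT_POOL, lan=LAN, s2s_local=S2S_LOCAL,
               s2s_remote=S2S_REMOTE, split=SPLIT_TUNNEL, nat_to_wan=False):
    """Return a list of findings for a packet from src to dst.

    An empty list means the addressing side is consistent: the client sends
    the packet into the tunnel and the site-to-site selectors cover both
    ends. nat_to_wan (assumed flag) models the router translating the source
    to its WAN address before the site-to-site policy is consulted.
    """
    src, dst = ip_address(src), ip_address(dst)
    pool, lan = ip_network(pool), ip_network(lan)
    s2s_local, s2s_remote = ip_network(s2s_local), ip_network(s2s_remote)
    split = [ip_network(n) for n in split]
    findings = []
    if src not in pool:
        findings.append("source is not in the client-to-site pool")
    if not any(dst in n for n in split):
        findings.append("destination is not in the split-tunnel list; the client keeps it local")
    if dst not in s2s_remote:
        findings.append("destination is outside the site-to-site remote selector")
    if src in pool and src not in s2s_local:
        findings.append("client pool is outside the site-to-site local selector; the peer will drop it")
    if nat_to_wan:
        findings.append("source translated to the WAN address, which the site-to-site local selector does not cover")
    if pool.overlaps(lan) or pool.overlaps(s2s_remote):
        findings.append("client pool overlaps the LAN or the remote subnet; routing is ambiguous")
    return findings


if __name__ == "__main__":
    result = check_path("192.168.138.10", "172.18.231.5")
    for line in result or ["addressing and selectors are consistent"]:
        print(line)
```

With the thread's own values the checker reports nothing, which is exactly why the remaining suspects are source translation and the router's willingness to forward traffic back out the interface it arrived on.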
If you are having the same problem can you provide some details about your situation:
- what is the vpn client being used?
- what range of IP addresses are used for the vpn client sessions?
- what range of IP addresses are used for the lan on the RV345?
- is the vpn client successful in accessing the lan on the RV345?
- what range of IP addresses are used on the peer device of the site to site vpn?
- how is address translation configured on the RV345?