Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
757
Views
0
Helpful
4
Replies

Cisco RV320 VPN IPSec connects but unable to traffic

cn2
Level 1
Level 1

‎07-24-2019 07:41 AM

Hello everyone,

 

I've been reading a lot of posts with  similar issues but none of the solutions worked for me so far. I'm not an expert on network configuration but this device seems more user friendly and I think it wouldn't be so complicated to set a VPN config.

 

This is occurring on a client environment and I'm working with another team on the other side. 

 

So, here is the situation, we are trying to establish a VPN IPSec connection between sites. We successfully established it, phase 1 and phase 2, but I'm unable to ping or trace any working devices that they claim to be reachable. The main purpose of this VPN is to enable a HTTP service but I'm trying to figure the pings first as they are unable to see my requests.

 

As I said before, the RV320 has a friendly GUI and, correct me if I'm wrong, it automatically adds the routes instead of needing to create them manually. The local network is 192.168.10.0/24 and the other side is 192.168.55.0/24 and when I trace a route to 192.168.55.10, it remains stuck on my router (192.168.10.1).

 

The other team is saying that I have to manually add a route between 192.168.10.0 to 192.168.55.0 instead of the one that is generated when the VPN is up, but I don't believe that information is correct.

 

Here is the currently Routing Table

Destination IP Subnet Mask Default Gateway Hop Count Interface  

192.168.10.150255.255.255.255*0ppp0 
192.168.55.0255.255.255.0WAN IP35eth2 
WAN IP255.255.255.0*0eth2 
192.168.10.0255.255.255.0*0eth0 
default0.0.0.0WAN IP40eth2

 

Am I missing or adding something wrongly? I can give more info if necessary.

 

Thanks in advance.

0 Helpful
4 Replies 4

psandel
Cisco Employee
Cisco Employee

‎07-26-2019 01:20 AM

Hi Sir,

 

My name is Puneet Sandel and I am from Cisco small business technical support center.

 

As per your issues, Kindly check that whether you are able to ping the WAN IPs of both local and remote end. Also you need to make sure that under Advanced settings, Keep alive and DPD are enabled along with NetBIOS.

 

Also make sure you have done the following configuration for Phase 1 and phase 2:

 

Phase 1 DH Group : Group-2

Phase 1 Encryption: AES-256

Phase 1 Authentication: SHA-1

Phase 1 SA Lifetime: 28800 sec

Perfect Forward Secrecy: Enabled

Phase 2 DH Group: Group-2

Phase 2 Encryption: AES-256

Phase 2 Authentication: SHA-1

Phase 2 SA Lifetime: 3600 sec

 

The same settings need to be done on remote site as well. Also make sure Block WAN request is disabled under Firewall basic settings.

 

Please feel free to contact Cisco small business frontline team to get a case open with Cisco. We will definitely help you out in case the proposed changes do not work.

 

PFB the link to contact Cisco frontline team:

 

https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

 

Regards,

Puneet Sandel

Technical Consulting Engineer

Global CX Centers – Small Business Support

0 Helpful

cn2
Level 1
Level 1
In response to psandel

‎07-29-2019 04:57 AM

Hi Puneet Sandel, nice to meet you!

 

I checked that I can't ping the remote end and when I try to trace it, the route stops almost at the end. Not sure if it's related to an ACL. The WAN IP is pinging fine.

 

The Phase 1 and Phase 2 authentication is a little bit different, should I change to the one you sent? And Block WAN is disabled like you told.

 

Phase 1 DH Group : Group-2

Phase 1 Encryption: AES-128

Phase 1 Authentication: SHA-1

Phase 1 SA Lifetime: 86400 sec

Perfect Forward Secrecy: Enabled

Phase 2 DH Group: Group-2

Phase 2 Encryption: AES-128

Phase 2 Authentication: SHA-1

Phase 2 SA Lifetime: 28800 sec

 

Either way, I will reach the support team.

 

Many thanks.

 

 

0 Helpful

psandel
Cisco Employee
Cisco Employee
In response to cn2

‎08-26-2019 11:31 PM

Hi Sir,

 

 

Kindly make the proposed changes in authentication, encryption and DH phase groups along with SA lifetime and check if the issue still persists.

 

Regards,

Puneet Sandel

Technical Consulting Engineer

Global CX Centers – Small Business Support

0 Helpful

cn2
Level 1
Level 1
In response to psandel

‎08-27-2019 05:41 AM

Hi Punnet Sandel,

 

I made the changes and the issue persists. Like I said, I can connect the VPN but I can't route the traffic. 

 

I tried reaching the Small Business Support Center and nothing worked so far.

 

Thanks,

 

Mark

0 Helpful
Customers Also Viewed These Support Documents