09-29-2021 08:33 AM
Trying to set up a small office with a RV160 and VPN tunnel to Corp office.
The VPN will work if I have only 1 subnet that I want to tunnel.
The "Ip Address Groups" and "Ip Group" options on the site-to-site vpn setup seem to be there for just this purpose however it will only pass whatever is the first subnet in the list.
09-30-2021 07:07 AM
Hi
>>>The Corp Gateway is Palo Alto 5050. The multiple subnets are behind Corporate router.
>>>I'm using IKEV2.
>>>I now have a TAC case open SR 692270399 : RV160W-A-K9-NA// Vpn tunnel setup
>>>but is not resolved yet.
The issue is NOT with the RV16x (it uses strongSwan for implementing the IPsec VPN tunneling features). This supports the complete IKEv2 RFC standards.
The issue is prevalent on the PaloAlto router, because its implementation does not support the full IKEv2 RFC standard, especially when it comes to the use of multiple subnets in an IKEv2-based S2S IPsec tunnel.
Just for validation purposes, why don't you simply switch the existing S2S tunnel to use IKEv1 on both sides for this tunnel? I am sure the tunnel (and the required multi-subnet traffic through it) will work with IKEv1.
As for IKEv2, there need to be some changes done on the PaloAlto router by configuring the phase-2 traffic selectors differently than what is applied now (I don't have a clue on how exactly to configure them on PaloAlto... I have never worked on it before... but the IPsec principles/standards are universal and remain the same irrespective of the configuration options/settings used on any of the VPN peers).
Also, as a last resort, if it does get solved any time soon (which I very much doubt), you could also do the below config on both VPN peers using IKEv2:
- Assuming that the multiple subnets are behind the PaloAlto-Gw AND that on the RV160 you are using only the 192.168.1.0/24 network as the local subnet
On RV160x
-------------
profile: IKEv2-profile
Local-ID-Type: FQDN
Local-ID: rv160gw.test.local
Local-IP-Type: Subnet:
Value: 192.168.1.0/255.255.255.0
Remote-ID-Type: FQDN
Remote-ID: CorpGw.test.local
Remote-IP-Type: ANY
------
On PaloAlto
--------
- Change the existing S2S tunnel config to something corresponding to the settings below (the option names will be different on PA, of course)
Profile: IKEv2-profile
Local-ID-Type: FQDN
Local-ID: CorpGw.test.local
Local-IP-Type: ANY
OR
Note: Here on PaloAlto, maybe you will need to configure as below (for ANY)
Local-subnet: 0.0.0.0/0.0.0.0
Remote-ID-Type: FQDN
Remote-ID: rv160gw.test.local
Remote-IP-Type: Subnet:
Remote-subnet: 192.168.1.0/255.255.255.0
The above will work for both IKEv2 and also for an IKEv1-based tunnel. BUT there is a caveat for the RV160 side. With this config, not just IPsec tunnel traffic but ALL TRAFFIC (including traffic from the local network 192.168.1.x to the Internet) will be routed via this IPsec tunnel to the Corp-Gw, and from there it will be routed further as per the configuration on the CorpGw router. You can't bypass this routing of all traffic through the IPsec tunnel on the RV160... you have to live with it with this configuration.
Anyway, you can discuss further with the Cisco TAC people and I think they will be able to solve your issue for sure.
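As an added illustration (not code from the thread, the RV160 or the Palo Alto): a small Python model of IKEv2 traffic-selector narrowing (RFC 7296 section 2.9). The "first selector only" responder is an assumption used to reproduce the symptom above (only the first subnet in the group passes), and the 0.0.0.0/0 case shows why the ANY workaround also pulls Internet-bound traffic into the tunnel. All subnets are constructed sample values.

```python
"""Model of IKEv2 traffic-selector (TS) narrowing, RFC 7296 section 2.9.
Added example for this thread; not code from the RV160 or the Palo Alto.
The first_only behaviour is an assumption that reproduces the symptom
described in the thread (only the first subnet in the group passes)."""
import ipaddress


def to_range(cidr):
    """TS_IPV4_ADDR_RANGE: (first address, last address) of a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (int(net.network_address), int(net.broadcast_address))


def narrow(proposed, policy, first_only=False):
    """Intersect the initiator's proposed selectors with the responder's
    configured policy. A compliant responder considers every proposed
    selector; first_only models a peer that only evaluates the first one."""
    candidates = proposed[:1] if first_only else proposed
    agreed = []
    for p_lo, p_hi in candidates:
        for c_lo, c_hi in policy:
            lo, hi = max(p_lo, c_lo), min(p_hi, c_hi)
            if lo <= hi:  # ranges overlap -> keep the overlapping part
                agreed.append((lo, hi))
    return agreed


def covers(selectors, addr):
    """True if a packet with this address would match the agreed selectors."""
    a = int(ipaddress.ip_address(addr))
    return any(lo <= a <= hi for lo, hi in selectors)


def fmt(selectors):
    return [f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}" for lo, hi in selectors]


# Constructed sample: the RV160 side proposes three corporate subnets (TSr)
# and the corporate gateway's policy contains the same three.
CORP_SUBNETS = [to_range(c) for c in ("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24")]


def compliant_result():
    return narrow(CORP_SUBNETS, CORP_SUBNETS)


def first_only_result():
    return narrow(CORP_SUBNETS, CORP_SUBNETS, first_only=True)


def workaround_result():
    # Thread's workaround: Remote-IP-Type ANY on the RV160 and 0.0.0.0/0 as the
    # local subnet on the corporate side -> a single selector covering everything.
    return narrow([to_range("0.0.0.0/0")], [to_range("0.0.0.0/0")])
```

Running `fmt(first_only_result())` yields only the first subnet, while `covers(workaround_result(), "8.8.8.8")` is True, which is the all-traffic caveat described above.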
09-29-2021 09:01 AM
Looks like a bug to me. Open a TAC case to have it investigated for you:
The thread below may help you.
09-29-2021 11:07 AM
what type of gateway (vpn-peergw) is there in the Corp office?
If you have a deployment something like below
local-subnet(s)?------[RV160]---ipsec-tunnel----[corp-gateway]----remote-subnet(s)?
-are there multiple subnets in the local-network (behind RV160)?
- or are there multiple-subnets in the remote-network (behind Corp-Gateway)
- and is the Corp-Gw a RV-router? what router is it?
- have you configured the tunnel using IKEv1 or IKEv2?
- try with only IKEv1?
Kindly provide clarifications to the queries... it will help in providing a possible solution or confirming if there is indeed a problem with the RV router itself.
Note: Please don't add any explicit manual permit/deny ACL rules on the RV router thinking that you will require them for VPN traffic. You do not need any manual explicit firewall permit/deny rules... the rules are all added automatically in the background by the system when tunnels are configured... so if there are any existing ones, please delete them first.
thanks
09-30-2021 05:36 AM
The Corp Gateway is Palo Alto 5050. The multiple subnets are behind Corporate router.
I'm using IKEV2.
I now have a TAC case open SR 692270399 : RV160W-A-K9-NA// Vpn tunnel setup
but it is not resolved yet. Thanks for your help.
09-30-2021 09:14 AM
Hi,
You haven't mentioned the IP subnets you want to use on the site-to-site VPN tunnel. If possible, try using a supernet in the VPN tunnel to merge those LAN IP subnets into a larger network.
10-01-2021 05:37 AM
IKEv1 works like a charm... How frustrating. If the option does not work for IKEv2 then it shouldn't be there.
Thanks to all of you.