04-01-2009 03:31 AM
Hi,
I'm using the RV042 for VPN connectivity between 3 sites. These 3 routers are configured in NAT mode. I have one with a static IP and the two others are initiating IPsec VPN with the one with the static IP. I want the two subnets of the 2 sites with dynamic IPs to be able to communicate with each other, but since both sides are dynamic, we cannot initiate a VPN between them. Here is my setup:
Site 1:
wan ip: static
lan ip : 192.168.1.1/24
Site 2:
wan ip: dynamic
lan ip : 192.168.10.1/24
Site 3:
wan ip: dynamic
lan ip : 192.168.4.1/24
I created a static route in site 2 with these settings:
ip dest: 192.168.4.0
subnet mask: 255.255.255.0
gateway: 192.168.1.1
hop: 1
lan
I created a static route in site 3 with these settings:
ip dest: 192.168.10.0
subnet mask: 255.255.255.0
gateway: 192.168.1.1
hop: 1
lan
But it does not work.
When I look at the routing tables, I cannot see these routes. I also noticed that in the routing table I cannot see a route for the VPN.
Does somebody here know what's wrong?
Thank you,
Loïc Foucault
04-01-2009 06:15 AM
For multisite, we recommend full mesh, since the RV042 can handle plenty of site-to-site VPN tunnels. This also eliminates the bottleneck of one site having the responsibility to handle all traffic among sites. I assume you set up the tunnels (you didn't share that, so just double checking) defining the hub and each spoke and those work, right? It's just a matter of defining 2 tunnels in each site (each site has a tunnel to each other site). This works and is supported.
By the way, Dynamic DNS is the answer (pretty cheap too) to have a FQDN associated with your two routers that get DHCP addresses, since as you know tunnels won't be very reliable if the WAN IP changes at some point. Or just go with static WAN IPs. Hub and spoke is not going to get around that.
In your case, I have heard this to be problematic since the RV042 doesn't do dynamic L3 routing, so it's pretty much hop to hop. So spokes can't see each other.
Something you can try is changing the subnet mask of the HUB local subnet to 192.168.0.0/16. That may fool it, but again, I don't recommend this and prefer full mesh.
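The following is an added illustration, not code from the thread or from Cisco: a small Python model of the three topologies discussed above (hub and spoke with a /24 hub subnet, hub and spoke with the hub subnet widened to 192.168.0.0/16, and full mesh). It assumes the RV042 behaves as a policy-based IPsec gateway whose local/remote group settings act as Phase 2 selectors and that a packet is only forwarded into a tunnel whose selectors match; host addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed site LANs, matching the addressing in the thread.
SITES = {
    "site1": ip_network("192.168.1.0/24"),   # hub, static WAN
    "site2": ip_network("192.168.10.0/24"),  # spoke, dynamic WAN
    "site3": ip_network("192.168.4.0/24"),   # spoke, dynamic WAN
}


def tunnels_hub_spoke(hub_local="192.168.1.0/24"):
    """Per-router Phase 2 selectors: (local subnet, remote subnet, peer).
    Spokes only define a tunnel to the hub; the hub defines one per spoke.
    hub_local is what the hub advertises as its local group (the /16 trick
    is modelled by passing 192.168.0.0/16)."""
    hub = ip_network(hub_local)
    return {
        "site1": [(hub, SITES["site2"], "site2"), (hub, SITES["site3"], "site3")],
        "site2": [(SITES["site2"], hub, "site1")],
        "site3": [(SITES["site3"], hub, "site1")],
    }


def tunnels_full_mesh():
    """Every site has a tunnel to every other site with /24 selectors."""
    return {a: [(na, nb, b) for b, nb in SITES.items() if b != a]
            for a, na in SITES.items()}


def path(tunnels, src_site, src, dst, max_hops=4):
    """Follow selector matches hop by hop (no dynamic routing, as on the
    RV042). Returns the list of sites traversed, or None if some router
    has no tunnel whose selectors cover (src, dst)."""
    src, dst = ip_address(src), ip_address(dst)
    here, hops = src_site, [src_site]
    for _ in range(max_hops):
        if dst in SITES[here]:
            return hops                      # delivered on the local LAN
        nxt = next((peer for local, remote, peer in tunnels[here]
                    if src in local and dst in remote), None)
        if nxt is None:
            return None                      # no matching SA: traffic is dropped
        here = nxt
        hops.append(here)
    return None


if __name__ == "__main__":
    for name, t in [("hub/24", tunnels_hub_spoke()),
                    ("hub/16", tunnels_hub_spoke("192.168.0.0/16")),
                    ("mesh", tunnels_full_mesh())]:
        print(name, path(t, "site2", "192.168.10.5", "192.168.4.5"))
```

Widening the hub's local group to /16 makes spoke-to-spoke traffic match, but it also pulls every 192.168.x.x destination, including the hub's own LAN, into the same selector, which is why the reply above prefers a full mesh with exact /24 selectors.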
04-01-2009 08:33 AM
Thank you for your advice!
So we will go with a full mesh setup.
Since the WAN IP will not change often, I tried to set up a VPN between 2 sites with dynamic IPs and FQDNs with DynDNS, but both sides stayed in waiting mode. So I think this is normal, but can you confirm?
04-01-2009 08:48 AM
Some excellent resources here on creating tunnels on the RV042 and other Small Business Routers:
http://www.cisco.com/en/US/products/ps9925/index.html
IPSec setup involves entering the information needed on both ends of the tunnel to handshake properly for Phase 1 (ISAKMP single bi-directional secure negotiation channel) or “main mode” as it is sometimes called and, later, setting up the peer-to-peer uni-directional Security Associations (SAs) for Phase 2 (“quick mode”), which is where the actual customer packets traverse. Using IKE with a Pre-Shared Key (IKE PSK) on both ends of each tunnel will work.
Check the VPN log to verify proper negotiation and establishment of tunnels. Then, navigate to the VPN Status page to check the status of each router’s VPNs.
But waiting is not a proper state. It should be 'Connected'.
If they are flapping (up and down), then make sure you enable both Keep Alive and DPD on both sides.