
RV340 behind NAT/Firewall router

roman.hiestand
Level 1

Hi

 

We bought two RV340(W) to create a site-to-site VPN, eventually. But for now, we have basic configuration problems.

Both RV340s will be behind routers with active NAT/firewalls/DHCP. VPN-Router 1 will be in local network 1 with local IP addresses 10.150.150.1/24, with static IP address 10.150.150.2 and default gateway 10.150.150.1. VPN-router 2 will be in local network 2 with local IP addresses 10.150.155.1/24, with static IP address 10.150.155.2 and default gateway 10.150.155.1.

On both VPN-routers I disabled the Firewall and NAT, allowed DHCP-redirection and remote web GUI access. The VPN-router will be directly attached to the main internet router (with NAT/firewall), and all other network clients will be connected to the LAN ports of the VPN-router.

I was able to access the web GUI from "outside" (the WAN port of the VPN router), but not from "inside" (LAN ports), also no traffic was forwarded from the LAN ports to the "outside" local network. Then I tried to configure VLAN 1 on 10.150.150.1/24, but from that point on the VPN-Router was not accessible anymore and I had to reset it to defaults.

 

Can somebody please tell me what the correct configuration for this use case is?

 

The internet routers in question are FritzBoxes, they can't be set to bridge mode, among others because they also provide IP telephony (VoIP <-> DECT).

 

Best regards

Roman

 

17 Replies

roman.hiestand
Level 1

Thank you very much for the detailed instructions. I entered exactly the values from your instructions, except for the domain name of the remote endpoint. But the VPN tunnel remains "DOWN". If you want, I can send you copies of the screens, but I checked the details already several times.

Tonight I will try to reboot both RV340s, maybe this helps.

What is still strange is that on the site2 RV340 (it is actually an RV340W with Wi-Fi) the icon "Connect" next to the s2s VPN is not visible, only on site1.

 

nagrajk1969
Spotlight

Oh OK... could you update the firmware on both RV34Xs to v1.0.03.22, which is the latest I guess... or anything later?

 

I can vouch my job on the S2S tunnel config that I sent you... I have used and deployed similar configurations in similar scenarios "hundreds of times" in my career till now (of 24+ years)... so I am not at all doubting or worried about the S2S tunnel config that I sent you.

 

Of course, my bet/vouch is based on my assumption and bet that:

a) the IPsec tunnel negotiation protocol packets - IKE-udp-500, IKE-udp-4500, IP-Proto-50-ESP - are being processed/forwarded through by the ISP routers to both RV340s...

 

b) And in case you configure the "Remote-Endpoint: FQDN - routerX.dyndns.org" on both the RV340s or either of them... I am assuming and betting that both RV340s are able to successfully do a DNS resolve of the FQDN and resolve it to the "public IP address" allotted by the respective ISP routers (which you have already confirmed happens, because you are accessing the GUI of the remote RV340 using the dyndns FQDN).

 

So yes, you go ahead and update the firmware and also do a permanent save and reboot.

- Note: You don't need any firewall rules to pass/allow/forward/permit any of the IPsec/IKE/ESP traffic (including any NAT-bypass rules after the tunnel is UP). On RV34X platforms, these required rules are all installed/applied implicitly in the background automatically when required with the respective configurations enabled/applied on the RV34X... so don't add any manual explicit rules... they will create problems instead.

 

roman.hiestand
Level 1

It is working! Thanks to your help, the VPN tunnel is now up. I apologize for not realizing sooner, that the ISP routers did in fact not route the IKE-500 and 4500 to the VPN routers. I thought by defining the RV340s as "exposed host" they would receive all traffic, but in fact the ISP routers (FritzBox) also offer a VPN functionality, so they didn't let through this traffic. After switching off all VPN functions in the FritzBoxes, the VPN tunnel between the RV340s is now working.

 

Thank you very much for your help, it is much appreciated!
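
Added example, not part of the thread and not Cisco or AVM code: a way to check, from packets captured on the WAN side of the VPN router, whether the IKE-udp-500, IKE-udp-4500 and ESP traffic named above actually gets past the upstream router. It assumes both peers sit behind NAT (so NAT-T on UDP 4500 is expected); the function names, packet tuples and sample captures are constructed for illustration.

```python
import struct

# IKE header (RFC 7296): SPIi, SPIr, next payload, version, exchange, flags, msg id, length
IKE_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGES = {2: "IKEv1-main", 4: "IKEv1-aggressive", 34: "IKE_SA_INIT", 35: "IKE_AUTH"}

def classify(ip_proto, dst_port, payload):
    """Label one inbound packet captured on the VPN router's WAN side."""
    if ip_proto == 50:
        return "esp"                          # native ESP, IP protocol 50
    if ip_proto != 17 or dst_port not in (500, 4500):
        return "other"
    if dst_port == 4500:                      # NAT-T framing (RFC 3948)
        if payload == b"\xff":
            return "nat-keepalive"
        if len(payload) >= 4 and payload[:4] != b"\x00" * 4:
            return "esp-in-udp"               # a non-zero SPI comes first
        payload = payload[4:]                 # drop the 4-byte non-ESP marker
    if len(payload) < IKE_HDR.size:
        return "malformed"
    exchange = IKE_HDR.unpack_from(payload)[4]
    return f"ike-udp-{dst_port}:{EXCHANGES.get(exchange, exchange)}"

def missing_tunnel_traffic(inbound):
    """Return the tunnel traffic types that never arrived from the peer."""
    labels = {classify(*pkt) for pkt in inbound}
    seen = {
        "IKE-udp-500": any(l.startswith("ike-udp-500") for l in labels),
        "IKE-udp-4500": any(l.startswith("ike-udp-4500") for l in labels),
        "ESP": bool(labels & {"esp", "esp-in-udp"}),
    }
    return [name for name, ok in seen.items() if not ok]

def ike(exchange):
    """Constructed header-only IKEv2 message with made-up SPIs."""
    return IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 0, 0x20, exchange, 0x08, 0, IKE_HDR.size)

# Constructed captures as (ip_proto, dst_port, payload) tuples, not data from the thread.
BLOCKED = [(6, 443, b""), (17, 53, b"")]      # upstream router keeps IKE for itself
FORWARDED = [(17, 500, ike(34)), (17, 4500, b"\x00" * 4 + ike(35)),
             (17, 4500, b"\xff"), (17, 4500, b"\x00\x00\x10\x01" + b"\xaa" * 32)]

if __name__ == "__main__":
    print("blocked  :", missing_tunnel_traffic(BLOCKED))
    print("forwarded:", missing_tunnel_traffic(FORWARDED))
```

An empty result means all three traffic types reached the VPN router; a full list, as in the `BLOCKED` sample, points at the upstream router rather than at the tunnel configuration.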