RV340 site to site to ASA and IP Groups

f1services
Level 1

I have an RV340 at a remote office connecting to an ASA at the main office. The tunnel is up and working fine and can access the remote private subnet at 192.168.1.x from the local subnet 192.168.0.x.

There are three different subnets at the main office (3.x, 5.x and 7.x), all of which can be individually reached by changing the remote network on the RV340 - thus proving connectivity.

When I create an "IP Group" that contains all three subnets on the RV and then specify that group in the S2S connection, I can no longer reach them. Thoughts?

Mathias Garcia
Level 1

Probably some config mismatch between ASA and RV340.

I currently run an s2s VPN between 2 RV340 using an IP group with 6 subnets on one side without any problems.

Unfortunately I haven't worked with ASA in a long time, so I can't really remember any possible caveats that might apply; just make sure that the object groups (subnets) match (mirrored) exactly between the ASA and the RV340.

Perhaps show us your config (cleansed of sensitive information).

nagrajk1969
Spotlight

Hi

In case you have still not solved your issue with ASA, then please refer to the points below.

The issue is with ASA...when configured as IKEv2-tunnel,

- so if you have configured an IKEv2-based s2s tunnel with IP-Groups/multiple-subnets, between RV340 and ASA, then just in RV340 in the Advanced page of the S2S tunnel config, check/enable the Non-RFC option and apply-save...it should work correctly now

- else change to IKEv1-based tunnel

====================================================

1. The issue with S2S tunnels using multiple subnets (with IP-Groups on RV34X) not working with IKEv2 when the remote IPsec-Peers are especially and specifically Cisco-ISR/Cisco11xx/Cisco-ASA and other such appliances is because the BUG is with the Cisco-ISR/11xx/ASA/etc appliances/routers AND NOT WITH RV34X.

2. The problem/bug is that when IKEV2 is used, the present/existing Cisco-IOS/ISR/ASA/11xx appliances DO NOT SUPPORT THE IKEV2 RFC-STANDARD multiple traffic-selectors (read multiple-subnets) being received in the CHILD-SA payload during the tunnel negotiation....the Cisco-ISR/ASA/IOS/11xx routers are implemented to support ONLY 1 pair of Traffic-selectors during IKEv2-CHILD-SA negotiation.....

The RV340/345 supports the complete/latest RFC implementation for IKEv2-based tunnels....

3. So to establish an IKEV2-based multiple-subnets IPsec tunnel between RV340/345 and Cisco-ISR/IOS/ASA appliances, you need to apply the below setting/config on the RV340/345, when you are configuring for IKEv2 and using IP-Groups for multiple-subnets (either local-subnets or remote-subnets or both)

In the S2S tunnel config page in the advanced tab, enable/check the setting "Non-RFC"....and now it should start working without any issues just like it does for IKEv1

Note: The checkbox "Non-RFC" on RV34X means that the remote Peer does not support the complete RFC-standard for IKEV2-based tunnels (multiple-subnets)

This "Non-RFC" should also be selected in case the remote ipsec peer is a Fortinet-Gw...Fortinet also has a bug and does not support receiving multiple-traffic selectors in the child-SA payload during the IKEv2 negotiation....

===========================================================
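An added example, not from this thread and not Cisco's or the RV340 firmware's code, that models the traffic-selector behaviour both replies describe: an RFC 7296 section 2.9 responder keeps every proposed selector its policy covers, a responder that only handles one TS pair per CHILD_SA silently narrows a multi-subnet proposal to its first pair (so only one main-office subnet stays reachable), and negotiating one CHILD_SA per subnet pair restores reachability. The per-subnet split is an assumption about what the RV34X "Non-RFC" option effectively achieves, not documentation of it; the /24 prefixes are constructed from the thread's description, and `mirror_check` implements the "object groups must be mirrored exactly" advice from the first reply.

```python
"""Model of IKEv2 traffic-selector (TS) negotiation for multi-subnet tunnels.

Example code added to this thread; it does not reproduce any vendor implementation.
Networks are IPv4 only to keep the model short.
"""
from ipaddress import ip_network
from itertools import product

# Constructed sample data. 192.168.0.x is the RV340 side per the thread; the
# main-office subnets 3.x/5.x/7.x are assumed to be 192.168.3.0/24 etc.
RV_LOCAL = [ip_network("192.168.0.0/24")]
RV_REMOTE_GROUP = [ip_network("192.168.3.0/24"),
                   ip_network("192.168.5.0/24"),
                   ip_network("192.168.7.0/24")]
# The ASA's policy is the mirror image of the RV340's.
ASA_LOCAL = list(RV_REMOTE_GROUP)
ASA_REMOTE = list(RV_LOCAL)


def mirror_check(our_local, our_remote, peer_local, peer_remote):
    """True when both ends describe exactly the same set of (our_local, our_remote)
    pairs, i.e. the peer's object groups are the mirror of ours (order-insensitive)."""
    ours = {(l, r) for l, r in product(our_local, our_remote)}
    theirs = {(r, l) for l, r in product(peer_local, peer_remote)}
    return ours == theirs


def responder_rfc7296(peer_local, peer_remote, tsi, tsr):
    """RFC 7296 section 2.9 responder: narrow the proposal but keep every selector
    the responder's policy covers. TSi describes the initiator's side (the
    responder's remote), TSr the responder's own side. Returns None for
    TS_UNACCEPTABLE."""
    sel_i = [n for n in tsi if any(n.subnet_of(p) for p in peer_remote)]
    sel_r = [n for n in tsr if any(n.subnet_of(p) for p in peer_local)]
    if not sel_i or not sel_r:
        return None
    return (sel_i, sel_r)


def responder_single_pair(peer_local, peer_remote, tsi, tsr):
    """Responder that only supports one TS pair per CHILD_SA (the behaviour the
    reply attributes to some peers): it keeps just the first acceptable pair."""
    full = responder_rfc7296(peer_local, peer_remote, tsi, tsr)
    if full is None:
        return None
    return ([full[0][0]], [full[1][0]])


def negotiate(responder, peer_local, peer_remote, local, remote, per_subnet):
    """Run the CHILD_SA negotiation(s) from the initiator's point of view.

    per_subnet=False sends all subnets in one CHILD_SA proposal (the IP group).
    per_subnet=True sends one CHILD_SA proposal per (local, remote) pair, which is
    the assumed effect of the thread's "Non-RFC" workaround.
    Returns the list of installed CHILD_SAs as (TSi, TSr) tuples."""
    if per_subnet:
        proposals = [([l], [r]) for l, r in product(local, remote)]
    else:
        proposals = [(list(local), list(remote))]
    child_sas = []
    for tsi, tsr in proposals:
        result = responder(peer_local, peer_remote, tsi, tsr)
        if result is not None:
            child_sas.append(result)
    return child_sas


def reachable_remote(child_sas):
    """Remote subnets covered by at least one installed CHILD_SA."""
    return {str(n) for _, tsr in child_sas for n in tsr}


if __name__ == "__main__":
    print("policies mirrored:", mirror_check(RV_LOCAL, RV_REMOTE_GROUP, ASA_LOCAL, ASA_REMOTE))
    for name, resp, split in [("RFC peer, one CHILD_SA", responder_rfc7296, False),
                              ("single-pair peer, one CHILD_SA", responder_single_pair, False),
                              ("single-pair peer, per-subnet", responder_single_pair, True)]:
        sas = negotiate(resp, ASA_LOCAL, ASA_REMOTE, RV_LOCAL, RV_REMOTE_GROUP, split)
        print(f"{name}: {len(sas)} CHILD_SA(s), reachable {sorted(reachable_remote(sas))}")
```

The middle case is the symptom from the original question: the tunnel comes up, but only the first subnet in the group is actually selected, so the others appear unreachable even though each works on its own. The same model shows that a real object-group mismatch (a subnet missing on one side) fails `mirror_check` and drops that subnet from the negotiated selectors as well, which is why the two replies' advice is complementary rather than contradictory.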