RV340 VPN Client to Site / L2TP

Rodny
Level 1

Hello there,

We have changed our office router / firewall for an RV340, and we need to enable VPN connections for mobile clients with Windows / Mac / Android / iOS.

We believe that VPN Client to Site is the best option, but the truth is that it is impossible for me to successfully configure this VPN Server for all clients.

We have read and rehearsed several recommendations that exist in the community; perhaps something changed, because I see all the conversations are from the years 2018, 2019, and 2020.

Is there a real step-by-step manual updated for Firmware 1.0.03.22?

Rodny-


balaji.bandi
Hall of Fame

I do not believe anything changed (are you seeing any issue?).

This video helps to start:

https://www.youtube.com/watch?v=2OcCuCWBCoE

BB


Maybe I'm not doing things right, but hey ... here I comment on what I'm trying to do.

1. Configure a VPN Server Client-to-Site on the RV340 to allow connections on Windows PCs, Mac, Android and iOS

2. This is the configuration I am trying on the RV340 and the MacBook, and the error message I received on the Mac and Windows client.

It seems like some firewall rule is missing to allow the VPN, or is everything wrong?

NOTE: I am not using a VPN client, I am trying to use macOS skills to establish the VPN

nagrajk1969
Spotlight

Hi

Firstly, don't add any explicit/manual firewall-acl/etc rules of your own for VPN or otherwise... delete any existing rules and keep it in the default state.

Secondly, hopefully the discussions (and points/info mentioned) in the links below will help you in solving your requirements in some ways. Please kindly go through the discussions:

https://community.cisco.com/t5/small-business-routers/rv260-and-client-to-site-vpn-from-macos-with-native-client/m-p/4454941#M41779

https://community.cisco.com/t5/small-business-routers/how-to-setup-rv30-for-ikev2-vpn-with-eap-auth-only/m-p/4458382#M41821

https://community.cisco.com/t5/network-access-control/where-and-what-to-get-for-ike-certificates/m-p/4462610#M569628

Misc-Important-Info:

https://community.cisco.com/t5/vpn/ip-range-vpn-client-remote-access/m-p/4425731/highlight/true#M279109

Next, for Client-to-Site VPN-Server sample configs on RV34X/RV160x/RV260x routers, you may kindly refer to the attached documents.

Note: For IKEv2 vpn-client connections using EAP, you will need to configure a Radius-server on the LAN side of the RV routers (the relevant config documents attached mention the same for your reference).

Hope this is of some help

best wishes and regards

Rodny
Level 1

Nagrajk1969,

I have finished the configuration for Apple OS and iOS, and now I need to set up the same example but for Windows 10.

I made the configuration on the RV340 router using L2TP, but this does not work on Windows 10 for me.

Rodny-

nagrajk1969
Spotlight

Hi

1. Windows10 supports:

a) IKEv2-only IPsec Native Client (native meaning built-in on Windows10)

- this is a pure IKEv2-IPsec client
- there is NO support for a pure "Native IKEv1-based IPsec client"
- Certificate-only and EAP-based (EAP-MSCHAPv2) authentications are supported

b) L2TP-with-IPsec client

- the IPsec component of this tunnel is IKEv1-based only (there is NO IKEv2 support for the L2TP-with-IPsec client)
- the IPsec tunnel protects the inside L2TP-tunnel
- the L2TP-tunnel authentication requires a username-passwd acct, and here PAP and CHAP are supported
- For CHAP user-auth, you will be required to offload the authentication to a "Radius-server" in the LAN network of the RV34X (and this you will configure in the "user-accounts" section)
- In case you don't have a Radius-server in your LAN network, then you can use ONLY PAP user-authentication. This won't require any other changes on the L2TP-server config on the RV340, BUT you will need to change/select ONLY PAP for user-auth ON THE WINDOWS10 L2TP-CLIENT PROFILE SETTINGS

Additional Note: By default the L2TP-IPsec client on Windows uses

IKEv1 Phase1: 3DES-SHA1-MODP1024
ESP-Phase2: 3DES-SHA1 (NO-PFS)

- so configure accordingly on the RV340 l2tp-server

Refer to the sample config doc in the link below:

https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/smb5472-configure-layer-2-transport-protocol-l2tp-server-settings-on.html
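
The PAP-only Windows 10 L2TP client profile described in the reply above, scripted and then read back for verification. This is an added PowerShell example, not part of the original post or of Cisco's documentation; the profile name, the server address and the use of a pre-shared key for the IPsec layer are assumptions.

```powershell
# Added example: a Windows 10 L2TP/IPsec profile restricted to PAP user-auth.
# $Name and $Server are placeholders; using a pre-shared key for the IPsec
# layer is an assumption (the thread does not say PSK or certificate).
$Name   = 'RV340-L2TP'          # hypothetical profile name
$Server = 'vpn.example.com'     # placeholder for the RV340 WAN address
$Psk    = Read-Host 'Pre-shared key configured on the RV340 L2TP server'

# Start clean so settings from an earlier attempt do not linger in the profile.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# Per the reply above: without a RADIUS server behind the RV340, PAP is the
# only user-auth method to select. The IPsec tunnel protects the L2TP tunnel.
Add-VpnConnection -Name $Name -ServerAddress $Server `
    -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod Pap -Force

# Read the profile back and fail loudly if it is not what was intended.
$vpn     = Get-VpnConnection -Name $Name
$methods = @($vpn.AuthenticationMethod | ForEach-Object { "$_" })
$extra   = @($methods | Where-Object { $_ -ne 'Pap' })

if ("$($vpn.TunnelType)" -ne 'L2tp') {
    throw "Profile '$Name' is $($vpn.TunnelType), expected L2tp"
}
if ($methods.Count -eq 0 -or $extra.Count -gt 0) {
    throw "Profile '$Name' allows: $($methods -join ', '); expected Pap only"
}

$vpn | Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, L2tpIPsecAuth
```

With PAP the password crosses the PPP session in clear text and is protected only by the IPsec layer, which with the Windows defaults quoted above is 3DES-SHA1 with MODP1024 and no PFS.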

 

 

 

 

 

DONE.

Perfect, better impossible

Thank you…

Rodny-