09-13-2017 08:47 AM - edited 03-21-2019 10:55 AM
We are in the process of testing out a new RV345P device to see if we can use it in a new location. We have an existing VPN configuration between 2 existing sites using 1921s and using certificate auth. I have successfully made the first S2S connection between the 1921 and the RV345P, shown below:
(1921) 192.168.222.0/28 --------- (RV345P) 192.168.128.0/29
The 1921 has 2 LANs configured on it, and I am trying to create the second phase 2 association for the 2nd subnet:
(1921) 192.168.168.0/27 --------- (RV345P) 192.168.128.0/29
However, when I try to add the 2nd S2S on the RV345P, I receive the following error:
So how do I add a 2nd subnet in the phase 2 association? Surely this is a feature of this device? Your Cisco RV042 device that was released nearly ten years ago can do this.....
I can provide sanitized configs if necessary.
12-02-2018 11:22 AM
Looks like there still is no solution for this which is kind of ridiculous.
Why produce a VPN Router if it can not route two subnets on one VPN tunnel?
Anyway, as a workaround the following worked for me:
I set for one subnet as identifier FQDN and for one the IP of the same remote site.
On the remoteside, which luckily is an ASA in my case, I set the identifier to auto.
The drawback is that I still can't have more than two subnets per Tunnel, three if the same works if you set FQD User for the third subnet. Still not the way VPN tunnels are intended to work.
Kindly looking for input on this. RV340 is a widely used model. I don't think only three people ran into this .....
12-02-2018 12:50 PM
Cisco ended up buying back ours because they wouldn't work and even though the GREs were supposed to be a "feature" and working they would freeze / lose configs. After that we decided to use PF Sense (free) on entry level desktop computers with add-in NIC cards. Best thing we ever did, we send a bunch of traffic through them and they handle it well and we haven't had any issues with Open VPN networking multiple subnets and connecting 26 of our sites together. We run Virtual Machines with PF at our main sites and they work great and we can max out our full 1gig fiber connections. Cisco wouldn't buy back the RV130s we had so we put them on eBay - Although they tried to make it right with the buy back of the 345's, I can't say I would ever buy a VPN from them again.
02-25-2019 07:11 AM
To configure multiple phase 2 under a single IPSEC phase 1 on the Cisco RV340:
Create an IP group containing all of the remote subnets.
Select this IP group under the remote group configuration of the IPSEC tunnel.
02-26-2019 09:42 PM - edited 02-26-2019 09:43 PM
rturpin@brightwell.com wrote:
To configure multiple phase 2 under a single IPSEC phase 1 on the Cisco RV340:
Create an IP group containing all of the remote subnets.
Select this IP group under the remote group configuration of the IPSEC tunnel.
Nope, that doesn't work. The dialog box on the VPN configuration page will only accept a typed IP address or subnet, not an address group name. (Address groups are nearly useless on this device).
02-27-2019 04:07 AM
I believe that the option has been available for the last 2 firmware releases.
Firmware Information
Firmware Version: 1.0.02.16
02-27-2019 06:44 AM
Thank you rturpin, that looks exactly like what is needed.
05-18-2019 05:20 AM
Set up an IP group with all three of my remote subnets. Won't work. Specify the remote subnets individually one at a time and it works fine. ASA 5520 on the far end.
08-26-2020 06:14 AM
Did someone ever find a solution for this, or does someone know if Cisco is working on this?
11-10-2021 08:37 AM
Hey.. I have tested on Cisco RV-345 Firmware 1.0.03.24 and IP Address Groups work well to link 2+2 of my VLANs (Subnets) via S2S. I am using the Cisco factory VPN settings, so, I haven't tested a more complex combination yet.
Keep in mind, when you change your IP Address Groups, it will not apply on your S2S established connection automatically, so, you have to disable S2S VPN connection on both sites then enable to apply the new IP Address Groups changes.
The IP Address Groups with option Subnets on both sites work pretty well, but I haven't had enough time to check if the S2S is 100% stable. Using Firewall "Access Rules", I have filtered individual IPs or group of IPs between sites.