
RV345P - multiple subnets in site-to-site VPN

train_wreck
Level 1

 

We are in the process of testing out a new RV345P device to see if we can use it in a new location. We have an existing VPN configuration between 2 existing sites using 1921s and using certificate auth. I have successfully made the first S2S connection between the 1921 and the RV345P, shown below:

 

(1921) 192.168.222.0/28 --------- (RV345P) 192.168.128.0/29

 

The 1921 has 2 LANs configured on it, and I am trying to create the second phase 2 association for the 2nd subnet:

 

(1921) 192.168.168.0/27 --------- (RV345P) 192.168.128.0/29

 

However, when I try to add the 2nd S2S on the RV345P, I receive the following error:

 

ciscoerror.png

 

So how do I add a 2nd subnet in the phase 2 association? Surely this is a feature of this device? Your Cisco RV042 device that was released nearly ten years ago can do this.....

I can provide sanitized configs if necessary.

23 Replies

Isynth
Level 1

Looks like there still is no solution for this, which is kind of ridiculous.

Why produce a VPN Router if it can not route two subnets on one VPN tunnel?

Anyway, as a workaround the following worked for me:

I set FQDN as the identifier for one subnet, and for the other the IP of the same remote site.

On the remote side, which luckily is an ASA in my case, I set the identifier to auto.

The drawback is that I still can't have more than two subnets per tunnel, or three if the same works when you set FQD User for the third subnet. Still not the way VPN tunnels are intended to work.

 

Kindly looking for input on this. RV340 is a widely used model. I don't think only three people ran into this .....

Cisco ended up buying back ours because they wouldn't work, and even though the GREs were supposed to be a "feature" and working, they would freeze / lose configs. After that we decided to use pfSense (free) on entry-level desktop computers with add-in NIC cards. Best thing we ever did: we send a bunch of traffic through them and they handle it well, and we haven't had any issues with OpenVPN networking multiple subnets and connecting 26 of our sites together. We run virtual machines with pfSense at our main sites and they work great, and we can max out our full 1 gig fiber connections. Cisco wouldn't buy back the RV130s we had, so we put them on eBay. Although they tried to make it right with the buyback of the 345s, I can't say I would ever buy a VPN from them again.

To configure multiple phase 2 under a single IPsec phase 1 on the Cisco RV340:

Create an IP group containing all of the remote subnets.

Select this IP group under the remote group configuration of the IPsec tunnel.


rturpin@brightwell.com wrote:

To configure multiple phase 2 under a single IPsec phase 1 on the Cisco RV340:

Create an IP group containing all of the remote subnets.

Select this IP group under the remote group configuration of the IPsec tunnel.


Nope, that doesn't work. The dialog box on the VPN configuration page will only accept a typed IP address or subnet, not an address group name. (Address groups are nearly useless on this device).

I believe that the option has been available for the last 2 firmware releases. 

Firmware Information
Firmware Version: 1.0.02.16

2019-02-27_07h03_57.png

Thank you rturpin, that looks exactly like what is needed.

 

 

 

Set up an IP group with all three of my remote subnets. Won't work. Specify the remote subnets individually one at a time and it works fine. ASA 5520 on the far end.

Did anyone ever find a solution for this, or does anyone know if Cisco is working on this?

Hey. I have tested on Cisco RV-345 firmware 1.0.03.24, and IP Address Groups work well to link 2+2 of my VLANs (subnets) via S2S. I am using the Cisco factory VPN settings, so I haven't tested a more complex combination yet.

 

Keep in mind, when you change your IP Address Groups, the change will not apply to your established S2S connection automatically, so you have to disable the S2S VPN connection on both sites and then enable it again to apply the new IP Address Groups changes.

 

The IP Address Groups with the Subnets option on both sites work pretty well, but I haven't had enough time to check if the S2S is 100% stable. Using Firewall "Access Rules", I have filtered individual IPs or groups of IPs between sites.