
Site to site connection

r.prandini
Level 1

Hi,
I came from Zyxel and we had an IPsec site-to-site problem, so we switched to a Cisco RV260.

First time in the Cisco world.

I have created an IPsec site-to-site tunnel and this was simple.

I can connect to the remote IP 62.97.2.6; the site-to-site is connected.


-------------------------------
Now the problem: it looks like it can't forward traffic.
Under Zyxel I have a rule that forwards traffic from my net to the VPN if the destination is 10.201.104.30/8.
Under Cisco I have seen the concept of IP groups, but I have not yet used them.
My purpose is to do this:
If traffic comes from any PC in the LAN and the destination is 10.209.21.114 or 10.209.24.11 or 10.100.9.1, the traffic should go to the VPN tunnel.

My WAN is 192.168.0.2/24
My RV260 is 192.168.1.1
Routing table is empty
VPN status says connected,
local group is 0.0.0.0/0
and
remote group is 10.201.104.30/8
Remote gateway is 62.97.2.6


How to forward traffic correctly, and how to monitor traffic packets?
Thanks.


Accepted Solution

nagrajk1969
Spotlight

Hi

Please note that all of these RV160/260/RV34X routers support ONLY policy-based IPsec tunnels, and NOT route-based IPsec tunnels (such as using VTI)...

- So on RV routers, after you have configured the VPN tunnels you cannot, you need not, you are NOT REQUIRED to add any "routes" to route traffic via the IPsec tunnel.

In your case, there is a different issue which is mostly due to the S2S tunnel configs applied on the remote gateway (because you said it could be Fortinet/Cisco ISR/ASA routers).

So kindly refer to the points below and try out the attached sample configs. Then we can analyze further.


1. Your VPN deployment details:
------------------------
my WAN is 192.168.0.2/24
my RV260 is 192.168.1.1
Routing table is empty
VPN status says connected,
local group is 0.0.0.0/0
and
remote group is 10.201.104.30/8
Remote gateway is 62.97.2.6
--------------------------------


2. You also mentioned that the remote gateway could be a Fortinet or a Cisco router (non-RV series) such as a Cisco ISR, for example.

a) Well, FYI, there are issues on Fortinet (and/or Cisco ISR/ASA routers) when it comes to IKEv2-based S2S tunnels with multiple subnets.
b) Additionally, there are issues with configuring IPsec tunnels using multiple subnets on Fortinet (either with IKEv1 or IKEv2).


3. Based on your inputs above and the existing configuration applied for the S2S VPN tunnel, we can assume that your logical VPN tunnel deployment is as below:


(local-subnets)----vlanX[RV260]wan(192.168.0.2)----(0.1)[ISP-Router]nat-----{internet}----(62.97.2.6)wan[Remote-GW-Peer]lan----(remote-subnets)


a) Local subnets: 192.168.1.0/24, ...and <other subnets? ...how are they connected to the RV260 LAN side?>

- You are defining your local subnets as 0.0.0.0/0 for the local traffic selector in the VPN tunnel config.
- If you have ONLY the 192.168.1.0/24 network in the local network... why are you using 0.0.0.0/0?

NOTE: In the S2S tunnel config on the RV260, the 0.0.0.0/0 value can be selected as ANY in the "Local IP Type".


b) Remote subnets: there are multiple subnets in the 10.x.x.x network... so you are defining your remote subnet as 10.0.0.0/8 for the remote traffic selector.

Note:

- You should use on the RV260 the subnet value 10.0.0.0/8 (instead of 10.201.104.30/8, etc.); it covers all the remote subnets in one summarized network, especially keeping in mind point 2 above.

- The same should be used on the remote GW too, subnet 10.0.0.0/8.


c) Since your WAN IP on the RV260 is 192.168.0.2, which is in the private IP address range (as per RFC 1918), it would mean that you are sitting behind a NAT router (which is your ISP router).

- This 192.168.0.2 is NATed to a public Internet IP address.
- So this would mean that your S2S VPN tunnel would be using NAT-T (NAT Traversal), which would be automatically negotiated between the peers during the IKE protocol negotiation.


4. So looking at the above info and especially referring to point 3c (the NAT-T), I would suggest that:

a) The VPN tunnel config on the RV260 should be as in the attached doc.
b) On the remote GW side the S2S VPN tunnel should have a corresponding "MIRRORED" config applied.
c) As mentioned in point 2a above, you can first try using an IKEv1-based tunnel config, and then once it works, you can try next with IKEv2 and narrow down the routing issues in the IPsec tunnel.

5. Additionally, once your tunnel is in place and you start sending traffic from 192.168.1.x to 10.x.x.x, can you do a packet capture by tapping in between the RV260 WAN and the ISP router?...

(192.168.1.x)----(1.1)vlanX[RV260]wan(192.168.0.2)----{do a packet-cap-here}------(0.1)[ISP-Router]nat--{internet}
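The points above (policy-based selectors with no routes, the 10.0.0.0/8 summary instead of 10.201.104.30/8, the mirrored config on the remote gateway, NAT-T behind an RFC 1918 WAN address, and what the capture between the RV260 WAN and the ISP router should show) can be checked with a small model. The following is an added example written for this page; it is not code from the thread, from Cisco, or from the RV260 firmware. Function names are this example's own, the addresses come from the thread, and the capture records are constructed.

```python
"""Model of a policy-based IPsec tunnel's traffic selectors (added example,
not RV260 code): normalize the local/remote groups, decide which LAN flows
enter the tunnel, flag the NAT-T case, and audit a WAN-side capture."""
import ipaddress
from typing import NamedTuple


class Selector(NamedTuple):
    local: ipaddress.IPv4Network   # "local group" in the RV260 S2S config
    remote: ipaddress.IPv4Network  # "remote group"


def normalize(prefix: str) -> ipaddress.IPv4Network:
    # strict=False clears host bits, so "10.201.104.30/8" becomes 10.0.0.0/8,
    # the summarized network the answer recommends entering explicitly.
    return ipaddress.ip_network(prefix, strict=False)


def selector_from_config(local_group: str, remote_group: str) -> Selector:
    return Selector(normalize(local_group), normalize(remote_group))


def flow_is_protected(sel: Selector, src: str, dst: str) -> bool:
    # Policy-based IPsec: a packet enters the tunnel only if it matches the
    # selector pair. No static route is involved, which is why an empty
    # routing table on the RV260 is expected.
    return (ipaddress.ip_address(src) in sel.local
            and ipaddress.ip_address(dst) in sel.remote)


def mirrored(sel: Selector) -> Selector:
    # The remote gateway must carry the same pair with the roles swapped.
    return Selector(sel.remote, sel.local)


def local_selector_is_overbroad(sel: Selector, lan: str) -> bool:
    # True when the local group (e.g. 0.0.0.0/0) is wider than the real LAN.
    lan_net = normalize(lan)
    return sel.local != lan_net and lan_net.subnet_of(sel.local)


def behind_nat(wan_ip: str) -> bool:
    # An RFC 1918 WAN address means an upstream NAT, so IKE negotiates NAT-T.
    return ipaddress.ip_address(wan_ip).is_private


def classify_packet(proto: int, dport: int) -> str:
    # What a capture at the RV260 WAN / ISP-router tap should show.
    if proto == 17 and dport == 500:
        return "IKE"
    if proto == 17 and dport == 4500:
        return "NAT-T (IKE/ESP in UDP)"
    if proto == 50:
        return "ESP (no NAT-T)"
    return "cleartext"


def audit_capture(packets, sel: Selector, nat_t: bool) -> list:
    """Return findings for capture records (dicts with proto/src/dst/dport).
    After NAT the source is the WAN address, so only the destination tells
    us whether a cleartext packet should have been inside the tunnel."""
    findings = []
    for p in packets:
        kind = classify_packet(p["proto"], p["dport"])
        if kind == "cleartext" and ipaddress.ip_address(p["dst"]) in sel.remote:
            findings.append(f"cleartext packet to {p['dst']} at the WAN tap: "
                            "flow did not enter the tunnel")
        elif kind == "ESP (no NAT-T)" and nat_t:
            findings.append("raw ESP seen although NAT-T is expected")
    return findings


# Constructed sample data based on the values given in the thread.
SEL = selector_from_config("0.0.0.0/0", "10.201.104.30/8")
SAMPLE_PACKETS = [
    {"proto": 17, "src": "192.168.0.2", "dst": "62.97.2.6", "dport": 500},
    {"proto": 17, "src": "192.168.0.2", "dst": "62.97.2.6", "dport": 4500},
    {"proto": 6, "src": "192.168.0.2", "dst": "10.209.21.114", "dport": 443},
    {"proto": 50, "src": "192.168.0.2", "dst": "62.97.2.6", "dport": 0},
]

if __name__ == "__main__":
    print("selector:", SEL, "mirrored on remote GW:", mirrored(SEL))
    print("local group overbroad for 192.168.1.0/24:",
          local_selector_is_overbroad(SEL, "192.168.1.0/24"))
    for dst in ("10.209.21.114", "10.209.24.11", "10.100.9.1", "8.8.8.8"):
        state = "tunnel" if flow_is_protected(SEL, "192.168.1.50", dst) else "clear"
        print(f"192.168.1.50 -> {dst}: {state}")
    nat_t = behind_nat("192.168.0.2")
    print("NAT-T expected:", nat_t)
    for f in audit_capture(SAMPLE_PACKETS, SEL, nat_t):
        print("finding:", f)
```

Running it shows the three destinations from the question all falling inside the 10.0.0.0/8 selector, the 0.0.0.0/0 local group flagged as wider than the single LAN, NAT-T expected because 192.168.0.2 is private, and two findings from the constructed capture: a cleartext packet to 10.209.21.114 that never entered the tunnel, and raw ESP where UDP/4500 would be expected.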

 

 

 


5 Replies

nagrajk1969
Spotlight

Is the remote gateway also an RV260?

r.prandini
Level 1

No, it is in the hands of our customer. It can be a FortiGate or a Cisco. The tunnel is working using Zyxel (connection and forwarding).


r.prandini
Level 1

The channel is established OK.
Talking with the counterpart, he needs that we present ourselves as a particular IP, 10.202.105.31.
Reviewing the Zyxel part, we have a routing rule that does SNAT and sends packets over VTI.

I think we need to review the VPN with the counterpart or change product.

A Cisco product with this function: which could it be?


nagrajk1969
Spotlight

Hi

>>> Reviewing the Zyxel part, we have a routing rule that does SNAT and sends packets over VTI.
>>> I think we need to review the VPN with the counterpart or change product.
Exactly, and that's what I doubted and the precise reason why I mentioned in my previous post at the outset that the RV-series router does not support "routing over IPsec (VTI) tunnels".

>>> A Cisco product with this function: which could it be?

You could go in for products such as Cisco ASA/Cisco ISR/etc. - just check whether they have support for VTI tunnels and/or routing over IPsec tunnels.....

Note: These routers will also have support for "policy-based IPsec tunnels" too... so....

best wishes