Trouble with Site to Site IPSec VPN Tunnel

ThomtheBomb!
Level 1

I am trying to set up a site-to-site IPsec VPN tunnel using two Cisco RV340 routers. I have followed the instructions in this link from Cisco: Configure a Site-to-Site Virtual Private Network (VPN) Connection on an RV340 or RV345 Router - Cisco, but their documentation doesn't include any details about how to create the firewall exceptions for this connection, and I cannot get the tunnel to work. I have IKEv1 profiles with the strongest encryption available set identically on both routers, and I am following all other steps in the documentation to the letter. I am using the public IP addresses for the remote and local identifiers (swapping them appropriately for the alternating config) and then using local subnets defined for each respective location. Example local subnets would be 192.168.1.1/24 on one side and 10.0.0.1/27 on the other side. I would like the 192 subnet to access one IP address in the 10. subnet, for example 10.0.0.2. I believe the issue in my config is the firewall rules. I opened IP ports 50/51 bi-directionally on both routers as well as port 500 on both routers. I have no forwarding enabled. I must be missing something, though, because the tunnel does not work at all. Any help or guidance would be greatly appreciated.

2 Replies

balaji.bandi
Hall of Fame

If both sides have the same model of router, first I would suggest checking the below:

1. Are the WAN IP addresses reachable from each other?

2. The IPsec VPN settings should be the same on both sides.

3. What do the logs show?

Check the status:

https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/smb5498-view-the-virtual-private-network-vpn-status-on-an-rv340-or-r.html

BB

nagrajk1969
Spotlight

Hi

1. First and foremost, a request for you:

Note: I know this very, very well indeed, because I have RV340/RV345/RV260 routers in my network with VPN tunnels working on them, so kindly believe me.

a) Kindly, please do not manually add any firewall ACL rules for the IPsec/ESP/IKE protocols. THESE ARE NOT REQUIRED AND MUST NOT BE ADDED MANUALLY BY THE USER.

- When you configure S2S tunnels (or C2S tunnels, or other tunnels such as L2TP-with-IPsec/PPTP/SSLVPN), all the relevant and required firewall ACL rules are automatically added by the system in the background.

b) So DO NOT ADD ANY NEW MANUAL ACL RULES... IF YOU HAVE ADDED ANY, DELETE THEM IMMEDIATELY.

2. Now, can you please explain, with a small schematic or drawing, how you have connected the two RV340s (on the WAN side) in your network deployment? My query is primarily to ascertain whether one or both of the RV340s are connected behind a NAT router.

- Meaning: is the WAN IP address configured on one or both RV340s NATed by the ISP router connected to the internet?

- This is to confirm whether the IKEv1/IPsec tunnel will be using NAT-T.

lansubnet1(192.168.1.0/24)----lan[RV340-GW1]wan----[isp-rtr]---internet--[isp-rtr]----wan[RV340-GW2]lan---(10.0.0.0/27)lansubnet2

3. Now, you mentioned the below info in your statement:

>>>> Example local subnets would be 192.168.1.1/24 on one side and 10.0.0.1/27 on the other side.

- If I assume that the above are the exact values you have used for the local-subnet and remote-subnet (and reversed on the other peer GW), then I will also assume that you have configured it as in the above sample setup, and:

a) for the vlan1 interface on GW1 you must have configured the LAN IP address 192.168.1.1/24

b) and for vlan1 on GW2 you must have configured the IP address 10.0.0.1/27

 - Then, if the above is true, and assuming for now that all other configs are correct, you should change the subnets mentioned in the VPN tunnel configurations:

On GW1:

local-subnet should be 192.168.1.0/24 (instead of the single IP address of GW1, 192.168.1.1/24)

remote-subnet should be 10.0.0.0/27 (instead of the single IP address of GW2, 10.0.0.1/27)

On GW2:

local-subnet should be 10.0.0.0/27 (instead of the single IP address of GW2, 10.0.0.1/27)

remote-subnet should be 192.168.1.0/24 (instead of the single IP address of GW1, 192.168.1.1/24)

4. The issue could also be happening due to NAT-T, if one or both of the RV340 WAN interface IP addresses are NATed by the ISP. If so, then using the IP addresses of the WAN interfaces as the Local-ID/Remote-ID is a problem for NAT-T tunnel establishment.

Best regards

Nagraj
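A small consistency check for the subnet point raised in the reply above, as an added example in Python that is not part of this thread or of Cisco's RV340 software: it models the two tunnel ends' local/remote subnets, flags host addresses such as 192.168.1.1/24 that should be network addresses, and checks that the selectors mirror each other between the peers. The TunnelEnd model and the sample values are constructed from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class TunnelEnd:
    """Traffic-selector half of one RV340 site-to-site tunnel (constructed model)."""
    name: str
    local_subnet: str
    remote_subnet: str


def normalize(prefix: str) -> str:
    """'192.168.1.1/24' -> '192.168.1.0/24': strict=False clears the host bits."""
    return str(ipaddress.ip_network(prefix, strict=False))


def check_pair(gw1: TunnelEnd, gw2: TunnelEnd) -> list:
    """Return findings for the two tunnel ends; an empty list means they agree."""
    findings = []
    # 1. Each selector must be a network address (192.168.1.0/24), not a host
    #    address (192.168.1.1/24); strict=True rejects prefixes with host bits set.
    for end in (gw1, gw2):
        for label, value in (("local", end.local_subnet), ("remote", end.remote_subnet)):
            try:
                ipaddress.ip_network(value, strict=True)
            except ValueError:
                findings.append(f"{end.name}: {label}-subnet {value} has host bits set; "
                                f"use {normalize(value)}")
    # 2. The selectors must mirror: GW1 local == GW2 remote and GW1 remote == GW2 local.
    l1, r1 = normalize(gw1.local_subnet), normalize(gw1.remote_subnet)
    l2, r2 = normalize(gw2.local_subnet), normalize(gw2.remote_subnet)
    if l1 != r2:
        findings.append(f"{gw1.name} local {l1} does not match {gw2.name} remote {r2}")
    if r1 != l2:
        findings.append(f"{gw1.name} remote {r1} does not match {gw2.name} local {l2}")
    # 3. The two LANs must not overlap, or traffic cannot be routed across the tunnel.
    if ipaddress.ip_network(l1).overlaps(ipaddress.ip_network(l2)):
        findings.append(f"local subnets {l1} and {l2} overlap")
    return findings


# Constructed samples: the values as written in the question, and the corrected ones.
AS_POSTED = (TunnelEnd("GW1", "192.168.1.1/24", "10.0.0.1/27"),
             TunnelEnd("GW2", "10.0.0.1/27", "192.168.1.1/24"))
CORRECTED = (TunnelEnd("GW1", "192.168.1.0/24", "10.0.0.0/27"),
             TunnelEnd("GW2", "10.0.0.0/27", "192.168.1.0/24"))

if __name__ == "__main__":
    print("\n".join(check_pair(*AS_POSTED)) or "no findings")
    print(check_pair(*CORRECTED) or "corrected config: no findings")
```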