08-13-2015 07:20 PM
I am trying to create a Gateway-to-Gateway VPN tunnel and failing at all turns. I could really use some help. I posted to this forum a couple of weeks ago looking for directions for configuring an RV180 to an RV180. I discovered the RV180 was discontinued but the RV320 was available and the forum said that this was a good substitute for the RV180 and should work fine connecting to the RV180.
The RV320 VPN configuration is very different from the RV180. The RV320 has IKE Phase 2 but I do not see that on the RV180, only Phase 1. The 'Remote Identifier' on the RV180 allows for FQDN only, but on the RV320 I can't select just FQDN. The closest to my scenario would be 'Dynamic IP + FQDN'.
I am trying to connect an RV320 (remote) to an RV180 (local). The RV180 has a static WAN IP address. The RV320 has a dynamic address. Here is what I have:
RV180 (local, static IP 66.xxx.xxx.xxx)
Policy name: PLGB
Direction / Type: Responder
Exchange mode: Main
IKE Policy
Local
Identifier type: Local WAN (Internet IP)
Identifier: 66.xxx.xxx.xxx
Remote
Identifier type: FQDN
Identifier: remote.com
IKE SA Parameters
Encryption algorithm: AES-128
Authentication algorithm: SHA-1
Authentication method: Preshared key
Preshared key: 0123456789
Diffie-Hellman (DH) Group: Group 2 (1024)
SA lifetime: 3600 sec
Dead peer detection: enabled
Reconnect after failure count: 3
Extended Authentication
XAUTH type: none
VPN Policy
Policy name: PLGB
Policy type: auto policy
Remote endpoint: FQDN
Domain name: remote.com
NetBIOS: enabled
Local traffic selection
Local IP: subnet
Start: 192.168.0.0
Subnet: 255.255.255.0
Remote traffic selection
Local IP: subnet
Start: 192.168.1.0
subnet: 255.255.255.0
Auto Policy Parameters
SA-Lifetime: 3600 sec
Encryption algorithm: AES-128
Integrity algorithm: SHA-1
PFS key group: enabled
DH-Group 2 (1024)
Selected IKE policy: PLGB
RV320 (remote, dynamic IP)
Gateway-to-Gateway
Tunnel name: PLGB
Interface: WAN1
Key mode: IKE with preshared key (enabled)
Local Group Setup
Local security gateway type: Dynamic IP + FQDN Auth (no FQDN only)
Domain name: remote.com
Local security group type: IP
IP address: 192.168.1.0
Subnet: 255.255.255.0
Remote Group Setup
Remote security gateway type: IP only
IP address: 66.xxx.xxx.xxx
Remote security group type: subnet
IP address: 192.168.0.0
Subnet: 255.255.255.0
IPSEC Setup
Phase 1 DH group: Group 2 (1024)
Phase 1 encryption: AES-128
Phase 1 authentication: SHA-1
Phase 1 SA lifetime: 3600
Phase 2 DH group: Group 2 (1024)
Phase 2 encryption: AES-128
Phase 2 authentication: SHA-1 (this Phase 2 does not appear to exist on the RV180)
Phase 2 SA lifetime: 3600
Preshared key: 0123456789
When I try to connect it fails. The VPN status indicates waiting for connection.
Help
Thanks in advance for any help
08-14-2015 04:42 AM
Update:
There does not appear to be a provision for a dynamic IP for the remote on the RV180. I used FQDN and put in xxxx.dyndns.org
On the RV320 there is no FQDN selection only, it is Dynamic IP + FQDN. I'm getting lost :-)
08-14-2015 06:11 AM
Your authentication and encryption look OK. They need to match on each side, but so does everything else for a VPN to come up. Known issue with RV180s as well: they do not handle SHA1 well, use MD5 instead.
The router needs to be set with the gateway option for VPN on the RV180 and gateway-to-gateway on the RV320.
Can you do it by IP address instead of FQDN? It's easier to establish the connection between the 2 routers. On the RV320 there should be an option for IP only under local and remote group setup.
I assume the connectivity from router A to B is working fine without any issues, as this needs to be up and stable for the VPN to form correctly.
Given that you only just bought this and it's Small Business, you should have direct support while it's under warranty or service contract with Cisco as well:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
08-14-2015 06:23 AM
Mark, thank you for your reply. Just to confirm with you, the remote router is the RV320. There is a selection for IP only but I do not have a static IP at the remote side. However, I do have a dyndns address that I have not been able to get working.
In the local side (RV180) there is only an option for 'IP Address' or FQDN when configuring the remote parameters. Since the remote does not have a static IP, I selected FQDN and put in xxx.dyndns.org for the domain.
On the remote side (RV320), there are several options besides IP Address when configuring the local parameters. The selection that seemed most obvious to me was Dynamic IP + FQDN, so I selected that and once again used xxx.dyndns.org.
In my test environment the RV320 is connected to a cable modem that is in router mode, so the Cisco sees a non-routable WAN address, 192.168.2.214, which it is pulling from the cable modem.
I am going to reconfigure the cable modem to bridge mode and try again.
Thanks
08-14-2015 06:38 AM
The public IP must be on the Cisco routers for the VPN to terminate correctly, so if you have something in front of them, as you said, bridge it.
All my 800 series routers that have an ISP modem in front of them would be set up that way.
I have never set up a VPN using this FQDN, so I can't really give any advice on it; I have always used IP to IP. You should really have a static IP for a VPN, but in saying that, these days ISPs don't usually change the dynamic address, so I would still try to use IP if possible.
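As an added illustration (not code from the thread or from Cisco), the check below models the two configurations exactly as posted and reports the things that have to agree or mirror between the peers before a gateway-to-gateway tunnel can come up: the Phase 1 / Phase 2 proposals, the preshared key, the IKE identifiers (one side's local ID must be the other side's remote ID), the traffic selectors, and whether a peer's WAN address is private, which is the modem-in-router-mode situation the poster describes. The "remote.com" and 66.xxx.xxx.xxx values are the poster's placeholders, and the private-WAN finding is flagged as an assumption about NAT.

```python
# Added example, not from the thread: cross-check an RV180-style responder and
# an RV320-style initiator config for the mismatches that keep the tunnel in
# "waiting for connection". Values are constructed from the posted configs.
import ipaddress

RV180 = {
    "ike": {"enc": "AES-128", "auth": "SHA-1", "dh": 2, "lifetime": 3600},
    "ipsec": {"enc": "AES-128", "auth": "SHA-1", "pfs_dh": 2, "lifetime": 3600},
    "psk": "0123456789",                       # poster's placeholder key
    "local_id": ("IP", "66.xxx.xxx.xxx"),      # poster's placeholder address
    "remote_id": ("FQDN", "remote.com"),
    "local_net": "192.168.0.0/24", "remote_net": "192.168.1.0/24",
}
RV320 = {
    "ike": {"enc": "AES-128", "auth": "SHA-1", "dh": 2, "lifetime": 3600},
    "ipsec": {"enc": "AES-128", "auth": "SHA-1", "pfs_dh": 2, "lifetime": 3600},
    "psk": "0123456789",
    "local_id": ("FQDN", "remote.com"),
    "remote_id": ("IP", "66.xxx.xxx.xxx"),
    "local_net": "192.168.1.0/24", "remote_net": "192.168.0.0/24",
    "wan_ip": "192.168.2.214",                 # as posted: modem in router mode
}

def check_pair(a, b):
    """Return human-readable mismatch findings; an empty list means consistent."""
    findings = []
    # Phase 1 and Phase 2 proposals must be identical on both peers.
    for phase in ("ike", "ipsec"):
        for key, val in a[phase].items():
            if val != b[phase].get(key):
                findings.append(f"{phase} {key}: {val} vs {b[phase].get(key)}")
    if a["psk"] != b["psk"]:
        findings.append("preshared key differs")
    # IKE identities mirror: my local ID is the peer's remote ID, and vice versa.
    if a["local_id"] != b["remote_id"] or a["remote_id"] != b["local_id"]:
        findings.append("IKE identifiers do not mirror between peers")
    # Traffic selectors mirror too, otherwise Phase 2 never agrees on a proposal.
    net = ipaddress.ip_network
    if net(a["local_net"]) != net(b["remote_net"]) or net(a["remote_net"]) != net(b["local_net"]):
        findings.append("traffic selectors do not mirror between peers")
    # Assumption: a private WAN address means the peer sits behind NAT, so the
    # public IP is not on the VPN router (bridge the modem, as advised above).
    for name, cfg in (("A", a), ("B", b)):
        wan = cfg.get("wan_ip")
        if wan and ipaddress.ip_address(wan).is_private:
            findings.append(f"peer {name} WAN {wan} is private: behind NAT")
    return findings

if __name__ == "__main__":
    for finding in check_pair(RV180, RV320):
        print("MISMATCH:", finding)
```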