cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
620
Views
0
Helpful
6
Replies
sraich
Beginner

site-to-site VPN on RV160 identical to ASA 5506-X configuration

Hello,

 

I have an ASA 5506-X on which I have configured 3 different VPN tunnels to distincts peers (also 5506-X or similar). All tunnels are coming up alright, configurations are fine.

I'm trying to replace my ASA with a RV160 and configure the same VPN tunnels (I eventually want to put that RV160 in a different location, so I first want to ensure the configuration is OK and tunnels are coming up OK).

 

Configurations can not be simply copied: The ASA has CLI / IOS, the RV does not, so I've had to navigate the RV's web interface and try to identify as much as possible the correct way to configure it.

 

problem: tunnels not coming up.

 

the RV is quite frustrating, as it's hard to get any kind of meaningful log, so I can hardly learn what is going on. The IPSec profile part seems to be OK (pretty straightforward to configure), so I'm rather thinking the issue is with the topology & the corresponding routing & NAT-ing.

 

The RV is behind a router (router1), itself connected to a modem, so NAT-T is necessary (and configured as such on the ASA). The other end is NOT behind a router.

I've properly configured port forwarding on router1 for UDP ports 500 and 4500 (pointing to the RV, not the ASA, during the test setup).

 

here are the interesting parts of the ASA config. I would appreciate if anyone could have a look at the config and point me to the right direction so I can try things out. Happy to experiment. I'll focus on just one tunnel.

 

the main questions would be:

- is it necessary to configure the ACL on the RV ? the rule on the RV at this moment seems to be allow any.

- where and how to properly configure the 2 lines related to NAT ?

- how to test / log / debug VPN connection from the RV ?

 

 

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.68.100 255.255.255.0

interface BVI1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0

object network siteA_NW
 subnet 10.10.10.0 255.255.255.0
object network siteB_NW
 subnet 192.168.10.0 255.255.255.0

access-list cryptomap_1 extended permit ip object siteA_NW object siteB_NW

nat (inside_1,outside) source static any any destination static siteB_NW siteB_NW no-proxy-arp route-lookup
nat (inside_1,outside) source dynamic any interface

route outside 0.0.0.0 0.0.0.0 192.168.68.1 1

crypto map outside_map 2 match address cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer xxx.xxx.xxx.xxx
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA AES128-SHA AES192-SHA AES256-SHA

crypto map outside_map interface outside

group-policy GroupPolicy_1 internal
group-policy GroupPolicy_1 attributes
 vpn-tunnel-protocol ikev1

dynamic-access-policy-record DfltAccessPolicy

tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
 default-group-policy GroupPolicy_1
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****

 

xxx.xxx.xxx.xxx is my VPN peer - it's pingable by both the ASA (obviously) and the RV too.

10.10.10.0/24 is my local network

192.168.68.0/24 is the network between the ASA/RV and router1

192.168.10.0/24 is the remote network

 

Thanks for any kind of input.

 

Sebastien

6 REPLIES 6
Georg Pauwen
VIP Expert

Hello,

 

there is not a whole lot of documentation out there with regard to setting this up, you might want to have a look at the link below...

 

https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/smb4936-configuring-a-site-to-site-vpn-tunnel-between-rv-series-rout.html

Hey, thanks for the link, although it's not too helpful, it just describes the usual steps to setting up a site-to-site VPN. I've done all this already, but it's not working.

 

Again, the topology described is not exactly what I'm dealing with, and, as explained, I think this is why there's an issue (NAT-T, routing, etc)

Hello,

 

the NAT statement on the ASA does not look right. Where is the interface named 'inside_1' ? I only see 'inside'.

 

Either way, change the NAT statement to:

 

nat (inside,outside) source static siteA_NW siteA_NW destination static siteB_NW siteB_NW

inside_1 corresponds to port 1 only, I removed those parts of the config because it's not relevant to this specific issue.

again, the ASA configuration is OK, my issue is not with the ASA, but with the RV.

I'd like to get the RV to behave like the ASA - at least to bring the tunnels up like the ASA does.

Hello,

 

there must be a mismatch in one of the parameters exchanged between the ASA and the RV160. Try something like the below on the ASA and match that on the RV160:

 

crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac

 

Also, on the ASA, what is the output of:

 

show crypto isakmp sa

 

--> inside_1 corresponds to port 1 only, I removed those parts of the config because it's not relevant to this specific issue.

 

Not really sure what you mean by that: do you have a NAT statement for the inside interface and the two obects ?

I've tried all possible parameters, including the one suggested, to no avail.

I have a "good" config (one that works) on the remote 5506X, with 3DES / MD5, group 2, no pfs.

I applied exactly the same config on the "new" remote RV160, but no success.

 

I have access to the logs on the initiator (5506X) and the RV:

5506X stops at MM_WAIT_MSG6, so at least it shows both boxes are talking to each other, and that message could indicate a PSK mismatch. I checked, and changed the PSK several times, no success

the RV160 logs tell me "found 1 matching config but none allows pre-shared key authentication using main mode"

 

This is driving me crazy. any idea ?

RV160 is supposed to be able to connect to a 5506X, right ?