08-01-2019 02:00 PM
Hello Cisco community,
I'm trying to set up a gateway to gateway VPN and I'm having some trouble. One RV082 is connected directly to a cable modem. The other end uses FiOS and is connected to their gateway. I've forwarded the following ports in the Verizon router (I know I have more than needed, so once it's working I will delete forwards that are not needed): UDP 1701, TCP/UDP 500, TCP/UDP 4500, TCP/UDP 1723, UDP 1194. Both sides have static IP addresses; however, the RV082 on the Verizon FiOS side has a private IP address (not sure if this is my problem). In the configuration, the remote group IP address on both sides has the WAN IP address of the other side. I can't figure out how to find the logs so I can see what is happening (or not happening). When I click on the system logs and select VPN logs, there are no entries.
I've set up a VPN before, but that was using Windows server as the VPN server. I've never set up a gateway to gateway VPN before. Any help is greatly appreciated.
I'm sure there is more information you need to help me. Let me know what else is needed and I'll post it.
08-01-2019 06:24 PM
The easy part of the question is about what ports are needed. You would need UDP 500 and probably 4500 for the VPN to work. I am not clear about your comment that you are forwarding those ports. In general for VPN those ports are not forwarded but must be allowed incoming to the VPN device.
The issue may very well be the private address used on one side. That suggests that the device may learn its IP using DHCP or some similar negotiation. The solution for this is typically for the other side to have a dynamic crypto map setting the peer address to 0.0.0.0. This allows the side with the dynamic address to initiate the VPN and for the other device to dynamically learn the address of its peer device. Not sure how to do this on your platform.
HTH
Rick
08-02-2019 04:50 AM
Rick,
Thank you for the info. I wasn't aware there was a difference between port forwarding and allowing ports to the incoming device. On some other devices, I've seen references to "VPN passthrough", but I never stopped to think about it. My device does not have that option.
The RV082 that is behind the Verizon router does indeed receive a class 3 DHCP address from the Verizon router.
I'm not familiar with a dynamic crypto map setting. Would that be a setting in the RV082? There is no other device other than the PC I'm using to configure the settings on the RV082.
I've attached a diagram. Perhaps this will help.
08-02-2019 05:42 AM
Thank you for the diagram. My comment about dynamic crypto map was based on configuration of other Cisco IOS routers. The RV082 is different: you configure parameters but do not actually configure the crypto map (the RV082 apparently creates the crypto map using the parameters you specify). Here is a link to some documentation from Cisco about doing VPN on RV082. It discusses some options for configuring when one of the router addresses is dynamic. I hope you find it helpful.
HTH
Rick
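For readers who want to see what Rick's "dynamic crypto map with peer 0.0.0.0" looks like on the static-address side, here is an added Cisco IOS example (not part of this thread and not an RV082 configuration; the RV082 builds its crypto map from GUI parameters as Rick notes). The WAN address 203.0.113.10, the LAN subnets, the interface and object names are all constructed placeholders; replace the pre-shared key before use.

```cisco
! --- IKEv1 phase 1 policy ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Wildcard peer: any address may negotiate with this PSK, so the
! dynamic-address side can initiate and we learn its address at runtime.
crypto isakmp key REPLACE_WITH_STRONG_PSK address 0.0.0.0 0.0.0.0
! NAT-T (UDP 4500) is on by default; send keepalives every 20 s so the
! Verizon router's NAT binding for the remote RV082 does not time out.
crypto isakmp nat-traversal 20
!
! --- IPsec phase 2 ---
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic between the two LANs (placeholder subnets).
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Dynamic crypto map: no "set peer", the peer is learned when it connects.
crypto dynamic-map DYNMAP 10
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN_TRAFFIC
!
! Static crypto map whose last entry hands unknown peers to the dynamic map.
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
!
! --- WAN interface: allow IKE/NAT-T/ESP in, nothing is "forwarded" ---
ip access-list extended WAN_IN
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 deny   ip any any log
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip access-group WAN_IN in
 crypto map VPNMAP
```

Because the key is bound to 0.0.0.0, anyone holding the PSK can bring up a tunnel from any address, so use a long random key (or certificates) and watch the IKE logs for unexpected peers. The WAN_IN list shows the distinction Rick draws: UDP 500/4500 and ESP are permitted to the router itself, while the L2TP, PPTP and OpenVPN ports from the original post are not needed for this IPsec tunnel.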