cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1247
Views
0
Helpful
8
Replies

VPN access to other sites over site to site VPN.

ozgrunt
Level 1
Level 1

I have two sites running RV340 and RV345 routers.
I have VPN access running on both sites and site to site VPN between sites.
All works great however... I want to be able to VPN into site A then from the remote computer access site B.
When connected to the site A VPN I can ping all computers at site A but nothing at site B.
If I Remote Desktop into a Site A computer I have full access to Site B.
The same applies in reverse if I VPN into site B.


Is there a way to setup a route so the remote computer has access to site B via site A?

I have tried setting a route on the remote computer that points site B's IP range to the VPN IP. No go.


Thanks

2 Accepted Solutions

Accepted Solutions

nagrajk1969
Spotlight
Spotlight

Hi

 

>>>I using LT2P over IPSec for Windows and Cisco IPSec for OSX clients.
>>>There are different IPSec profiles for Windows and OSX but they both use ip-pools in the 172.10.10.2 - 199 /24 range.

 

1. Ok Lets say that both the clients (l2tp-ipsec-windows and Cisco-Ipsec-OSx) are assigned ipaddresses from the summarized subnet 172.10.10.0/24 (or if you want to take it further you could also consider the subnet as 172.10.0.0/16)

 

>>For the site to site configs let's say:
>>>Site A uses: Site B ext IP: 104.98.41.70 Site B LAN 10.0.30.0/24
>>>Site B uses: Site A ext IP: 104.16.206.69 Site A LAN: 10.0.20.0/24

>>>What would I do in this case..?

2. Ok. So the below is what you need to configure on the routers in Site-A and Site-B

------------
On Site-A RV34X
----------------

Since both the Windows-L2TP/Ipsec and OSx-Cisco/IPsec clients are connecting to Site-A router

Step-1:

In GUI, under system management, go to IP-Groups and create 1 ipgroup as below (you may change the names when you configure), and add the subnets mentioned


a) Name: localgroup1

IP-Subnet1: 10.0.20.0/24
Ip-Subnet2: 172.10.10.0/24


- Apply and do a permanent save too


Step-2:

a) Under VPN/Site-to-Site, edit the existing tunnel config and configure as below:

Local-IP-Type: IPGroup
- select "localgrup1"

Remote-IP-Type: Subnet
- apply the subnet:
10.0.30.0
255.255.255.0


b) Apply and do a permanent save too

 

------------
On Site-B RV34X
----------------

- Since both the Windows-L2TP/Ipsec and OSx-Cisco/IPsec clients are connecting to Site-A router

Step-1:

In GUI, under system management, go to IP-Groups and create 1 ipgroup as below (you may change the names when you configure), and add the subnets mentioned


a) Name: remotegroup1

IP-Subnet1: 10.0.20.0/24
Ip-Subnet2: 172.10.10.0/24


- Apply and do a permanent save too


Step-2:

a) Under VPN/Site-to-Site, edit the existing tunnel config and configure as below:


Local-IP-Type: Subnet
- apply the subnet:
10.0.30.0
255.255.255.0

Remote-IP-Type: IPGroup
- select "remotegrup1"


b) Apply and do a permanent save too

 

Check out the attached screenshots for the config samples

 

 

View solution in original post

nagrajk1969
Spotlight
Spotlight

>>>It seems to have trouble actually talking to them (https) though.
>>>When I try to get to the remote server's web interface it connects but stalls and nothing loads.

Yes i forgot to mention issue. sorry. Presently it is a bug and i think Cisco is maybe already working on a fix that "may" be available in later firmware releases.

 

1. If you observe it, this stall of TCP/UDP connections is happening only with L2TP-wIPsec clients (only Ping works for now)

2. BUT there is NO such issue with pure IPsec clients - such as the Cisco-IPsec clients. They will not be having any such stall issues

3. This is a bug on the RV34X and NOT in the L2TP-Ipsec clients

 

- you will have to live with this problem with L2TP-wIPsec tunnels till there is a fix.

- Alternatively you can try installing the free Shrewsoft-Clients on the Windows hosts and configure and establish pure IPsec Tunnels. Then you will not have the issues. Ofcourse please note Shrewsoft clients only connect to IKEv1 VPN servers (the Client-to-Site servers in RV34X).

 

best regards

 

View solution in original post

8 Replies 8

nagrajk1969
Spotlight
Spotlight

Hi

 

It is definitely possible without needing to add any static-routes becos static-routes cannot help in policy-based ipsec tunnels

 

In your case, to provide the correct solution, can you please post your answers for below query

 

1. What VPN tunnel type have you configured for Remote-Client to Site-A-Router? What is the ip-pool configured for assigning the virtual-ipaddresses to the remote-vpn-clients?

2. What is the subnets configured for the s2s ipsec tunnel between Site-A and Site-B?

 

thanks

 

ozgrunt
Level 1
Level 1

Hi, thanks for answering.
I am not about to give out real IP info over a public forum so the following are all made-up IP addresses.

I using LT2P over IPSec for Windows  and Cisco IPSec for OSX clients.
There are different IPSec profiles for Windows and OSX but they both use ip-pools in the 172.10.10.2 - 199 /24  range.

For the site to site configs let's say:
Site A uses:  Site B ext IP: 104.98.41.70    Site B LAN  10.0.30.0/24
Site B uses:  Site A ext IP:  104.16.206.69    Site A LAN:   10.0.20.0/24

What would I do in this case..?
Cheers
Grant


 

 

Grant

Thanks for the additional information. I suspect that the issue is that in the configuration of site to site you have specified the LAN subnets as interesting traffic to be carried over vpn but have not specified the address pools for vpn clients. If you add the subnet for the client address pool to the definition of interesting traffic it should provide the access you want.

HTH

Rick

ozgrunt
Level 1
Level 1

That makes sense but the RV300 series has no where in the GUI that I can see for that sort of information.
There is no command line interface on the RV300's
You can set the "Local Traffic Selection' to 'Any' ( 0.0.0.0/0 ) but I tried and it didn't seem to do anything.

nagrajk1969
Spotlight
Spotlight

Hi

 

>>>I using LT2P over IPSec for Windows and Cisco IPSec for OSX clients.
>>>There are different IPSec profiles for Windows and OSX but they both use ip-pools in the 172.10.10.2 - 199 /24 range.

 

1. Ok Lets say that both the clients (l2tp-ipsec-windows and Cisco-Ipsec-OSx) are assigned ipaddresses from the summarized subnet 172.10.10.0/24 (or if you want to take it further you could also consider the subnet as 172.10.0.0/16)

 

>>For the site to site configs let's say:
>>>Site A uses: Site B ext IP: 104.98.41.70 Site B LAN 10.0.30.0/24
>>>Site B uses: Site A ext IP: 104.16.206.69 Site A LAN: 10.0.20.0/24

>>>What would I do in this case..?

2. Ok. So the below is what you need to configure on the routers in Site-A and Site-B

------------
On Site-A RV34X
----------------

Since both the Windows-L2TP/Ipsec and OSx-Cisco/IPsec clients are connecting to Site-A router

Step-1:

In GUI, under system management, go to IP-Groups and create 1 ipgroup as below (you may change the names when you configure), and add the subnets mentioned


a) Name: localgroup1

IP-Subnet1: 10.0.20.0/24
Ip-Subnet2: 172.10.10.0/24


- Apply and do a permanent save too


Step-2:

a) Under VPN/Site-to-Site, edit the existing tunnel config and configure as below:

Local-IP-Type: IPGroup
- select "localgrup1"

Remote-IP-Type: Subnet
- apply the subnet:
10.0.30.0
255.255.255.0


b) Apply and do a permanent save too

 

------------
On Site-B RV34X
----------------

- Since both the Windows-L2TP/Ipsec and OSx-Cisco/IPsec clients are connecting to Site-A router

Step-1:

In GUI, under system management, go to IP-Groups and create 1 ipgroup as below (you may change the names when you configure), and add the subnets mentioned


a) Name: remotegroup1

IP-Subnet1: 10.0.20.0/24
Ip-Subnet2: 172.10.10.0/24


- Apply and do a permanent save too


Step-2:

a) Under VPN/Site-to-Site, edit the existing tunnel config and configure as below:


Local-IP-Type: Subnet
- apply the subnet:
10.0.30.0
255.255.255.0

Remote-IP-Type: IPGroup
- select "remotegrup1"


b) Apply and do a permanent save too

 

Check out the attached screenshots for the config samples

 

 

ozgrunt
Level 1
Level 1

Aaah.. I get it.  IP Group allows for mutliple subnets or IPs to be defined.
Thanks.
That appears to work. I can ping the remote (Site B) machines well VPN'd into Site A.
It seems to have trouble actually talking to them (https) though.
When I try to get to the remote server's web interface it connects but stalls and nothing loads.

I'll check everything later. Busy on another job this morning.
Thanks again.

nagrajk1969
Spotlight
Spotlight

>>>It seems to have trouble actually talking to them (https) though.
>>>When I try to get to the remote server's web interface it connects but stalls and nothing loads.

Yes i forgot to mention issue. sorry. Presently it is a bug and i think Cisco is maybe already working on a fix that "may" be available in later firmware releases.

 

1. If you observe it, this stall of TCP/UDP connections is happening only with L2TP-wIPsec clients (only Ping works for now)

2. BUT there is NO such issue with pure IPsec clients - such as the Cisco-IPsec clients. They will not be having any such stall issues

3. This is a bug on the RV34X and NOT in the L2TP-Ipsec clients

 

- you will have to live with this problem with L2TP-wIPsec tunnels till there is a fix.

- Alternatively you can try installing the free Shrewsoft-Clients on the Windows hosts and configure and establish pure IPsec Tunnels. Then you will not have the issues. Ofcourse please note Shrewsoft clients only connect to IKEv1 VPN servers (the Client-to-Site servers in RV34X).

 

best regards

 

Ah ha!  yes. Everything works perfectly on the Macs with OSX as they are connecting using Cisco-IPsec.
Luckily I work in VFX so most people are on Macs except for the 3D and UnReal peoples.
They tend to RDP or Parsec into the more powerful machines in the office anyway.

Thanks for all your help.

 

 

Review Cisco Networking for a $25 gift card