
RV320 Issue Routing Between VPNs

Taylor Vick
Level 1

Hello All,

I have three RV320 routers connected via gateway to gateway VPNs as follows:

 

Router A > Router B < Router C

 

Such that routers A and C connect to router B. All works fine as far as the VPN connections go except that clients from router A cannot get to router C and vice versa. Clients on router B can talk to both remote boxes without issue.

I've tried adding manual routing table entries in A and C but cannot seem to get them to work. I also enabled RIPv2 and was hoping the boxes would all broadcast their routes to one another but that doesn't work either. 

 

Anybody have any of the same issues or any suggestions?

29 Replies

yohanesbw
Level 1

Hi,

 

What type of VPN are you referring to,

and would you be able to share the config to analyze it?

I'm not sure what you mean by what type of VPN other than it is a router to router VPN.

Each is configured using the following encryption settings:

 

Phase 1 -

Group 2 - 1024 bit

DES Encryption

SHA1 Authentication

SA Lifetime 28800

 

Phase 2 -

Group 2 - 1024 bit

DES Encryption

SHA1 Authentication

SA Lifetime 3600

Perfect Forward Secrecy is selected

 

All routers have static IP addresses. 

Local group setup as follows:

Router A: 10.85.0.0/16

Router B: 10.33.0.0/16

Router C: 10.11.0.0/16

The only advanced setting selected is "Keep Alive"

 

So right now clients on 10.33.0.0/16 can ping 10.85.0.0/16 and 10.11.0.0/16. Clients on subnet 10.85.0.0/16 can ping 10.33.0.0/16 but not 10.11.0.0/16 and vice versa.

The VPN connections between routers all connect just fine. It's more a matter of getting the routing tables to update so the traffic can pass across them.

Thanks

If I understand correctly, you are trying to set up a hub-and-spoke network, i.e. B as "hub" and A/C as "spoke", spokes can access each other (directly or through hub). Currently RV320 does not support this kind of setup.

 

Hello Taylor Vick,

Sorry you are experiencing this issue, but as Li Zhang said, it is currently not supported for a hub-and-spoke network. However, you can configure a Mesh network where you have a Gateway to Gateway tunnel configured to each router. If A and C are the spokes, then you will need to configure a Gateway to Gateway tunnel between those two routers.

Hope this helps,

 

Michael D.

If this post is helpful please rate or mark as correct.

There is no way to configure the routing tables manually to get this to work? RIP cannot be used to distribute the routing tables? I don't understand why this wouldn't work.

RIP uses multicast or broadcast, which is not supported by native IPsec VPN. To carry multicast traffic over IPsec VPN tunnel requires something like GRE over IPsec, unfortunately RV320 does not support it.

 

Why can't I add manual routing entries to make this work? I can't seem to get that to work no matter what I try.

RV320 tunnels traffic based on the interesting traffic (local/remote network) of the VPN policy, instead of the static routes.

P.S. What static routes did you add?

 

I added this route:

Destination: 10.11.0.0

Mask: 255.255.0.0

Gateway: [public IP of router]

Hop Count: 5

Interface: WAN1 (eth1)

It's added to Router A, right? With it Router A will route the traffic destined to 10.11.0.0/16 out of WAN1 instead of encapsulating it in the tunnel.
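
The selector behaviour described in the replies above, as an added example that is not part of the original thread and not Cisco code: a small Python model of policy-based IPsec in which a gateway tunnels only traffic that matches a (local network, remote network) pair. The subnets are the ones given in the thread; the function names and host addresses are constructed for illustration, and the mesh case adds the A-to-C tunnel suggested earlier in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed model of policy-based IPsec: each gateway holds
# (local network, remote network, peer) selectors. Names are illustrative.
LAN = {"A": "10.85.0.0/16", "B": "10.33.0.0/16", "C": "10.11.0.0/16"}

def g2g(a, b):
    """Selectors for one gateway-to-gateway tunnel, as seen from each end."""
    return {a: [(LAN[a], LAN[b], b)], b: [(LAN[b], LAN[a], a)]}

def build(tunnels):
    """Collect the selectors every router ends up with for a tunnel list."""
    policies = {r: [] for r in LAN}
    for a, b in tunnels:
        for router, sel in g2g(a, b).items():
            policies[router].extend(sel)
    return policies

def select_tunnel(policies, router, src, dst):
    """Return the peer whose policy matches (src, dst), or None.

    Only the selectors are consulted, never a static route, so a packet
    with no matching policy is not encapsulated in any tunnel.
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote, peer in policies[router]:
        if s in ip_network(local) and d in ip_network(remote):
            return peer
    return None

def reachable(policies, src_router, src, dst_router, dst):
    """True if the source gateway tunnels straight to dst_router and the
    far end has a matching policy for the reply direction."""
    out = select_tunnel(policies, src_router, src, dst)
    back = select_tunnel(policies, dst_router, dst, src)
    return out == dst_router and back == src_router

star = build([("A", "B"), ("C", "B")])              # topology in the question
mesh = build([("A", "B"), ("C", "B"), ("A", "C")])  # adds the A<->C tunnel

if __name__ == "__main__":
    for name, pol in (("star", star), ("mesh", mesh)):
        print(name,
              "A->B", reachable(pol, "A", "10.85.0.10", "B", "10.33.0.10"),
              "A->C", reachable(pol, "A", "10.85.0.10", "C", "10.11.0.10"))
```

In the star layout Router A has no selector covering 10.11.0.0/16, so that traffic is never placed in a tunnel regardless of what the routing table says.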

 

In case you are still following this thread.
I am wondering if this is still the case.
I have a similar setup I am trying to do....

We purchased a RV320, so our workers can VPN into the RV320
I have the RV320 connected to two PIX 515e's

I want my remote users to be able to access resources behind the two 515e's.
Right now, I have things set up where servers that are on the LAN attached to the RV320 can access resources behind the 515e's.....
Now I need for my remote users to be able to do the same thing.

Li Zhang
Cisco Employee

Is that Gateway-to-Gateway VPN tunnel between your RV320 and PIX 515E, and Client-to-Gateway VPN tunnel between the remote user and RV320? If so, the remote user can access the resources behind PIX515E, as long as the G2G tunnel between RV320 and PIX515E has the Local Network set to the address pool of the C2G VPN.

Yes you are correct.
The RV320 and two PIX 515Es are Gateway to Gateway
The clients are doing individual tunnels.

But you are saying the network has to be all the same LAN?
Hmm....

I have 3 networks behind one PIX
10.75.x.x/16, 10.76.x.x/16 and 10.77.x.x/16
Behind the other PIX

10.10.0.0/24

On the RV320 the LAN hanging off of it is
10.78.x.x/16

Li Zhang
Cisco Employee

To access PIX subnet 10.75.x.x/16 from RV320 subnet 10.78.x.x/16, you must have a G2G tunnel configured on RV320 as:

Local Network: 10.78.x.x/16

Remote Network: 10.75.x.x/16

Is it correct?

Then suppose the remote clients get virtual address 192.168.200.x/24 (depending on how you configured the VPN server address pool on RV320), to enable access between 192.168.200.x/24 and 10.75.x.x/16, you will need to create a new G2G tunnel with:

Local Network: 192.168.200.x/24

Remote Network: 10.75.x.x/16
