Rustin B
Beginner

RV340 setup using static IP with CenturyLink CBRAS

I have CenturyLink gigabit fiber at my business and have requested and received a static IP address for site-to-site VPN use.

I am using a Cisco RV340 router and it has been working perfectly with dynamic IP. I don't use any sort of CenturyLink-provided router. The RV340 is left in DHCP mode and is wired directly to the fiber ONT.

The odd thing about static IPs with CenturyLink (at least in my area) is that they use a system called CBRAS for IP assignment.

You don't just set the router to static and enter the static IP information; it will never work. You still have a public dynamic IP, but your static IP address is pushed to it. Somehow CBRAS interfaces with the CenturyLink fiber ONT to do this.

You basically leave your router on DHCP and then use "LAN subnetting" to make the static IP actually work with the router.

However, I don't know how to make all this work. CenturyLink tech support is not helpful. I have reached out to a local IT company but they are clueless as well.

Going from a CBRAS thread on these forums from a couple of years ago, I set up a specific VLAN with the static IP information provided by CenturyLink, but I still am unable to establish the VPN connection.

nagrajk1969
Enthusiast

If I understand correctly the behavior of BRAS/CBRAS, there is nothing to be configured on the RV340 except, as suggested, to enable the DHCP client on the WAN interface that is connected to the FTTH modem/ONT.

- The RV340 will be assigned the "static public IP address" via DHCP... and whether the DHCP server will be on the ONT/modem/FTTH box OR the ONT/modem will be bridged to forward the DHCP client request from the RV340 WAN to a DHCP server on the ISP network... it will be the ISP tech who will tell you.

So any config that will result in the RV340 WAN getting allotted the valid public internet static IP address will need to be done on the CenturyLink CPE equipment ONLY.

Since you are paying money for the static IP, I suggest that you demand that the ISP should better configure their side of the equipment... else change the ISP to one who works for you and provides the service you paid for.


nagrajk1969
Enthusiast

Hi

Thank you so much for the links... these were of tremendous help, especially the topic below:

>>>> "https://community.cisco.com/t5/small-business-routers/rv340-routing-wan-traffic-to-lan-public-ip/td-p/3884048"

1. The user in the topic/discussion above is using the same "static IPs" service with the CBRAS allotment method. But this user has one more router behind the RV340 to use the actual static IP address for the LAN hosts to browse the internet, etc.

2. Now in your case, the "static IP address" assigned to you will be, let's say for example, configured on the vlan1 interface, AND the WAN interface will of course get its own public IP address that is processed as required by the CBRAS gateway... and there are only LAN hosts connected to the LAN interface of your RV340, maybe not to vlan1 but on another internal VLAN, say vlan2...

3. So in your deployment situation, if the VPN tunnel has to be configured/established on the RV340, the local tunnel endpoint would be the "CBRAS DHCP-assigned public IP address"... which will get translated by the CBRAS server/router to the actual "static IP address" assigned to you.

4. So effectively, if for example, say:

- you have been assigned a static IP address of "1.2.3.4", which you will, say, configure on the vlan1 interface of the RV340

- and then with the DHCP client enabled on the wan1 interface of the RV340, the CBRAS DHCP server will assign an IP address, for example "5.6.7.8", which is like a pseudo-public IP address as far as the CBRAS server/router is concerned.

5. Now on the RV340, if we configure a S2S tunnel, the tunnel negotiation packets sent by the RV340 will be with src-ipaddr "5.6.7.8"... but on the remote VPN peer gateway, they will actually be seen with the src-ipaddr "1.2.3.4".

- So this would result in the IPsec tunnel switching to NAT-T automatically, because this would make the RV340 look like it is behind a NAT router.

So with the present info that you have provided, I think we could configure the VPN tunnel as such and make it work... BUT could you provide the info as to what kind of router/gateway the remote VPN IPsec peer gateway is?... is it another RV340?

- And are you planning to configure an IKEv2-based VPN tunnel or IKEv1-based?

- And what are the local LAN subnets (behind this RV340) and the remote LAN subnets (behind the remote VPN peer gateway) that you want to protect with the IPsec tunnel?... are there multiple subnets or just 1 pair of subnets?

thanks

  

 

 

I have a Cisco RV160 at the other end of the tunnel at my home. My home fiber connection has a traditional static IP with a different ISP, which works perfectly with the RV160 static settings. The RV160 uses its ISP-assigned static IP without issue.

I DO have a working site-to-site VPN tunnel using IKEv2 between sites, but ONLY if I have the home RV160 set to allow connection to the CBRAS site using the CBRAS site public dynamic IP. I can only establish the tunnel from the CBRAS site to the RV160 site since it is static. I want to be able to initiate the connection from either site.

If I set the RV160 to connect to the CBRAS site RV340 using the CBRAS site static IP, the VPN tunnel never establishes.

RV340 site local network: 192.168.1.1, 255.255.255.0 subnet

RV160 site local network: 192.168.2.1, 255.255.255.0 subnet

ISP provided information:

RV340 CBRAS site static IP: xx.xxx.xx.205

RV340 CBRAS site gateway: xx.xxx.xx.206

RV340 CBRAS site subnet: 255.255.255.252


nagrajk1969
Enthusiast

Hi

I believe this kind of static IP address from this ISP is not of much use for you with the RV340. You should go in for a similar public static IP address as assigned to the RV160.

Anyway, as far as the VPN tunnel is concerned in your present deployment:

The deployment will be mostly as below:

(192.168.1.x)---1.1(vlan1)[RV340]wan/dhcp(ex:20.20.20.2)--[ont]---[cbras-server]--{internet}--wan[RV160]-(192.168.2.x)

- Create a vlan2 interface on the RV340 and assign the allotted static IP address: x.x.x.206/30. We will assume that it is 60.60.60.206/30 for example's sake.

- We will assume for example that the dynamic public IP address assigned through DHCP to the wan1 interface is 20.20.20.2.

- We will assume for example that the static WAN IP address of the RV160 peer gateway is 30.30.30.101/24.

- Also, you may later need to disable NAT ON THE WAN1 INTERFACE IN THE FIREWALL/NAT GUI SECTION.

-------------------------------------------------------------------------------------

>>> I can only establish the tunnel from the CBRAS site to the RV160 site since it is static.

Yes, this is correct.

Basically, the CBRAS policy/rules are that:

a) For any traffic that is outbound to the internet with src-ipaddr 20.20.20.2, it will be translated to 60.60.60.205 before being routed out to the destination on the internet,

AND

b) For any traffic that is outbound to the internet with the src-ipaddr 60.60.60.205 (and not the dynamic public IP address on the WAN interface) and received via the ONT, the packets are routed as-is to the destination on the internet... there is no need to change the src-ipaddr.

c) From any internet hosts, packets with destination-ipaddr of the dynamic public IP 20.20.20.2 are forwarded up to the RV340 WAN interface... and further processed on the RV340 itself, as it owns the IP address.

d) From any internet hosts, packets with the static-ipaddr of 60.60.60.205 are forwarded up to the RV340 WAN interface... and from there you will need to add some permit ACL rules to forward them to the vlan2 interface, on which there may be a server connected with the ipaddr 60.60.60.205 (and default-gw IP 60.60.60.206, which will be the vlan2 ipaddr on the RV340).

So, as I had mentioned in my previous post, the above points are as per my own understanding (which may not be correct) of the working of the CBRAS.

- When you configure a S2S VPN tunnel on the RV340, it will be bound to the WAN interface ipaddr of 20.20.20.2 (and NOT 60.60.60.205), which is the dynamic public IP address... and therefore you are able to "initiate and connect a VPN tunnel from the RV160 only to this IP address", which is correct because the VPN service is listening only on the default-route interface or the WAN interface AND there is NO interface that will be configured on the RV340 with the ipaddr 60.60.60.205 (the allotted static IP address).

- But when you initiate the VPN tunnel connection from the RV340, the outbound src-ipaddr of the VPN tunnel packet will be 20.20.20.2, which will then be translated to 60.60.60.205 and sent to the RV160 (whose tunnel destination ipaddr would be 30.30.30.101).

- Therefore, due to this translation by CBRAS, this IPsec tunnel will invariably be using NAT-T (NAT-Traversal; UDP-4500 encapsulated ESP packets), AND the RV340 will always HAVE TO BE THE INITIATOR OF THE VPN TUNNEL... BECAUSE THE TUNNEL IS ORIGINATING FROM THE RV340 (with the ipaddr 20.20.20.2).

>>> I want to be able to initiate the connection from either site.

- No, you cannot, unless you have another RV340 connected to this RV340 on the vlan2 interface and the IP address 60.60.60.205 is assigned to the WAN interface of the second RV340 gateway AND THE S2S TUNNEL TO THE RV160 IS CONFIGURED ON IT.

With the present deployment, you can configure the S2S tunnel on the RV340 with keepalive enabled so that the tunnel is always UP, and therefore ONCE THE IPSEC TUNNEL IS UP/ACTIVE, YOU CAN ALWAYS INITIATE TRAFFIC FROM THE RV160 SIDE TO THE RV340 SIDE... IT WON'T BE A PROBLEM.

Also on the RV160, configure the S2S tunnel with "remote-endpoint" as "dynamic-ip".

And on the RV340, among other configurations of the S2S tunnel, ensure that you configure as below:

------------------------------------

Local-ID Type: FQDN

Local-Identifier: gateway1.test.local

Remote-ID Type: FQDN

Remote-Identifier: gateway2.test.local

-----------------------------

And on the RV160, among other configurations of the S2S tunnel, ensure that you configure as below:

------------------------------------

Local-ID Type: FQDN

Local-Identifier: gateway2.test.local

Remote-ID Type: FQDN

Remote-Identifier: gateway1.test.local

-----------------------------

The above is required on both peers as NAT-T is present...

best wishes and thanks

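The CBRAS rules (a) to (d) and the NAT-T consequence from the reply above, modelled as an added example that is not code from the thread or from Cisco: it reuses the reply's example addresses (20.20.20.2, 60.60.60.205, 30.30.30.101), constructed SPIs, and the NAT_DETECTION_*_IP hash from RFC 7296 section 2.23, and shows why only the RV340 can open the tunnel in this deployment.

```python
# Added example, not from the thread: models the CBRAS translation rules (a)-(d)
# from the accepted reply and the IKEv2 NAT detection (RFC 7296 s.2.23) that
# forces NAT-T when the RV340 initiates. Addresses are the reply's examples.
import hashlib

WAN_DYNAMIC = "20.20.20.2"    # DHCP address on RV340 wan1
STATIC_IP = "60.60.60.205"    # ISP-allotted static IP, translated by CBRAS
RV160_WAN = "30.30.30.101"    # RV160 static WAN IP


def cbras_outbound(src, dst):
    """Rules (a) and (b): the dynamic WAN source is rewritten to the static IP;
    a packet already sourced from the static IP is routed unchanged."""
    if src == WAN_DYNAMIC:
        return STATIC_IP, dst
    return src, dst


def rv340_owns(dst):
    """Rules (c) and (d): both addresses land on the RV340 WAN port, but only the
    dynamic one is configured on an interface, so only it reaches the IKE listener."""
    return dst == WAN_DYNAMIC


def nat_detection_hash(spi_i, spi_r, ip, port):
    """NAT_DETECTION_SOURCE_IP / DESTINATION_IP value: SHA-1(SPIi | SPIr | IP | port)."""
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    return hashlib.sha1(spi_i + spi_r + ip_bytes + port.to_bytes(2, "big")).digest()


def responder_detects_nat(spi_i, spi_r, sender_ip, observed_ip, port=500):
    """The initiator hashes the address it sent from; the responder hashes the source
    it actually saw. A mismatch means a NAT is in the path, so ESP moves to UDP 4500."""
    sent = nat_detection_hash(spi_i, spi_r, sender_ip, port)
    seen = nat_detection_hash(spi_i, spi_r, observed_ip, port)
    return sent != seen


def tunnel_outcome(initiator):
    """Which side can bring the tunnel up in the deployment from the thread."""
    spi_i, spi_r = b"\x11" * 8, b"\x22" * 8  # constructed SPIs for the example
    if initiator == "RV340":
        src, _ = cbras_outbound(WAN_DYNAMIC, RV160_WAN)  # RV160 sees 60.60.60.205
        nat_t = responder_detects_nat(spi_i, spi_r, WAN_DYNAMIC, src)
        return {"reaches_ike": True, "nat_t": nat_t}
    # RV160 targets the static IP: rule (d) delivers it to the RV340 WAN port,
    # but no interface owns 60.60.60.205, so the IKE service never answers.
    return {"reaches_ike": rv340_owns(STATIC_IP), "nat_t": False}
```

Because the RV340's address as seen by the RV160 (60.60.60.205) is never the address configured on the RV340 (20.20.20.2), an IP-address IKE identity would fail to match on either side; that is why the reply pins both peers' Local/Remote identifiers to FQDNs.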

Thank you for all the information; it is very helpful.