RV340 - VPN Problem

JuergenM233
Level 1

We have to create a VPN Site to Site Connection on our RV340.

 

Our Local Net is 192.168.1.0/24

Our service provider uses the net 192.168.100.0/24 but wants us to identify ourselves under 192.168.183.0/24 for VPN traffic.

 

Can this be set up in the Router?

 

Static NAT did not help.


balaji.bandi
Hall of Fame

If the service provider is looking for you to send with a source of 192.168.183.0/24, then you need to NAT 192.168.1.0/24 with the suggested pool IP address.

 

Here is the static NAT:

 

https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/smb5461-configure-the-static-network-address-translation-nat-on-the.html

 

I have also read that the NAT is not working. Please show us what is wrong.

BB


I'd need the static NAT only for the VPN tunnel.

 

E.g. like this:

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

 

I think this is not a feature on the RV340.

nagrajk1969
Spotlight

Hi JuergenM

 

What is needed in your deployment is "nat-before-ipsec". This can be done on the Cisco RV260 series router

- it has something called Policy-NAT which can be applied to translate the src-network 192.168.1.0 to 192.168.183.0 before the packets are forwarded onto the S2S tunnel 

 

But as you said correctly, it cannot be done on the RV340, at least directly... BUT you can do the below if you REALLY want it to be done using the RV340

 

You should configure a setup as below in the site where the RV340 is (and nothing is required to be done... well, almost nothing, on the remote site)

 

(lan-subnet/192.168.1.0/24)----eth0[Linux-Router]eth1----(lan)[RV340]wan1----ipsec-tunnel---[RemotePeer]---------(192.168.100.0/24)

 

1. Move the lan-subnet 192.168.1.0/24 behind the Linux-Router as shown above, and change the lan-ipaddr of RV340 to 192.168.183.1/24

 

2. On the Linux-Router

a) Configure the IP address 192.168.1.1/24 on the eth0 interface of Linux-Router

b) Run dhcp-server on the eth0 interface and let it assign the ipaddress in the 192.168.1.0/24 network to the lan-hosts

c) Configure the ipaddress 192.168.183.254/24 with default-gw-ip 192.168.183.1 on the eth1 interface of Linux-Router

d) DO NOT ENABLE ANY NAT/MASQUERADE ON THIS LINUX-ROUTER ON ANY INTERFACE (on eth1 or eth0), Remove if any existing

e) Next apply the following iptables rules on this Linux-Router 

Note: As you mentioned it will be for ONLY IPsec traffic to the remote-peer. The below rules do 1:1 nat for entire subnet, in each direction

 

iptables -t nat -I PREROUTING 1 -i eth0 -s 192.168.1.0/24 -d 192.168.100.0/24 -j NETMAP --to 192.168.183.0/24

iptables -t nat -I PREROUTING 2 -i eth1 -d 192.168.183.0/24 -j NETMAP --to 192.168.1.0/24

 

OR I think the below should also work... but it will work for sure

 

iptables -t nat -I POSTROUTING 1 -o eth1 -s 192.168.1.0/24 -d 192.168.100.0/24 -j NETMAP --to 192.168.183.0/24

iptables -t nat -I PREROUTING 1 -i eth1 -d 192.168.183.0/24 -j NETMAP --to 192.168.1.0/24

 

3. On the RV340

 

a) After changing the vlan1 interface ipaddr to 192.168.183.1/24 (and do an Apply/Save too),

b) Add a Static route in the Routing page...

Destination-network: 192.168.1.0

Netmask: 255.255.255.0

Gateway: 192.168.183.254

Interface: vlan1

 

c) Next configure the S2S tunnel to the service provider as usual..but apply the below values/settings on RV340

 

Local-IP-Type: Subnet:

192.168.183.0/24

 

Remote-IP-Type: Subnet

192.168.100.0/24

 

4. On the Remote-PeerGw

- for the S2S tunnel config use the below values

Local-IP-Type: Subnet:

192.168.100.0/24

 

Remote-IP-Type: Subnet

192.168.183.0/24

 

 

That's it... you should be able to solve your requirements

 

Hope this is useful, even though it's been a long time since this query was asked....
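
The NETMAP translation from step 2(e), modelled in Python as an added example (not code from the thread): it follows the POSTROUTING/PREROUTING rule pair and checks the translated packets against the tunnel subnets from steps 3(c) and 4. The `Packet` class and the function names are hypothetical, the sample host addresses are constructed, and the `-i`/`-o` interface matches are not modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.1.0/24")       # real LAN behind the Linux router
MAPPED = ipaddress.ip_network("192.168.183.0/24")  # subnet the provider expects to see
REMOTE = ipaddress.ip_network("192.168.100.0/24")  # provider network

@dataclass(frozen=True)
class Packet:  # hypothetical minimal packet: addresses only
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address

def pkt(src, dst):
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))

def map_addr(addr, to_net):
    """NETMAP arithmetic: network bits come from --to, host bits from the original."""
    host_bits = int(addr) & int(to_net.hostmask)
    return ipaddress.ip_address(int(to_net.network_address) | host_bits)

def netmap(p, hook, to_net, src=None, dst=None):
    """Apply one '-j NETMAP --to' rule when its -s/-d matches hit.
    NETMAP rewrites the destination in PREROUTING and the source in POSTROUTING."""
    if (src is not None and p.src not in src) or (dst is not None and p.dst not in dst):
        return p  # rule does not match, packet is left alone
    if hook == "PREROUTING":
        return replace(p, dst=map_addr(p.dst, to_net))
    if hook == "POSTROUTING":
        return replace(p, src=map_addr(p.src, to_net))
    raise ValueError(f"unsupported hook: {hook}")

def lan_to_provider(p):
    # iptables -t nat -I POSTROUTING 1 -o eth1 -s LAN -d REMOTE -j NETMAP --to MAPPED
    return netmap(p, "POSTROUTING", MAPPED, src=LAN, dst=REMOTE)

def provider_to_lan(p):
    # iptables -t nat -I PREROUTING 1 -i eth1 -d MAPPED -j NETMAP --to LAN
    return netmap(p, "PREROUTING", LAN, dst=MAPPED)

def in_tunnel_selector(p):
    """True if the packet fits the 192.168.183.0/24 <-> 192.168.100.0/24 tunnel subnets."""
    return (p.src in MAPPED and p.dst in REMOTE) or (p.src in REMOTE and p.dst in MAPPED)

if __name__ == "__main__":
    out = lan_to_provider(pkt("192.168.1.50", "192.168.100.10"))
    print("LAN -> provider:", out, "matches tunnel:", in_tunnel_selector(out))
    print("provider -> LAN:", provider_to_lan(pkt("192.168.100.10", "192.168.183.50")))
```

The `netmap` function encodes that the NETMAP target rewrites the destination address in PREROUTING and the source address in POSTROUTING, so the chain a rule is inserted into decides which side of the packet is mapped.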