Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2002
Views
5
Helpful
14
Replies

RV345P S2S VPN IP Group

Go to solution
jpdeboer1
Level 1
Level 1

‎11-10-2020 12:41 AM

Hi,

 

We have a RV345P at our office, from this router i build a S2S VPN to a Cisco 1140. Now the VPN works fine if i just have 1 local subnet at the RV345P Router. Issue starts when i introduce a IP group to the S2S VPN. Whichever subnet you ping in that IP group first works but then the others dont work. Configuration is fine and subnets match on both sides. Did someone else encounter this issue?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Martin Aleksandrov
Cisco Employee
Cisco Employee
In response to jpdeboer1

‎11-11-2020 02:19 AM

Hi there,

 

There is a related bug with the ASAs firewalls when using S2S and IKEv2 with multiple subnets but RV is running different codebase. Can you check what IKE do you use in your S2S VPN and if it is IKEv2 please change it to IKEv1 just for the test? We don't have a known issue with the S2S VPN and IP groups on RV34x series and not aware of any for the1140 firewall.

 

Regards,

Martin

 

View solution in original post

0 Helpful
14 Replies 14

Go to solution
Martin Aleksandrov
Cisco Employee
Cisco Employee

‎11-10-2020 02:06 AM

@jpdeboer1 

 

Hi,

 

What do you mean by others don't work? Do you have ping working to all IPs in the remote IP group and vice versa? The two LAN subnets on either side of the tunnel cannot be on the same network, did you check that?

 

Regards,

Martin

0 Helpful

Go to solution
jpdeboer1
Level 1
Level 1
In response to Martin Aleksandrov

‎11-10-2020 02:10 AM

Hey,

 

I have 4 IPv4 subnets in the IP group whichever subnet i ping first works in both directions. The other 3 subnets in the same IP group are not reachable from both sides. Each IPv4 subnet is unique and do not overlap. 

Office Subnet:

10.11.30.0/24

 

DC Subnet:

10.3.4.0/22

10.11.10.0/24

10.11.11.0/24

10.11.12.0/24

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎11-10-2020 02:11 AM

Can you post cisco router side config and screenshot of RV345 to look the config. ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
jpdeboer1
Level 1
Level 1
In response to balaji.bandi

‎11-10-2020 03:17 AM

See below screenshots.

 

1.JPG2.JPG

 

4.JPG

0 Helpful

Go to solution
Martin Aleksandrov
Cisco Employee
Cisco Employee
In response to jpdeboer1

‎11-10-2020 08:14 AM

Hi there,

 

Heve you configured the mirrored VPN configuration on the other end? What is the other VPN termination device? 1140 is a Wireless Access Point?

 

Regards,

Martin

0 Helpful

Go to solution
jpdeboer1
Level 1
Level 1
In response to Martin Aleksandrov

‎11-10-2020 08:28 AM

Hi,

 

The first 2 screenshots are for the RV345P router at our office, the last screenshot is for the Cisco 1140 firepower firewall located in our datacenter. As shown on the screenshots the configuration is mirrored. 

 

When i enable the VPN and start a ping to 10.11.10.1 i get a reply. When i after that start a ping to one of the other subnets i do not get a reply. Now i bring down the VPN and bring it up by doing a ping to 10.11.12.1 VPN starts and i get a reply. But then i do not get a reply from 10.11.10.1 or one of the other subnets. So only the subnet you ping first works. 

Now if i change my config to have 1 big subnet rather then the IP group i can ping all the subnets in our datacenter. So it realy seems to be a issue with the IP group. 

0 Helpful

Go to solution
Martin Aleksandrov
Cisco Employee
Cisco Employee
In response to jpdeboer1

‎11-11-2020 12:08 AM

@jpdeboer1 

 

This might be indeed an issue with the IP group interoperability with the VPN between the RV and the Firepower firewall. Did you try other connectivity tests with the rest of non-pingable subnets (file share or transfer, etc.)? Any firewall settings on end machines?

 

Regards,

Martin

0 Helpful

Go to solution
jpdeboer1
Level 1
Level 1
In response to Martin Aleksandrov

‎11-11-2020 12:37 AM

Hi Martin,

 

I did try other tests, i tried to browse to web servers and also tried FTP transfer but did not get any connection. Is this a known issue within Cisco?

0 Helpful

Go to solution
Martin Aleksandrov
Cisco Employee
Cisco Employee
In response to jpdeboer1

‎11-11-2020 02:19 AM

Hi there,

 

There is a related bug with the ASAs firewalls when using S2S and IKEv2 with multiple subnets but RV is running different codebase. Can you check what IKE do you use in your S2S VPN and if it is IKEv2 please change it to IKEv1 just for the test? We don't have a known issue with the S2S VPN and IP groups on RV34x series and not aware of any for the1140 firewall.

 

Regards,

Martin

 

0 Helpful

Go to solution
jpdeboer1
Level 1
Level 1
In response to Martin Aleksandrov

‎11-11-2020 03:50 AM

Hi Martin,

 

That did the trick, i changed the setup to use Ikev1 and now i am able to connect to the different subnets using IP Groups in the RV router. Thank you for the support in figuring this out. 

 

So if you setup site to site vpn between a RV345P and a Cisco Firepower 1140 with Ikev2 the IP group option is not working.

0 Helpful

Go to solution
Martin Aleksandrov
Cisco Employee
Cisco Employee
In response to jpdeboer1

‎11-11-2020 04:24 AM

You're welcome!

 

I am glad this helped solve the issue. Hopefully, you won't implement security policies that don't allow IKEv1 for VPN deployments. You know at some point IKEv1 will become deprecated and you'll have to move to IKEv2.

 

Regards,

Martin

 

0 Helpful

Go to solution
jpdeboer1
Level 1
Level 1
In response to Martin Aleksandrov

‎11-11-2020 04:45 AM

I hope that this bug will be fixed by then for now i will use Ikev1 when i need multiple subnets: )

0 Helpful

Go to solution
nagrajk1969
Spotlight
Spotlight

‎05-10-2021 04:49 PM

Hi @ jpdeboer1 & all other users of RV34X Routers

 

1. The issue with S2S tunnels using multiple subnets (with IP-Groups on RV34X) not working with IKEv2 when the remote IPsec-Peers are especially and specifically Cisco-ISR/Cisco11xx/Cisco-ASA and other such appliances is becos the BUG is with the Cisco-ISR/11xx/ASA/etc appiances/routers AND NOT WITH RV34X.

2. The problem/bug is that when IKEV2 is used, the present/existing Cisco-IOS/ISR/ASA/11xx appiances DO NOT SUPPORT THE IKEV2 RFC-STANDARD  multiple traffic-selectors (read multiple-subnets) being received in the CHILD-SA payload during the tunnel negotiation....the Cisco-ISR/ASA/IOS/11xx routers are implemented to support ONLY 1 pair of Traffic-selectors during IKEv2-CHILD-SA negotiation.....

 

The RV340/345 supports the complete/latest RFC implementation for IKEv2-based tunnels....

 

3. So to establish IKEV2-based multiple subnets IPsec tunnel between RV340/345 and  Cisco-ISR/IOS/ASA appliances, you need to apply the below setting/config on the RV340/345, when you are configuring for IKEv2 and using IP-Groups for multiple-subnets (either local-subnets or remote-subnets or both )

 

In the S2S tunnel config page in the advanced tab, enable/check the setting "Non-RFC"....and now it should start working without any issues just like it does for IKEv1

Note: The checkbox "Non-RFC" on RV34X means that the remote Peer does not support the complete RFC-standard for IKEV2-based tunnels (multiple-subnets)

 

Also this "Non-RFC" should also be selected in case the remote ipsec peer is a Fortinet-Gw...Fortinet also has a bug and does not support recieving multiple-traffic selectors in the child-SA payload during the IKEv2 negotiation....

 

Cheers

 

  

Go to solution
Martin Aleksandrov
Cisco Employee
Cisco Employee
In response to nagrajk1969

‎05-11-2021 12:33 AM

@nagrajk1969 

 

Good catch! 

 

Thanks for sharing.

 

Regards,

Martin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents