ANNOUNCEMENT - The community will be down for maintenace this Thursday August 13 from 12:00 AM PT to 02:00 AM PT. As a precaution save your work.
Showing results for 
Search instead for 
Did you mean: 

Welcome to the Cisco Small Business Community

Have a question? Click on a topic board below to get started in the community.
Get the latest news in this issue of the Cisco Small Business Monthly Newsletter

Configure a Teleworker VPN Client on the RV34x Series Router


Article ID:5728

Configure a Teleworker VPN Client on the RV34x Series Router


The Teleworker VPN Client feature minimizes the configuration requirements at remote locations by allowing the device to work as a Cisco VPN hardware client. When the Teleworker VPN Client starts the VPN connection, the IPSec VPN server pushed the IPSec policies to the Teleworker VPN Client and creates the corresponding tunnel.

This article aims to show you how to configure the Teleworker VPN Client on the RV34x Series Router.

Applicable Devices

  • RV34x Series Router

Software Version


Configure the Teleworker VPN Client

Step 1. Log in to the web-based utility and chooseVPN > Teleworker VPN Client.

Step 2. In the Teleworker VPN Client area, click the On radio button to enable the Telework VPN Client.

Note: Only a single Teleworker VPN Client can have an active connection at startup.

Step 3. (Optional) In the Auto Initiation Retry area, click a radio button On or Off to enable or disable an automatic initiation attempt after a failure. Clicking On means that the router will attempt to make an initiation after failure.

Note: In this example, On is chosen.

Step 4. In the Retry Interval field, enter a value in seconds that the router will make an attempt to make an initiation to connect. The default is 120 seconds.

Note: In this example, the default value is used.

Step 5. In the Retry Limit field, specify the number of times the router will automatically attempt to make an initiation after a failure.

Note: In this example, the number entered is 2.

Configure the Basic Settings

Step 6. In the Teleworker VPN Clients table, click Add to create and configure a Teleworker VPN client.

Step 7. In the Basic Settings area, enter a name for the VPN tunnel in the Name field.

Note: In this example, Dracarys is used.

Step. 8. In the Server (Remote Address) field, enter the IP address of the remote server.

Note: In this example, is used.

Step 9. To initiate a connection upon startup, click Onin the Active Connection on Startup area. To manually start a connection, click Off.

Note: In this example, On is chosen.

Step 10. In the IKE Authentication Method area, choose an authentication method to be used in IKE negotiations in IKE-based tunnel. The options are:

  • Pre-shared Key — IKE peers authenticate each other by computing and sending a keyed hash of data that includes the Pre-shared Key. If the receiving peer is able to create the same hash independently using its Pre-shared key, it knows that both peers must share the same secret, thus authenticating the other peer. Pre-shared keys do not scale well because each IPSec peer must be configured with the Pre-shared key of every other peer with which it establishes a session. If this is chosen, proceed to the next step.
  • Certificate — The digital certificate is a package that contains information such as a certificate identity of the bearer: name or IP address, the serial number expiration date of the certificate, and a copy of the public key of the certificate bearer. The standard digital certificate format is defined in the X.509 specification. X.509 version 3 defines the data structure for certificates. If this is chosen, skip to Step 13.

Note: In this example, Pre-shared Key is chosen.

Step 11. If you have chosen Pre-shared Key in Step 10, enter a group name in the Group Name field.

Note: In this example, FreeFolk is used as the Group Name.

Step 12. In the Password field, enter a password to be associated with the Group.

Step 13. If you have chosen Certificate in Step 10, choose the appropriate certificate for your router.

Note: In this example, Default is chosen.

Step 14. Click on a radio button to choose a Mode. The options are:

  • Client — This option allows the client to request for an IP address and the server supplies the IP addresses from the configured address range. If this is chosen, proceed to Step 16.
  • Network Extension Mode (NEM) — This option allows clients to propose their subnet for which VPN services need to be applied on traffic between LAN behind server and subnet proposed by client. You will also be asked to choose a VLAN. If this is chosen, skip to Step 15.

Note: In this example, Client is chosen.

Step 15. If NEM was chosen in Step 14, choose a VLAN from the drop-down list. The options may vary depending on pre-configured VLAN settings.

Note: In this example, 25 is chosen.

Step 16. In the User Name field, enter a user name to be associated with the Telework VPN Client.

Note: In this example, Tormound is used.

Step 17. In the User Password field, enter a password for the username.

Step 18. In the Confirm User Password field, re-enter the password to confirm the password. If the incorrect password is entered, the field will turn red.

Step 19. Click Apply to save the settings.

Step 20. A pop-up window will appear asking you to activate the connection as the settings are saved. Click the Activate Connection button to confirm the activation and Do Not Activate button to activate the connection later.

Note: In this example, Activate Connection is chosen.

You will be taken back to the main Teleworker VPN Client page.

You should now have successfully configured the basic settings for the Teleworker VPN Client on the RV34x Series Router.

Configure the Advanced Settings

Step 1. (Optional) In the Backup Server 1 field, enter the IP address or the domain name of the backup server. This will be where the device can start the VPN connection in case the primary IPSec VPN server fails. You can enter up to three backup servers in the fields provided. The Backup Server 1 has the highest priority among the three servers and the Backup Server 3 has the lowest.

Note: In this example, is used.

Step 2. In the Peer Timeout field, enter the time in seconds a peer can remain idle before disconnecting. The range is from 30-480 seconds. The default is 120.

Step 3. Click Apply.

You should now have successfully configured the Advanced Settings of the Teleworker VPN on the RV34x Series Router.


A concern I've had with RVxxx series client VPNs is there doesn't appear to be an account lockout policy option. If someone is trying to brute force into a VPN client, I want the account locked out after a preset # of attempts, during a preset period of time, for a preset amount of time (optional). This is why we often don't use Cisco VPNs and do passthrough VPN to an internal server on the internal LAN where account lockout options are available. Is this something Cisco would consider adding to its RV series VPN routers? Should be simple enough to implement with e-mail notifications to admins when/if an account is attacked/locked out.

Great thanks for writing this post on RV3xx Routers and Teleworker VPN.

I don’t have experience with administering Cisco products in general and in RV3xx specifically.

I am sure this Teleworker VPN feature is a menu option within the configuration options of the firmware; however because I am a novice and about to make an investment, is the Teleworker VPN a feature within the routers firmware or is this a Cisco licensed software addon that might be prohibitively expensive?