IPSec VPN between RV220W and RV180 gives only one way ticket for data flow

Petrbenda · ‎02-22-2014

I have setup IPSec VPN between RV220W (FW 1.0.5.8) and RV180 (FW 1.3.0.10), public addresses are used on both sites, RV220W subnet is 192.168.2.0/24 (subnet A), RV180 subnet is 192.168.3.0/24 (subnet B). No radius and additional settings are made. The port forwarding is setup only. When I am on subnet B, everything including websites requiring from subnet A is accessible (web interface of RV220W and web of NAS QNAP is perfectly accessible). When I am on subnet A everything from subnet A is available, but not everything is accessible from subnet B. It is not possible to read folders and some websites for example web interface of RV180 (after allowing certificate collision the page is blank, it can read it forever), web of NAS QNAP (website is blank, it can read it forever). However other websites are accessible without problems (cameras, intranet, etc.). If I return to the previous working state, it means previous FW which is installed on RV220W it is still the same. It is very strange behaviour I have tried to reset both routers to the factory defaults, setup them again, change settings of VPN and more and more. It still keeps theirs strange behaviour. Does anyone know what to do else?

mpyhala · ‎02-28-2014

Petr,

This is very unusual. Are you still having the issue or did you get it resolved?

- Marty

Petrbenda · ‎03-02-2014

Dear Marty

I thank you for your reply. Feelings of someone´s interest gives me a certain amount of hope.

I used to have very similar strange issue when I had site to site VPN between RV220W and RV042. As soon as I updated FW on RV042 to the latest it stopped correct working. Simply it worked only with FW 1.3.12.19-tm. Now I have something similar with RV220W. The RV042 was replaced by RV180 which is a little bit more powerful and settings are common between all routers so it is better for me. RV220W has established one more site to site VPN with RV215W and it works fine. Honestly I have tried lots of combinations of settings to sort the problem out. It is still the same. I tested ports if they are opened, they are. Simply it is very and very strange. There is no idea on my mind what to do else so I have no proper VPN connection at the moment.

Greetings

Petr

Nagaraja Thanthry · ‎03-02-2014

Hello Petr,

Can you please share your VPN settings screenshot (mask your WAN IP addresses) if possible?

Nagaraja

Petrbenda · ‎03-02-2014

Hallo Nagaraja

I have attached same screenshots. Hopefully it will help.

Many thanks

Petr

Nagaraja Thanthry · ‎03-02-2014

Hello Petr,

If I understand your problem correctly,

RV220W has an internal subnet of 192.168.2.0/24
RV180W has an internal subnet of 192.168.3.0/24
DNS server for your networks is at 192.168.3.2
When you try to access devices behind RV220W from 192.168.3.x subnet, everything works fine
When you try to access devices behind RV180W from 192.168.2.x subnet, only some are accessible, while others are not

Few questions regarding the way you are trying to access the devices behind the RV180W.

Are you trying to access them using their IP address or using their name/FQDN?
If you try to ping the same devices using their IP address, do you get the responses?
Do these devices have any Port forwarding rules built on the RV180W?

Nagaraja

Petrbenda · ‎10-19-2014

Dear

I have found the reason of my problems. I use public IP address. This address is correctly setup and used for site to site tunnels. Due to reason that is not important, I setup Dynamic DNS as well for different FQDN. The tunnel has been working fine since I switched off the Dynamic DNS service.

Petr

mpyhala · ‎03-02-2014

Petr,

A few additional questions:

Is there a reason that you are using Aggressive Mode instead of Main Mode?

Why is Split DNS enabled on the RV180 if the DNS server is local?

The rest of your VPN settings look fine. Nagaraja raises some good questions as well.

- Marty

Petrbenda · ‎03-02-2014

Hallo

Here are answers for your questions:

RV220W has an internal subnet of 192.168.2.0/24 that is correct
RV180W has an internal subnet of 192.168.3.0/24 that is correct
DNS server for your networks is at 192.168.3.2 that is correct. SBS 2011 and its DNS server …
When you try to access devices behind RV220W from 192.168.3.x subnet, everything works fine, not exactly, some websites are accessible others not. F.e. RV220W is not accessible. When I try to lunch it, I need to allow certificate issue and then loading and loading but the blank screen appears only.
When you try to access devices behind RV180W from 192.168.2.x subnet, only some are accessible, while others are not - not exactly – everything is accessible perfectly

Few questions regarding the way you are trying to access the devices behind the RV180W.

Are you trying to access them using their IP address or using their name/FQDN? – from site (192.168.3.0/24) I can use IP or DNS name, because of server, ping works without problems for all devices on RV180 and RV220W subnets. If I am on site 192.168.2.0/24 – local devices are accessible only via IP, the outlook through VPN can be done using IP or DNS name.
If you try to ping the same devices using their IP address, do you get the responses? - that is not 100% correct. On subnet with RV180 it is 100% correct for both subnets, on site with RV220W it works only for devices on the other site of VPN (the site of RV180)
Do these devices have any Port forwarding rules built on the RV180W? * Those ports are opened: 443, 21, 5090, 987, 3389, 1723, 143, 995, 8080, 53, 25, 110, 9000, 5060. If I switch port forwarding off the issue is not affected. Most ports are directed to 192.168.3.2, The only port 8080 is directed to the different device.
Is there a reason that you are using Aggressive Mode instead of Main Mode? – No affective issue, in this case I have better throughput of data.
Why is Split DNS enabled on the RV180 if the DNS server is local? – yes, it is not necessary. I am switching it off.

Many thanks

Petr