Cisco RV220w site to site VPN multiple networks

jasunf
Level 1

Good afternoon all!!

 

I'm having challenges setting up a Cisco RV220w site to site that routes more than 1 network on the other side of the RV220w.

 

This may be a limitation of the firewall on the other side as well.  The main office has a Watchguard 535 firewall which has a working VPN site to site tunnel to our branch location.  Both sides only route for one network.  I want to add routing for another network behind the watchguard.  The way I would do this with two watchguards is simply add another network to the tunnel policy on the watchguard on both sides.

 

On the RV220w I see I can add a range but I can't add just another network.  Has anyone else tried to connect the RV220w to a WatchGuard or another vendor's firewall like this?  Another option would have been to just create another separate tunnel on the WatchGuard for this one network, but I can't have two policies with the same remote endpoint on the WatchGuard.  On the RV220w I added another tunnel policy and told it to use the original gateway policy that is already connected, but that fails to connect, as I figured it would.

 

So for a visual:

HQ site to site tunnel that works:

HQ 192.168.0.0/24 to Branch 192.1.1.0/24
Branch 192.1.1.0/24 to HQ 192.168.0.0/24

I want to add:

HQ 192.168.21.0/24 to Branch 192.1.1.0/24
Branch 192.1.1.0/24 to HQ 192.168.21.0/24

So the end result is HQ networks 192.168.0.0/24 and 192.168.21.0/24 on the watchguard route to the Cisco RV220w 192.1.1.0/24 and back.  

I can add the other network to the existing policy on the watchguard but not sure how the RV220w should be configured to do this for return traffic using the existing tunnel.  I can't take it down to 192.168.0.0/16 either as I have a 3rd branch that is already 192.168.1.0/24.  I inherited this mess and look forward to changing all these IP schemes in the near future :(

 

2 Replies

joe19366
Level 1

No way I have seen for one tunnel, two networks.

I have spent a lot of time with the RV220w as of late.

It does not support/do Cisco ASA DPD keepalives, so it frequently disconnects from tunnels and needs to be MANUALLY cleared... not thrilled to have these at one place either.

While you can't make a second policy on the WatchGuard, just making a second tunnel on the RV220w should work, as each SPI per proxy-ID is negotiated independently in phase 2, per my testing with a single ASA to the RV220w with two subnets.

 

let me know
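The reply above hinges on one point: each proxy-ID pair (local subnet, remote subnet) is its own phase-2 selector and gets its own SA, so a second HQ subnet means a second tunnel policy, not a wider selector. The following is an added example, not code from the thread, from Cisco or from WatchGuard: a small Python model of an IPsec SPD that picks a policy by traffic selector and flags selector overlaps. The subnets are the ones named in the thread; the policy names (`branch_net0`, `branch_net21`, `third_branch`, `branch_all`), the `TunnelPolicy` structure and the two check functions are this example's own assumptions and do not reflect either device's configuration format.

```python
"""Added example, not code from the original thread or from Cisco/WatchGuard.

Models how an IPsec peer picks a phase-2 SA by traffic selector (proxy-ID),
to show why the HQ side needs one tunnel policy per /24 and why a
192.168.0.0/16 selector would collide with the third branch at 192.168.1.0/24.

Subnets come from the thread; the policy structure, names and checks are
this example's own assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TunnelPolicy:
    """One phase-2 selector pair (local <-> remote) under a shared IKE gateway.

    Each policy negotiates its own child SA and SPI pair, so adding a subnet
    means adding a policy rather than widening the existing one.
    """
    name: str
    local: IPv4Network
    remote: IPv4Network


def policy(name: str, local: str, remote: str) -> TunnelPolicy:
    """Build a policy from dotted-quad CIDR strings (hypothetical helper)."""
    return TunnelPolicy(name, ip_network(local), ip_network(remote))


def select_policy(policies: List[TunnelPolicy], src: str, dst: str) -> Optional[str]:
    """Return the name of the policy whose selectors cover src -> dst, or None.

    The most specific pair wins, as in an ordered SPD. None means no SA
    matches the packet; depending on the device it is then dropped or sent
    in the clear, which is the symptom for a subnet that has no policy.
    """
    s, d = ip_address(src), ip_address(dst)
    hits = [p for p in policies if s in p.local and d in p.remote]
    if not hits:
        return None
    best = max(hits, key=lambda p: p.local.prefixlen + p.remote.prefixlen)
    return best.name


def selector_conflicts(policies: List[TunnelPolicy]) -> List[Tuple[str, str]]:
    """Pairs (a, b) where policy a's local selector overlaps policy b's remote
    selector on the same device. Such an overlap claims, for tunnel a,
    address space that is actually reached through tunnel b."""
    out = []
    for a in policies:
        for b in policies:
            if a is not b and a.local.overlaps(b.remote):
                out.append((a.name, b.name))
    return out


# Constructed policy sets for the HQ (WatchGuard) side of the thread's setup.
HQ_PER_SUBNET = [
    policy("branch_net0", "192.168.0.0/24", "192.1.1.0/24"),
    policy("branch_net21", "192.168.21.0/24", "192.1.1.0/24"),  # the added policy
    policy("third_branch", "192.168.0.0/24", "192.168.1.0/24"),
]

HQ_SUPERNET = [
    policy("branch_all", "192.168.0.0/16", "192.1.1.0/24"),  # the /16 shortcut
    policy("third_branch", "192.168.0.0/24", "192.168.1.0/24"),
]

if __name__ == "__main__":
    for src in ("192.168.0.7", "192.168.21.7", "192.168.5.7"):
        print(src, "-> 192.1.1.9 via", select_policy(HQ_PER_SUBNET, src, "192.1.1.9"))
    print("per-subnet conflicts:", selector_conflicts(HQ_PER_SUBNET))
    print("supernet conflicts:", selector_conflicts(HQ_SUPERNET))
```

Traffic from 192.168.21.0/24 only gets an SA once `branch_net21` exists; a host in a subnet with no policy (192.168.5.7 here) matches nothing. The `/16` variant the original poster rejected is flagged because its local selector swallows the third branch's remote selector. The RV220w side mirrors this with `192.1.1.0/24` as local and the two HQ /24s as two remote selectors under the one gateway policy, which is what the reply above reports working against an ASA.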

Yeah, I think it'll get replaced soon, but in the meantime I've been trying to make it happen.

So to create a second tunnel policy on the RV220, do I use the original gateway policy?  So one gateway policy and two tunnel policies pointing at it?  Hope I have that right.