
RV042g and RV110w site to site VPN behind DSL

Deimos4242
Level 1

Hello,

I am struggling to get a site to site VPN to work between two Cisco routers, both behind DSL routers. Would really appreciate your help.

Site A:

Public IP: 1.2.3.4 with a DSL router (all ports forwarded to 192.168.0.42)

RV042G WAN set to static IP: 192.168.0.42

RV042G LAN set to: 192.168.105.x

Site B:

Public IP: 5.6.7.8 with a DSL router (all ports forwarded to 192.168.1.42)

RV110W WAN set to static IP: 192.168.1.42

RV110W LAN set to: 192.168.111.x

When I try to establish a connection, I get the following error on the RV110W:

26    2014-01-18 9:36:53 AM    debug    pluto[14811]: "naya" #110: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.4:500    

27    2014-01-18 9:36:53 AM    debug    pluto[14811]: "naya" #110: no suitable connection for peer '192.168.0.42'    

28    2014-01-18 9:36:53 AM    debug    pluto[14811]: "naya" #110: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.42'    

29    2014-01-18 9:36:53 AM    debug    pluto[14811]: "naya" #110: STATE_MAIN_R2: sent MR2, expecting MI3    

30    2014-01-18 9:36:53 AM    debug    pluto[14811]: "naya" #110: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2         

32    2014-01-18 9:36:53 AM    debug    pluto[14811]: "naya" #110: STATE_MAIN_R1: sent MR1, expecting MI2    

33    2014-01-18 9:36:53 AM    debug    pluto[14811]: "naya" #110: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1    

34    2014-01-18 9:36:53 AM    debug    pluto[14811]: "naya" #110: responding to Main Mode

The problem is both Cisco routers are advertising their WAN IP instead of the real Public internet IP.

Is there a way to force a connection and avoid this ID check? I used to have VPN routers from another manufacturer where it was possible to manually change the ID.

Thank you very much for your help

10 Replies

laurentevain
Level 1

I had the same issue. I think it's a check created by your VPN security. I'd test with other settings and it's working now.

SamirD
Level 5
Level 5

The Cisco RV series work this way for their site-to-site VPN. I've run into the same problem. It uses the IP address as part of the security check, and when it sees a different address, it fails.

I believe that NAT-T (NAT Traversal) is an option on these and checking this box should help.  Also, try using aggressive vs main mode.

For me, I used some older Netgear VPN routers that didn't have this limitation and they work fine in your configuration.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com


stevemowbray
Level 1

Hi

I got this working a couple of years ago - let me know if you still need a solution and I will write up the steps and post back to you.

Regards

Steve

I'd love to hear how you got this working.  I've got some rv016s where I had to reconfigure the network to use the site-to-site because of the IP issue.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com


Hi - not forgotten, was going to write up my solution - just have not had a spare moment - I will get round to it as soon as I can.

steve

Ironically, I have had to replace one of the ageing modems in this setup and now can no longer get the tunnel to work, so my solution might not have been that informative. After much trial and error I have resorted to asking for some guidance here:

https://supportforums.cisco.com/discussion/12189026/vpn-tunnel-between-rv042s-behind-adsl-modems

 

Thank you for the reply and update.  There's no reason a modem should have caused this to stop working since Internet is Internet as far as the rvs are concerned.  I'll check out your other thread.
 

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

David_Che
Level 1

Hi,

Did you try to configure "crypto isakmp identity hostname" on both sides?

There are no crypto maps or anything like that on the rv series.  The rv series is smb and doesn't use IOS.
 

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

Hi All,

 

If you are behind NAT routers, you need to configure WAN IP and LAN IP for IKE policy. You can set exact WAN IPs configured in RV routers other than public IPs on NAT routers.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
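
An added example (not part of the thread and not Cisco tooling): a Python check over the pluto lines quoted in the first post that pairs the address the notification is sent to with the identity the peer presented, which exposes the private WAN address the last reply says to use as the remote ID. The function name and sample text are constructed for illustration, and it assumes the notification destination is the address the peer's packets arrived from.

```python
import ipaddress
import re

# Constructed sample: the three relevant lines from the RV110W log in the first post.
SAMPLE_LOG = '''\
26    2014-01-18 9:36:53 AM    debug    pluto[14811]: "naya" #110: sending encrypted notification INVALID_ID_INFORMATION to 1.2.3.4:500
27    2014-01-18 9:36:53 AM    debug    pluto[14811]: "naya" #110: no suitable connection for peer '192.168.0.42'
28    2014-01-18 9:36:53 AM    debug    pluto[14811]: "naya" #110: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.42'
'''

PREFIX = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*\S)')
PEER_ID = re.compile(r"Main mode peer ID is (?P<type>ID_\w+): '(?P<value>[^']+)'")
NOTIFY = re.compile(r"sending encrypted notification (?P<kind>\w+) to (?P<ip>[\d.]+):(?P<port>\d+)")

def find_id_mismatches(log_text):
    """Group pluto lines per (connection, SA number) and report exchanges where
    the IKE identity the peer sent differs from the address its packets came from."""
    sas = {}
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        sa = sas.setdefault((m["conn"], int(m["sa"])), {})
        if (p := PEER_ID.search(m["msg"])):
            sa["id_type"], sa["peer_id"] = p["type"], p["value"]
        elif (n := NOTIFY.search(m["msg"])):
            sa["notify"], sa["src_ip"] = n["kind"], n["ip"]
    findings = []
    for (conn, num), sa in sorted(sas.items()):
        if sa.get("id_type") != "ID_IPV4_ADDR" or "src_ip" not in sa:
            continue
        if sa["peer_id"] != sa["src_ip"]:
            findings.append({
                "conn": conn, "sa": num, "notify": sa["notify"],
                "packet_source": sa["src_ip"], "peer_id": sa["peer_id"],
                # A private ID arriving from a public source means the peer sits behind NAT.
                "peer_behind_nat": ipaddress.ip_address(sa["peer_id"]).is_private,
            })
    return findings

if __name__ == "__main__":
    for f in find_id_mismatches(SAMPLE_LOG):
        print(f)
```

The log is newest-first, so the function groups by SA number instead of relying on line order.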