cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12722
Views
0
Helpful
6
Replies

Site to Site VPN router behind a router

smgtech01
Level 1
Level 1

Can the setup in attached image work where a personal home router is allowing a site to site vpn to a remote router behind it? If so how do you configure the home router which has a dynamic ip to allow the site to site vpn?

Is this a matter of getting a IPSEC vpn capable router and connecting the routers as shown in the diagram below and setting up the policies on both ends?

Also, after setting it up will the office LAN have access to the computer "desk0" in the image below (meaning will desk0 be in the same subnet as the office lan grabbing its ip from the office server's DHCP)?

VPNSetup.PNG

6 Replies 6

fb_webuser
Level 6
Level 6

Yes you can put a VPN endpoint behind another router (i.e. Home Router), just need forward UDP port 4500 and allow ESP. Having dynamic IP means that only one side could initialize tunnel with traffic

(anything behind the Remote Router).

On the Office Router site that has a static IP you would need configure the tunnel for a dynamic address.

Note that the ISAKMP Key address is anything, which allows for any IP to connect.

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp key ********* address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set IPSEC

match address 120

!

!

crypto map CRYPTO_IPSEC 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

If you are using a PIX, or ASA, same concept applies. Except minor difference in how you authenticate the tunnel

Finally, the Remote Router inside will need a new subnet. If the Offfice is 192.168.1.0/24, then you will need use

like 192.168.2.0/24. And no, DHCP would not go across this tunnel. Devices office LAN will have access, but will never

be able initialize the tunnel should it drop.

---

Posted by WebUser Sean Waite from Cisco Support Community App

So if I set it up like this does that mean that the user on the new subnet will be able to login to the server? Meaning it will be able to find the D.C./DNS server 192.168.1.1 on its on and I won't have to do any static routes?

fb_webuser
Level 6
Level 6

If I assume this is Active Directory, then you would need to put the IP/DNS manually, then it would find the AD server and necessary DNS records that AD clients rely on.

As for configuring the tunnel, have a look at this post - https://supportforums.cisco.com/docs/DOC-3066

---

Posted by WebUser Sean Waite from Cisco Support Community App

Your right it is active directory. So how would I set it up where I do not have to do it manually? I just want to be able to turn the computer on remotely and login as if I was at the office. I use quickvpn and it is limited.

If I use a service like say DynDNS to always have a connection to the home dynamic ip could I create the site to site vpn? I stop short of saying gateway to gateway vpn because the connection of course is not used only for a satelite user vpn tunnel but also personal use.

Could I get a router than sepeartes the lans into two different virtual lans and hook one lan up to the office vpn and let the other lan be like a normal personal network?

red2thebones
Level 1
Level 1

Hi smgtech01,


Were you able to get the tunnel working?

I'm having some issues with almost exactly the same setup to yours.

I can use a PPTP VPN server without any issues, but unable to establish an IPSec tunnel.

I can see the authentication process showing up in the VPN logs, but  have never been able to get the tunnel established.

My setup consist of the following:

- SRP527W as the "Office Router", connecting directly to the internet.

- Netgear Modem/Router as the "Home Router" - connected to the internet.

- RV402G as the "VPN Router", behind the Netgear, with a static IP in the DMZ and ports 4500 and 500 both forwarded.

Wondering if I missed some important steps somewhere...

Any help would be much appreciated

Hello! 

I have a similar problem! 

At site A, I have a Cisco ISA550W connected directly to the Internet. So I get my WAN address from my ISP directly to my ISA550W! 

At site B, I have a Cisco RV320 which is connected from its WAN port to a Lan port on a Netgear router which in turn is connected to the internet. 

The tunnel between them when I have it connected like this does not work. 

If I insert a 3G/4G USB modem directly into the RV320 instead so tunnel work perfectly! 

So I'm not sure what I need to do in the Netgear router to get it to work. I should add that I get a Lan address on my RV320 from Netgear router (192.168.2.32 dhcp)

 

Have a nice weekend! 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: