RV345 Site to Site Routing Issue

Chronos292
Level 1

Hi All

I have an issue with some RV345s I hope you can help with (Hub and Spoke set up):

Site A has an RV345 with an IPSEC VPN to AWS on WAN1 and an IPSEC VPN to Site B on WAN2.

Site A can see AWS and vice versa; Site B can see Site A and vice versa.

Site B cannot, however, access the AWS VPN via Site A's RV345.

We have tried adding static routes (there is no option to use the VPN as a static route, and configuring it for the WAN interfaces doesn't work). With the VPN set up there is only an option to list one local IP range.

Any help would be appreciated.

9 Replies

balaji.bandi
Hall of Fame

Personally, the RV series cannot do a DMVPN kind of setup.

You can have dual site-to-site VPNs to different sites.

Make sure they are not overlapped; you need to allow each other's IP addresses in the tunnel to access. (I am thinking technically - not sure how feasible in terms of config.)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi

They are not overlapped - all sites are on different internal IP addresses. We cannot find any way of giving each subnet access to the other VPNs.

@Chronos292 Is there any specific reason to send traffic from Site B to AWS via Site A? How about if you set up a new VPN between Site B and AWS?

Spooster IT Services Team

We did try this; however, Site B is on a shared internal network link, not a public-facing IP, so we cannot do it that way.

Hello @Chronos292,

This is an unsupported feature. Please find the link below to a long discussion on the same topic.

RV345P - multiple subnets in site-to-site VPN - Cisco Community

*** If you find this information useful, please remember to mark it as "helpful"

Spooster IT Services Team

Many thanks, do you know if the RV 260 supports this at all?

@Chronos292

RV 260 has the same limitation as well.

However, there is an option to define Groups on this hardware, but I strongly recommend not using them as they are full of flaws on routers.

Spooster IT Services Team

Thanks, we did try the groups and it pretty much killed everything.

Thank you for your assistance.

nagrajk1969
Spotlight

Hi Chronos292

Don't lose heart so quickly... who says it's not possible to configure a Hub-Spoke VPN topology on RV345/RV340/RV260/RV160?

It's quite doable... provided, of course (the unknown here), that the AWS VPN-Gw supports the config below.

Note: The method below of configuring the Local/Remote subnets for each S2S tunnel is actually the standard (RFC standard) method of configuring Hub-n-Spoke...

Some Assumptions:

We will assume for our sample config that

1. The local-subnet behind SiteA-Gw is 192.168.1.0/24

2. The local-subnet behind SiteB-Gw is 192.168.2.0/24

3. The local-subnet behind AWS-Gw is 192.168.3.0/24

and

4. It's decided that SiteA will be the HUB gw,

so configure the S2S tunnels as below:

 

A) On SiteA-Gw: Configure the 2 S2S tunnels to SiteB-Gw and AWS-Gw


First Tunnel:
---------------------------------
Name: SiteA_SiteB_Tunnel1
Remote-Endpoint: SiteB-wan-ipaddress

Note:
- In case, as you mentioned, SiteB is behind a NAT-router, then all traffic has to be first initiated from SiteB for the tunnel to come up
- So here for "Remote Endpoint", use the setting "dynamic-ip", in which case SiteA-Gw will always be a passive-Gw and responder-only ipsec-peer


Local-ID-Type: FQDN
Enter-value: hubgw.local.net

Local-IP-Type: ANY

 

Remote-ID: Type: FQDN
Enter-value: siteB.local.net

Remote-IP-Type: Subnet
value: 192.168.2.0/255.255.255.0

- In the Advanced page, just enable DPD and set it to "30s, 120s and clear"
-----------------------------------------------------------------------------


Second Tunnel:
---------------------------------
Name: SiteA_AWS_Tunnel2
Remote-Endpoint: AWS-wan-ipaddress


Local-ID-Type: FQDN
Enter-value: hubgw.local.net

Local-IP-Type: ANY

 

Remote-ID: Type: FQDN
Enter-value: AWS.local.net

Remote-IP-Type: Subnet
value: 192.168.3.0/255.255.255.0

- In the Advanced page, just enable DPD and set it to "30s, 120s and clear"
-----------------------------------------------------------------------------


B) On SiteB-Gw: Configure the S2S tunnels to SiteA-Gw

 

---------------------------------
Name: SiteB_SiteA_Tunnel1
Remote-Endpoint: SiteA-wan-ipaddress

Note:
- Here, since this is behind a NAT-Router, it will always have to bring up the ipsec tunnel to SiteA
- So in the Advanced settings enable "Keepalive" too


Local-ID-Type: FQDN
Enter-value: siteB.local.net

Local-IP-Type: Subnet
value: 192.168.2.0/255.255.255.0

Remote-ID: Type: FQDN
Enter-value: hubgw.local.net

Remote-IP-Type: ANY

- Also in the Advanced page, just enable DPD and set it to "30s, 120s and clear"
-----------------------------------------------------------------------------

 

C) On AWS-Gw: Configure the S2S tunnels to SiteA-Gw


---------------------------------
Name: AWS_SiteA_Tunnel1
Remote-Endpoint: SiteA-wan-ipaddress


Although it will be very different, a config similar or corresponding to the settings/values below should be applied on AWS-Gw

Local-ID-Type: FQDN
Enter-value: AWS.local.net

Local-IP-Type: Subnet
value: 192.168.3.0/255.255.255.0

Remote-ID: Type: FQDN
Enter-value: hubgw.local.net

Remote-IP-Type: ANY

- Also in the Advanced page, just enable DPD and set it to "30s, 120s and clear"
-----------------------------------------------------------------------------

 

That's it, your Hub-spoke topology with "spoke-to-spoke traffic via Hub" is ready... With this setup/config applied:

- All traffic between SiteB and AWS will now flow via Hub-Gw SiteA in the IPsec tunnels that are established

- The same is true for all traffic flowing from AWS networks to the SiteB network... it will be via HubGw
- And of course once the tunnels are UP, the traffic from SiteA networks to SiteB-networks and AWS-networks will also flow through the tunnels

- Preferably always try to use IKEv2-based tunnels
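As an added illustration (not part of nagrajk1969's post or any Cisco configuration), the following Python model applies the traffic-selector logic described above: with the post's sample subnets, it traces a SiteB-to-AWS flow through both the one-local-subnet setup from the original question and the Local=ANY / Remote=ANY hub-and-spoke setup. Site names and subnets are the post's; the selector-matching functions are an assumed simplification of how an IPsec gateway evaluates its policy, not RV345 code.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")          # the RV "ANY" selector
# Sample LANs from the post: SiteA is the hub, SiteB and AWS are spokes.
LANS = {"SiteA": ip_network("192.168.1.0/24"),
        "SiteB": ip_network("192.168.2.0/24"),
        "AWS":   ip_network("192.168.3.0/24")}

def hub_spoke_policy():
    """Post's selectors: hub Local=ANY, spokes Remote=ANY.
    Each tunnel is (peer, local_selector, remote_selector)."""
    return {"SiteA": [("SiteB", ANY, LANS["SiteB"]), ("AWS", ANY, LANS["AWS"])],
            "SiteB": [("SiteA", LANS["SiteB"], ANY)],
            "AWS":   [("SiteA", LANS["AWS"], ANY)]}

def single_subnet_policy():
    """Original question's setup: one local subnet per tunnel everywhere."""
    return {"SiteA": [("SiteB", LANS["SiteA"], LANS["SiteB"]),
                      ("AWS", LANS["SiteA"], LANS["AWS"])],
            "SiteB": [("SiteA", LANS["SiteB"], LANS["SiteA"])],
            "AWS":   [("SiteA", LANS["AWS"], LANS["SiteA"])]}

def egress_peer(policy, site, src, dst):
    """Outbound check: first tunnel whose selectors accept src->dst, else None."""
    for peer, local, remote in policy[site]:
        if src in local and dst in remote:
            return peer
    return None

def ingress_ok(policy, site, peer, src, dst):
    """Inbound check: a packet from peer must match the mirrored selectors."""
    return any(p == peer and src in remote and dst in local
               for p, local, remote in policy[site])

def trace(policy, src, dst, max_hops=4):
    """List the sites a src->dst packet traverses, or None if a selector
    on the way rejects it (assumed model). src must sit in one of LANS."""
    src, dst = ip_address(src), ip_address(dst)
    site = next(s for s, lan in LANS.items() if src in lan)
    path = [site]
    for _ in range(max_hops):
        if dst in LANS[site]:
            return path
        peer = egress_peer(policy, site, src, dst)
        if peer is None or not ingress_ok(policy, peer, site, src, dst):
            return None
        path.append(peer)
        site = peer
    return None
```

Note that a Remote=ANY selector on a spoke also pulls internet-bound traffic into the tunnel; the model returns None for such a flow because no tunnel at the hub carries it onward, so the hub's own routing and firewall policy decides what happens to it.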