yes NAT-T and the rest of the advanced options ON and OFF have been part of the many permutations that I have tried - also VPN passthrough enabled on the ADSL gateways (and the UDP ports noted forwarded to the RVO42).

My guess is its something to do with the local/remote group setup - theres nothing in the RV042 manual about what the setup should be when behind a gateway - all the descriptions assume that the RV042 has a public IP address which of course neither of my RV042's do - of course could be something missing on the gateway configuration 

Hello Steve,

Generally the Small Business routers need to be on the edge themselves, with the public IP on the WAN interface of our device.  The reason for that is because the WAN IP is what the routers use to identify each other when establishing the VPN connection. 

That is why there is no recommended setup for when you are behind a gateway, because it usually just doesn't work.  In fact when we get calls here at the Small Business Support Center if the public IPs are not on our device we cannot support that setup.  You have to get the ISP to bridge the modems first.

Your best bet really would be to convince your ISP to bridge your modems, it is quite unusual that they won't do that for you. 

However, your main question here seems to be what your local and remote groups should be so let's focus on that.

From your diagram it looks like site 1 has a LAN subnet of 192.168.100.0/24 and site 2 has a LAN subnet of 192.168.101.0/24.

In that case your local group on site 1 will be 192.168.100.0 255.255.255.0 and the remote will be 192.168.101.0 255.255.255.0.  Then you simply reverse those on site 2. 

One other thing that popped into my head is you mentioned one of the modem's was recently replaced, is it possible the DMZ or port forwards were not reconfigured?

You can also post the log messages if you have them, they may be able to tell us what is going wrong.

Thank you for choosing Cisco,

Christopher Ebert

----

Network Support Engineer - Cisco Small Business Support Center

Still not sure of your local and remote group suggestion - I improved the diagram (attached) so that my expected configuration is shown in detail but I have tried countless other permutations - I guess basically I just dont understand the local group requirement in particular and how the security grouping works in general.

I reckon both modems respective DMZ and port forwarding is good in my configuration as remote PPTP clients have no trouble connected to either site (obviously different ports on gateway to gateway but I have shown these in the diagram for clarity).

User kivanova has noted that both R042's are on 192.168.1.0 private subnets - something new for me to try - probably best that they are different any case

regards

steve

Thank you for the updated diagram.  Going off of that it looks like you have all the settings correct as far as local and remote group go.

I agree Kremena and would also suggest changing the WAN IPs of the two RV042s to be in different subnets. 

Another issue you may be having here is that you are using FQDN with dynamic IPs on both ends, this usually doesn't work.

Try changing one side to be set to IP by DNS resolved, that way you can still use the dyndns name but it will resolve to the correct IP.

Christopher Ebert

----

Network Support Engineer - Cisco Small Business Support Center

Fixed the subnet clash (192.168.100.0) according to Kremena's suggestion and changed both remote group settings to IP to DNS resolved. Also managed to get the main office modem into bridge mode so now at least one RV042 has its WAN side on the public internet. Outcome is the tunnel test button shows enabled and the status is now waiting for connection but it never connects - getting closer at least

A thought occurred to me - should the remaining RV042 behind the modem/firewall be configured in router mode rather than gateway mode?

Hello Steve,

Once the tunnel are setup you may have to go and actually hit the connect button to bring the tunnel up.  Before you do that you should enable the debug logging level so any errors and issues will show up in the logs, which can help us figure out what is going on.

As for router vs gateway mode, it sort of depends.  When the router is in router mode the firewall and NAT/PAT are both disabled, meaning the traffic leaving the WAN of the RV won't be translated.  Whether that will work or not depends on your modem/router and whether it will NAT for the subnet behind the RV as well.

Christopher Ebert

----

Network Support Engineer - Cisco Small Business Support

Thanks again Christopher

Ok so now it works - see attached for final configuration - think getting the modems more favourably configured helped but it was getting the correct local and remote group settings that is crucial.

My only nagging doubt is the local group IP only forces the dynamic WAN IP address at the time of configuration and does not give the IP by DNS Resolved option that appears on the remote group same selection. What happens to the VPN tunnel if the ISP randomly changes the IP address we get (which has happened) as we dont have a guaranteed assignment. I guess the simple answer is manual edit the VPN tunnel config when it does (hope it doesn't happen too often)

Hello Steve,

I'm not quite sure I understand your question, but let me see.

I noticed you changed on site to just IP, you should still be able to use the FQDN option, that way when the ISP assigned IP does change it should resolve using the dyndns entry you had earlier.  You only run into an issue when you use FQDN on both sides, but FQDN and IP by DNS resolved should work just fine, so go ahead and give FQDN on one side and IP by DNS resolved on the other.

Your diagram also seems to group the local group and the IP address of the gateway together, but these settings are really separate.  You have control over your local group, it is your inside subnet.  The local IP is just the identifier for the router itself, they are independent of each other.

I would also strongly suggest a different password, although I'm guessing that is just there for testing purposes.

Let me know how that goes,

Christopher Ebert

Hi Christopher

Anything other than "IP Only" option for the local group setup local group security type gives Tunnel Test not available. Maybe I am doing something wrong - can you be a little more specific with the FQDN/IP Only local and remote group settings

Thanks

Steve

I have several vpn links set up using IP only on dynamic setups.  What I will say is that it will break the tunnel when it changes, but it may not be so bad if your tunnel is always up and the ISP doesn't randomly change IPs that are currently in the DHCP pool.

As far as you diagram, the only thing I'd change is the keep alive and dead peer options--I've actually seen these cause problems on keeping tunnels up.

I've had setups behind routers work perfectly fine with Netgear VPN routers.  Theirs don't require that the local IP match the external IP.
 

thanks Samir - will keep the dead peer and keep alive as possible causes of trouble. Thanks for the Netgear steer hopefully wont need to do any further infrastructure planning for some time...

Hi,

In the configuration of every router for remote gateway you need to configure the public IP on the remote side and because the local gateway is the private IP on the WAN port, you need to enable NAT traversal.

If you have dynamic IPs on the modems, do you use FQDN or some domains?

Also, the problem could come from the fact that the WAN ports on both RVs are configured with the same range IPs - 192.168.1.X/24. Try correcting that.

Regards,

Kremena

thanks Kremena - the 192.168.1.x subnet clash hadnt occurred to me - something new for me to try out at least.

See my response to user chrebert with a more detailed networking diagram if you have any further interest.

regards

steve