JonyHolt
RV042 gateway to gateway no remote access

Hi, I have two Cisco RV042s with the most current firmware. Both have properly configured gateway-to-gateway connections, and the connection is active.

Inside the router(s) I can use the diagnostics ping to ping anything on the remote network.

However neither network can converse with one another.

Both are on a static IP with no firewall and no NAT, directly connected to a Comcast business-class router with a public IP assigned to each one.

Settings are as follows:

Router #1

Local Security Gateway Type : IP only (Static IP)
Local security group type: Subnet
Local IP: 192.168.1.0
Subnet: 255.255.255.0

Remote Security Gateway Type: IP (Static IP of remote RV042)
Local Security Group type: Subnet
Local IP: 192.168.2.0
Subnet: 255.255.255.0

IKE Preshared
Group 1 768Bit
DES/MD5/1

Phase 2:
Group1 768Bit
3DES/MD5/1

Keep Alive and Dead Peer are on.

Same for remote but flipped local and remote + statics.

Again, the VPN is connected and active. Confirmed working by diagnostic remote pinging from the gateway to a remote client machine. However, the local client machine cannot ping or access the remote one, and vice versa.
Henk van Achterberg

Did you enable the firewall and if so did you create a rule for the vpn?
JonyHolt (ASKER)

I have the firewall disabled. Should I enable it and create an access rule for the traffic? If so what should the rule be?

Thanks!
hypercube
I don't think you can have both of them behind a router as you do. You can do it with *one* of them behind a router but not both, when using them for VPN terminations. Been there, done that. Somewhere there's a document that says this but I can't tell you where it is right now.
So, a better idea is to have at least one of them be the internet gateway with an external public ip address.
Both of them are the internet gateway with an external IP address. The modem (Comcast) has "disable firewall for true static IP" on.
Hmmmmmm.... I posted a response but it's not here.

You say: "neither network can converse with one another" so, if the tunnels are up then this suggests routing or firewall issues.

With the RV042s as the internet gateways, I presume that their LAN addresses are what the computers, etc. are pointed to as "gateway". Then routing to the tunnel should be internal to the RV042 without any other routing needed.

I have seen the lack of file sharing due to the Windows 7 firewall.  So here are instructions I wrote to fix that for site-to-site file access on Windows 7 machines.
Windows-7-File-and-Printer-Shari.pdf
Thanks fmarshall,

I forgot to mention these are all on Mac. By default they should not have a firewall. And I know that they are conversing because the remote router can ping the workstations.
Either they are "conversing" (whatever that means) or they are not "conversing" as you said in your original question posting.  So, which is it?  Please use more common terms like: "can't see shared files" "can't see shared or network printers", etc.
The other thing is name service.  How are you trying to access shared files?  
I'm not used to using Macs. With Windows there can be name service via NetBIOS. The RV042 VPNs can be set to either allow or not allow NetBIOS traffic. Normally I keep the NetBIOS traffic turned off and use IP addresses for access.

On a Windows machine:
Start / Run
\\10.10.10.10     ..... or whatever IP address I want to reach.
and then the shared folders open up in a Windows Explorer window.

So, you need to know how you're connecting.

If only the remote router can ping the remote computers then that means there is something left to configure.

What are the RV042 ip addresses on the LANs?
What is the computer IP address range on the LANs?
What happens if you run a traceroute from a PC to a remote PC?
ASKER CERTIFIED SOLUTION
JonyHolt
There should be no public addresses in the trace.
This suggests that the RV042 isn't routing into the tunnel - which puzzles me.

I don't recall having this issue with internet-based VPNs on the RV042.
But, I'd try this then:

On the RV042s do this:
First, look at the routing table
Setup / Advanced Routing at the bottom of the page: Show Routing Table
Now, I should think that the tunnel setup would have caught the subnets and put them in the routing table.  They should already be there as:
Destination    Subnet              Default Gateway     Hop Count   Interface
192.168.2.0  255.255.255.0    192.168.1.0                     x               tunnelxx

well, something like that.  I don't have one to look at right now.
My recollection is that the interface *will* show one of the tunnels if it's set up.

I was going to suggest that you add a route. But because you need a tunnel to refer to, you should NOT have routes that say:
192.168.2.0  255.255.255.0 goes to the WAN interface!!
Maybe that's what you have, and then I'd suggest you remove it.
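As an added example (not something posted in this thread), here is a small Python script that applies hypercube's two checks, the traceroute test from the earlier post and the routing-table inspection just above, to text pasted from the router and from a LAN host: it finds the most specific route the RV042 holds for the remote subnet and reports whether it points at a tunnel interface, at the WAN, or only at the default route, and it flags any public address appearing in a traceroute from a LAN host. The routing-table rows and traceroute lines are constructed to follow the column layout quoted above; the interface names tunnel1/WAN1/LAN and the 203.0.113.x public addresses are assumptions, and a real RV042 table may lay its columns out differently.

```python
import ipaddress
import re

# RFC 1918 ranges: a trace across a working tunnel should never leave these.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rows in the layout quoted in the thread
# (Destination / Subnet / Default Gateway / Hop Count / Interface).
# Interface names and the 203.0.113.x public addresses are assumptions.
HEADER      = "Destination    Subnet           Default Gateway   Hop Count   Interface\n"
LAN_ROW     = "192.168.1.0    255.255.255.0    0.0.0.0           0           LAN\n"
DEFAULT_ROW = "0.0.0.0        0.0.0.0          203.0.113.1       1           WAN1\n"
TUNNEL_ROW  = "192.168.2.0    255.255.255.0    192.168.1.1       1           tunnel1\n"
WAN_ROW     = "192.168.2.0    255.255.255.0    203.0.113.1       1           WAN1\n"

GOOD_TABLE     = HEADER + TUNNEL_ROW + LAN_ROW + DEFAULT_ROW  # remote subnet via tunnel
BAD_TABLE      = HEADER + WAN_ROW + LAN_ROW + DEFAULT_ROW     # remote subnet sent to WAN
NO_ROUTE_TABLE = HEADER + LAN_ROW + DEFAULT_ROW              # no specific route at all

# Constructed traceroute output from a 192.168.1.x host towards 192.168.2.10.
BAD_TRACE = """traceroute to 192.168.2.10 (192.168.2.10), 30 hops max
 1  192.168.1.1 (192.168.1.1)  0.812 ms
 2  203.0.113.1 (203.0.113.1)  9.105 ms
 3  * * *
"""
GOOD_TRACE = """traceroute to 192.168.2.10 (192.168.2.10), 30 hops max
 1  192.168.1.1 (192.168.1.1)  0.812 ms
 2  192.168.2.10 (192.168.2.10)  41.300 ms
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)


def parse_routing_table(text):
    """Turn the five-column table into route dicts; header/odd rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not IPV4.fullmatch(parts[0]):
            continue
        dest, mask, gateway, hops, iface = parts
        routes.append({"network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                       "gateway": gateway, "hops": hops, "interface": iface})
    return routes


def check_remote_route(routes, remote_subnet):
    """Classify the most specific route covering remote_subnet as
    ('tunnel'|'wan'|'other'|'missing', interface); 'missing' means only the
    default route applies, and the interface returned is the default's."""
    target = ipaddress.ip_network(remote_subnet)
    matches = [r for r in routes if target.subnet_of(r["network"])]
    if not matches:
        return ("missing", None)
    best = max(matches, key=lambda r: r["network"].prefixlen)
    iface = best["interface"]
    if best["network"].prefixlen == 0:
        return ("missing", iface)
    if iface.lower().startswith("tunnel"):
        return ("tunnel", iface)
    if iface.lower().startswith("wan"):
        return ("wan", iface)
    return ("other", iface)


def public_hops(trace_text):
    """Return (hop, address) for every traceroute hop outside RFC 1918 space."""
    leaks = []
    for line in trace_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)   # numbered hop lines only
        if not m:
            continue
        ip = IPV4.search(m.group(2))
        if ip and not is_private(ip.group(0)):
            leaks.append((int(m.group(1)), ip.group(0)))
    return leaks


def diagnose(table_text, trace_text, remote_subnet):
    """Combine both checks into a list of human-readable findings."""
    status, iface = check_remote_route(parse_routing_table(table_text), remote_subnet)
    if status == "tunnel":
        findings = [f"{remote_subnet} is routed into {iface}; routing looks right"]
    elif status == "missing":
        findings = [f"no specific route for {remote_subnet}; traffic follows the default "
                    f"route via {iface}, so the tunnel is not being used"]
    else:
        findings = [f"{remote_subnet} is routed to {iface} instead of a tunnel; "
                    "remove that route so the tunnel route takes effect"]
    leaks = public_hops(trace_text)
    if leaks:
        findings.append("traceroute leaves private address space at hop(s) "
                        + ", ".join(f"{hop} ({addr})" for hop, addr in leaks))
    else:
        findings.append("traceroute stays inside private address space")
    return findings


if __name__ == "__main__":
    for label, table, trace in (("working", GOOD_TABLE, GOOD_TRACE),
                                ("route to WAN", BAD_TABLE, BAD_TRACE),
                                ("no route", NO_ROUTE_TABLE, BAD_TRACE)):
        print(f"[{label}]", *diagnose(table, trace, "192.168.2.0/24"), sep="\n  - ")
```

To use it on a real pair of routers, paste the output of Setup / Advanced Routing / Show Routing Table in place of the constructed table and the output of `traceroute 192.168.2.10` (or `tracert` on Windows) from a LAN host in place of the constructed trace; a public hop or a remote-subnet route on the WAN interface is the symptom hypercube describes, and the fix is to remove the stray route so the tunnel route is used.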
Great answer, I had to do a little bit of a workaround but was able to get it up and running =)