Site to Site VPN using Linksys RV042

We've got an urgent problem.  We've got two sites, each with a T1 to the internet.  The main site has about 200 network devices hooked up to it, multiple subnets, wireless bridges linking some other remote sites together, etc.  Lots of stuff going on there.  We need to hook up a remote location through the internet via VPN so the remote site will be able to access the devices on the subnet at the main site.  We've got two Linksys RV042 VPN routers.  However, I don't know if these are going to do what we need to do.  After spending over an hour on the phone with Linksys, it appears the only way they will work is if we plug the Internet port on the Linksys VPN routers directly into the T1 routers on either side.  Now at the remote site, there will only be about 25 network devices and just one subnet, so it wouldn't be a big deal to have the T1 router plug into the Linksys, then into their network switch.  But at the main location, the T1 router has all kinds of rules for port forwarding and routing all the subnets together.  There's no way we could plug the Linksys in between the router and the rest of the network.  I don't even think the Linksys could handle that amount of routing and traffic anyway.  And if we plug the internet port on the RV042 and the LAN port into the same switch at the main site, that seems to create some sort of looping problem, as I thought it might.  We can get the VPN link from site to site established but we can't access the local networks from either side.

So our problem is... we need to figure out how to link the two sites via VPN without disturbing the network at the main site.  The main location has a Cisco 2600 T1 router and the remote site has a Cisco 1700 T1 router.  Neither one has VPN capabilities as far as I can tell.  I was hoping we'd be able to just plug some kind of device into the switch at the main site and just have it create the bridge that way.  We've got three wireless links at this location that work that way, we just plug the wireless bridge into the switch on either side of the link and the networks are just all connected.  I thought the VPN could work the same way.  Any help on this would be greatly appreciated as we're under a time crunch to get this thing working ASAP.
tealnet asked:
lrmoore commented:
Dagggum it...if it ain't one thing, it's another.  I think the idea to split the subnet and assign it to the E 1/0 / RV042 will work...
Try setting up a 2nd tunnel on the peer RV042, with peer ID 10.241.182.239

OR:

Change the e0/0 address mask:
     Ethernet 0/0
     ip address 64.1.246.34 255.255.255.248 secondary
   Ethernet 1/0
     ip address 64.1.246.41 255.255.255.248

RV042 = 64.1.246.42


lrmoore commented:
The difference is that you must route between subnets, you are not simply bridging the two LAN's like with your wireless.

Routing seems to be the major issue besides trying to put both interfaces into the same switch. Let me see if I can diagram it out for you, what you are trying to accomplish

Main                                                                                      Remote
LAN switch--Firewall --switch----Router -------Internet ----------Router -----switch--Firewall- switch--LAN
                                     |  Wan Public IP                                                | Wan Public IP
                      LAN --\--RV042    ------------VPN Tunnel ------------------  RV042---/--LAN

This scenario assumes the following:
Each RV042 has a Public IP on the WAN interface
Each RV042 has a Private IP on the LAN interface
There is a firewall sandwiched between two switches at each site
You can't plug both interfaces of the RV042 into the same switch, unless you have separate VLAN's
The Routers are not doing NAT, the firewall is
The Firewall needs a route statement for the remote LAN pointing to the LAN IP of the RV042

If you don't have a firewall, and the router is doing all the NAT, then you need to create a separate VLAN for the WAN interface of the RV042 and map a static public IP address to it, and plug the LAN interface into the LAN switch.

If there is no firewall, and you are not doing NAT at the router and all internal hosts on both ends have public IP's, then we've got a lot more to talk about than making this VPN work...
tealnet commented:
The router at the main site is doing NAT, there is no other firewall.  However, the switches at that site are not managed switches, so I cannot use those to create a VLAN.  However, at one of the remote locations, we do have managed switches.  That is on one of the bridged wireless connections.  I suppose I could put the Linksys out there and set up the VLAN on that switch, couldn't I?
lrmoore commented:
Hmmm.. let me think on this one for a while...

No firewall at main, how about remote? Is that router doing NAT, too?
tealnet commented:
Right now the router at the remote site isn't doing anything really, the configuration is all default... it can do NAT... but we planned on just letting the Linksys VPN router handle everything since there's not going to be much stuff hooked up out there.
lrmoore commented:
OK, well that side is easy, then...

Only one Ethernet interface on the Main site router?
That's still going to be a bugger...I've got my thinking cap on. I'll get back to you..
lrmoore commented:
Your best bet long term may be to put in something like a PIX FW at the Main and use the Linksys at remote sites. I know the PIX-Linksys VPN works....
tealnet commented:
Yah, only one ethernet interface on the main router... my biggest problem is I sort of need this link up and running by tomorrow afternoon.  I was only given two days to get this working... so it's not really my fault... but if I can at least get something working by tomorrow, lots of people will be very happy.

I had a thought, and maybe you could save me the trouble of trying this if you know it won't work.  I've got a Dell server out at the main site with dual NICs.  We're only using one NIC right now on the private network that we want access to from the remote location.  So could I plug the internet port of the Linksys into the second NIC on the Dell server, then the Linksys LAN port into our switch, and route it that way?  The second NIC on the Dell has a public IP already assigned to it which is accessible from the internet... am I on the right track?
lrmoore commented:
That could work....
Enable routing on it. Put a static route on your router that points to the Dell for the remote network..

Good thinking!

Another thought - any old linksys or dlink router from the local office supply would work just as well

  router----switch----RV042 WAN
                    |               |
                    |          Router2
                    |________ |
       
Router NATs public IP to RV042 WAN IP, which is, say, 192.168.122.22
RV042 has totally different network on LAN side, say 192.168.255.1
Router 2 (Dell server or little soho router) WAN side, 192.168.255.2
                                                            LAN side, 192.168.122.25
Router has a route for remote network, points to 192.168.122.25

This could work!                    
tealnet commented:
I'll give this a shot tonight and let you know!  Thanks!!
lrmoore commented:
How'd it turn out? Any luck?
tealnet commented:
I got a little bit of a stay of execution... for about a week... but I haven't had a chance to try the router thing.  Actually the more I think about it, the more I don't think that will work.  Because the Linksys VPN router would end up being behind another router, like a little Linksys router.  So would the VPN router be able to link up with the other end being behind another router like that?
tealnet commented:
It looks like I may just have to get a PIX 501... If I hooked that up between the main Cisco T1 router and the rest of the network... it should be able to handle network traffic for a couple hundred devices, right?
lrmoore commented:
The 501 is designed for SOHO <50 users
I would go with at least a PIX 515e for that many devices..

tealnet commented:
Before I tell these folks that they're going to have to drop about $5k on a new router... is there any other devices that could do more of a VPN Bridge?  Kind of like we're doing with the wireless bridges.  We don't really need "routers".  Or is that the only way the vpn thing will work?
lrmoore commented:
That's the only way a VPN works. It's a Layer 3 contraption..
You can get a PIX515, Restricted license, 3 10/100 interfaces for well under $3500. List price brand new is $3695
You can expect to pay 25-30% below list..somewhere like CDW
http://www.cdw.com/shop/products/default.aspx?EDC=368664

tealnet commented:
True, I was looking at the unrestricted one... so it's not AS bad.

Back to these little Linksys boxes... what if I put the Linksys VPN device at the main site into router mode instead of gateway mode.  Would that solve any problems?  Right now, I can get the VPN link established the way I have it hooked up.  The problem is, as soon as I set the IP address for the private interface to be the same as the network I'm plugging into, I get this loop and my Cisco router starts having a heart attack because it's getting blasted with packets.  Would the router mode stop that from happening?
lrmoore commented:
No. Router mode won't make any difference. The issue is that you have to have the same IP subnet on both ends the way you are using it. You can try putting it in place in direct line between the router and the switch, in router mode. This only requires moderate changes on the router since it's doing the NAT, or you can leave it in Gateway mode and double-nat. Same thing you're planning to do with a PIX. I'll bet it's got at least as much horsepower as the 501 and may serve just fine for the short time needed until you can get a more appropriate firewall in there..
lrmoore commented:
It would be cheaper/easier to just get a NM-1E extra Ethernet port for the existing 2600 router and be done with it...
NM-1E list price is only $1000
probably find one on ebay for $100 or so...
tealnet commented:
Ahh, that's a good idea... so I'd be able to hook the Linksys VPN device from the internet port into the second ethernet port on the router... and hook one of the LAN ports up into the main switch, and everything should be okay?
lrmoore commented:
You got it...
tealnet commented:
Just picked one up on eBay for $119, brand new :)  Should be here by the end of the week and I'll see if I can get this thing working!
tealnet commented:
Okay, so tell me if this is something I should start a new question about or if I'm just being a goof... but I put the NM-1E card in and it's not showing up as an interface... am I missing something real simple?  I've got lights on the back... the link light is on (I have it connected to the Linksys VPN router), but the act light is also on solid.

And yes, I shut off the power before putting the card in :)
lrmoore commented:
What version IOS are you running?
Which exact model 2600? 2610, 2620?
tealnet commented:
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)

cisco 2620 (MPC860) processor (revision 0x600) with 26624K/6144K bytes of memory.
lrmoore commented:
You might need 12.0(5) XK1 or 12.1(13a) or 12.1(5)T12
Do you have 8Mb flash? "sho flash" will tell you..
tealnet commented:
System flash directory:
File  Length   Name/status
  1   4209848  c2600-i-mz.120-7.T
[4209912 bytes used, 4178696 available, 8388608 total]
8192K bytes of processor board System flash (Read/Write)


Should I just upgrade the IOS and see what happens?
lrmoore commented:
Yes. Any of these versions should work
tealnet commented:
I have never upgraded the IOS of a Cisco device before.  Do we have to pay for these upgrades?  Cisco's web site won't let me download it without being a partner or something.
lrmoore commented:
Is the router still under warranty? If so, you should be able to contact Cisco TAC and give them the serial number of the router and they should be able to get you a version of IOS that has the drivers for this module.

tealnet commented:
No, we've had it for about 4 years.  I'm pretty sure it's not under warranty any more.
lrmoore commented:
Oh, noooooooo, Mr. Billllllllllll....
I'll see what I can do to post it somewhere for you. Give me until this evening..
tealnet commented:
Any luck?  I really appreciate your help with this...
lrmoore commented:
Two images that you can try. Start with the  first "T" train image:

http://pcresq.dyndns.org/c2600-i-mz.121-5.T9.bin

If that doesn't work, try this one:
http://pcresq.dyndns.org/c2600-i-mz.121-25.bin
tealnet commented:
I flashed it with that first one and it still doesn't show the additional interface, so I should try that second one now?
tealnet commented:
Well I went ahead and loaded the second one and still no ethernet port is showing up in the interfaces or controllers...
lrmoore commented:
Are you sure it was a new module? You might have been screwed...
lrmoore commented:

tealnet commented:
It said new... it was sealed with all the special yellow stickers... and the Cisco info sticker on the box was sealed... but I suppose this could be a bunk module... I'll try this one tonight and let you know what happens.
tealnet commented:
I'm getting an error when I try to download that... page not found...
lrmoore commented:
Try the link again....
tealnet commented:
Man.. this is a bummer.. got that loaded but still nothing in the interfaces or controllers.... is there anything else that needs to be done to get that thing to show up... or should it just be there?
lrmoore commented:
It should just be there. I went through Cisco's software advisor "find software compatible with my hardware", 2620 + NM-1E and these three IOS versions came right from there. If it doesn't show up, it may very well be bad hardware.

What does 'show ver' say?
tealnet commented:
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(19c), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Thu 20-May-04 19:57 by cmong
Image text-base: 0x8000808C, data-base: 0x80A1857C

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)

Router uptime is 47 minutes
System returned to ROM by reload
System image file is "flash:c2600-i-mz.122-19c.bin"
lrmoore commented:
What about the rest of it where it lists all the hardware?
tealnet commented:
oh, of course...

cisco 2620 (MPC860) processor (revision 0x600) with 28672K/4096K bytes of memory
.
Processor board ID JAD05250PHR (1312729995)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
lrmoore commented:
It's just not seeing the board. I don't know what else to think other than that the module is defective...
tealnet commented:
I think you may be right... I'll see how quickly I can get another here......
lrmoore commented:
Are you sure you got the NM-1E full-sized module, or the WIC-1E palm-sized module? The WIC-1E won't work in a 2600 at all.
tealnet commented:
No, it's the full size one that takes up that big slot.  I know the little one you're talking about, like the T1/CSU card.  I'm going to be talking to the guy I bought it from this morning.  He says he'll swap it for me.
lrmoore commented:
Are you still working on this? Can we be of any more assistance?
Any  luck??
tealnet commented:
I just got a working NM-1E installed tonight and will be trying to configure the VPN.  I'll let you know how it goes.
tealnet commented:
Okay, so I've got the new Ethernet interface up... the VPN is connected... but I'm getting traffic between the two networks... don't I need to add some sort of default route between the two interfaces in the router so it knows to route remote traffic trying to access the main network together?  Or should this just be working?
tealnet commented:
I meant to say I'm not getting traffic between the two networks...
lrmoore commented:
Yes, you need to add a route on this router..

  ip route <remote subnet> mask <inside ip of RV042>

tealnet commented:
I must be confused... or my brain is just fried from dealing with this for weeks... but should the Internet port... or the LAN port of the Linksys VPN be plugged into the new ethernet port in the main router?
lrmoore commented:
        Internet
             |
          2600
   Eth0/0    Eth1/0
      |            |   WAN
  Switch     RV042
      |_______|   LAN

Here's just one way to do it. I'd have to see the complete 2600 config to make any other suggestions...
2600 can provide static NAT to RV042's WAN IP, and route statement for remote site:

Eth0/1 IP = 192.168.155.1/24
RV042 WAN IP = 192.168.155.2 /24
RV042 LAN IP = 192.168.122.2 /24  <== same subnet as Eth 0/0

   ip nat inside source static 192.168.155.2 <public ip>
   ip route <remote LAN subnet> 255.255.255.0 192.168.122.2

It really depends on how you currently have NAT setup and where/how you have the public IP's setup on the 2600..


tealnet commented:
Right now the 2600 is doing NAT for all pc's on the main network.  Is there anything that needs to be configured on the new Ethernet interface to get it to work with this setup?  Right now I've just got an IP assigned to it.  Does it need to be in the NAT pool also?
lrmoore commented:
No, it does  not have to be in the NAT pool, because you are going to assign a static nat ..
Just make sure that whatever subnet you assign to this ethernet interface and the RV042 WAN interface is not included in the nat rules as they go out the T1 interface...


example:

   ip access-list 1 permit 192.168.122.0 0.0.0.255  <-- does not include the .155.x subnet

   ip nat inside source list 1 interface Serial0/0 overload  <-- or "pool", whichever you are using.

   ip nat inside source static 192.168.155.2 1.2.3.4  <-- do you have a spare public IP that you can assign?
 



tealnet commented:
I've got all that setup correctly and I have a free public IP that I've created a static NAT entry for.  But with it setup this way, I can't even establish the VPN connection.  I also can't ping the public IP address from the internet... like that static NAT entry isn't working.
lrmoore commented:
Can you post your 2600 config?
Do you have any inbound access-lists that will prevent communications from the other public IP?
Did you permit icmp to the RV042 in its config? It may be disabled by default...

tealnet commented:
no ip domain-lookup
ip dhcp excluded-address 10.241.185.200
!
ip dhcp pool pool185
   network 10.241.185.0 255.255.255.0
   default-router 10.241.185.200
   domain-name lasher
   dns-server 10.241.184.1
!
!
!
!
interface FastEthernet0/0
 description connected to EthernetLAN
 ip address 10.241.184.200 255.255.255.0 secondary
 ip address 192.168.10.1 255.255.255.0 secondary
 ip address 10.241.185.200 255.255.255.0 secondary
 ip address 64.1.246.34 255.255.255.240 secondary
 ip address 10.241.183.200 255.255.255.0
 ip access-group 119 in
 ip nat inside
 ip route-cache same-interface
 ip route-cache policy
 duplex auto
 speed auto
!
interface Serial0/0
 description connected to Internet
 ip address 67.109.42.202 255.255.255.252
 ip access-group 169 in
 ip access-group 169 out
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 no fair-queue
 service-module t1 remote-alarm-enable
!
interface Ethernet1/0
 ip address 10.241.182.1 255.255.255.0
 full-duplex
!
router rip
 version 2
 passive-interface Serial0/0
 network 10.0.0.0
 no auto-summary
!
ip nat pool Router-natpool-17 64.1.246.35 64.1.246.35 netmask 255.255.255.240
ip nat inside source list 1 pool Router-natpool-17 overload
ip nat inside source static tcp 10.241.185.1 5900 64.1.246.35 5900 extendable
ip nat inside source static tcp 10.241.185.1 5800 64.1.246.35 5800 extendable
ip nat inside source static tcp 10.241.183.1 23 64.1.246.35 23 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 10.241.186.0 255.255.255.0 10.241.183.30
no ip http server
ip http port 12337
!
access-list 1 permit 10.241.183.0 0.0.0.255
access-list 1 permit 10.241.184.0 0.0.0.255
access-list 1 permit 10.241.185.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 119 deny   icmp host 10.241.183.88 any echo
access-list 119 permit ip any any
access-list 119 deny   ip 192.168.10.0 0.0.0.255 10.241.183.0 0.0.0.255
access-list 119 deny   ip 192.168.10.0 0.0.0.255 10.241.184.0 0.0.0.255
access-list 119 deny   ip 192.168.10.0 0.0.0.255 10.241.185.0 0.0.0.255
access-list 119 permit ip 192.168.10.0 0.0.0.255 any
access-list 119 permit icmp host 10.241.183.88 any echo
snmp-server engineID local 000000090200000653C66720
snmp-server community public RO
snmp-server enable traps tty
!

tealnet commented:
I have made sure that ICMP packets are allowed on both RV042's
tealnet commented:
Ooops.. that was a slight older copy... it's missing this:

ip nat inside source static 10.241.182.239 64.1.246.37
lrmoore commented:
Well....oh dear... we have another "toad in the road"
I should have asked to see this config long time ago...

interface FastEthernet0/0
  ip address 64.1.246.34 255.255.255.240 secondary <-- because this subnet is applied to the Fast 0/0 interface, we may not be able to static NAT over to another interface...
Q: do you actually have any devices with public IP address assigned on the inside LAN?
If no, then we need to simply remove that as a secondary before we can add a static
If yes, then we may just be able to assign the public IP directly to the WAN port of the RV042, with its default gateway .34
Keep the LAN port of the RV042 as it is, and keep the static route...
Or, split that subnet between the two interfaces:
   Ethernet 0/0
     ip address 64.1.246.34 255.255.255.248
   Ethernet 1/0
     ip address 64.1.246.41 255.255.255.248
And simply address the RV042 WAN port with 64.1.246.42 - no nat anywhere

interface Serial0/0
 description connected to Internet
 ip address 67.109.42.202 255.255.255.252
 ip access-group 169 in   <=== there is no access-list 169 defined!
 ip access-group 169 out

I don't see where you've tried to make the static:
   ip nat inside source static 10.242.182.2 64.1.246.36  <-- assuming that the WAN port of RV082 is 10.242.182.2, and .36 is your spare IP...

tealnet commented:
The problem seems to be that the second Ethernet interface in the router cannot access the internet.  From the RV042 I cannot ping out to the internet.  I can ping the 2600 on any of its IPs, but not the internet.
tealnet commented:
Okay, I see what you're saying.  There's nothing on the inside of the network that needs a public IP.  Everything is private or NAT'd from the outside in (as you can see).  I will remove that entry and see what happens.
lrmoore commented:
I think it's because of the interface overlap with that public ip block assigned to the Eth 0/0 interface
oh, oh, ...

add this?

 interface Ethernet 1/0
   ip nat inside  <---???  else it won't even try to use the static nat...

tealnet commented:
Ah yes, I had that in there at one point.  Okay... so the static NAT is there, I removed that secondary public IP from Fa0/0 and now I can access the internet from the RV042 and I can ping it from the internet... so the static NAT appears to be directing traffic properly.  But the VPN connection cannot be established.
tealnet commented:
This is what the VPN log says when I try to establish the link from the remote site:

Oct 12 12:40:56 2004     VPN Log    Main mode peer ID is ID_IPV4_ADDR: '10.241.182.239'  
Oct 12 12:40:56 2004     VPN Log    No suitable connection for peer '10.241.182.239', Please check Phase 1 ID value  


tealnet commented:
It seems to have a problem with the static NAT:

We require peer to have ID '64.1.246.37', but peer declares '10.241.182.239'
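The 2600 problems lrmoore walks through above (the public /28 left as a secondary on Fa0/0, `ip access-group 169` with no list 169 defined, the missing `ip nat inside` on Ethernet1/0, keeping the RV042 transit subnet out of the overload NAT list) and the phase-1 ID mismatch in the log just above can all be spotted mechanically before the tunnel is even attempted. The script below is an added example, not code from the thread or from either participant. It runs those checks against an abridged copy of the 2600 config posted earlier (embedded as sample input), using function names of my own choosing, and reports which inside-global address the remote RV042 will see after static NAT, which is the phase-1 ID it will require unless the near RV042 is configured to send that address instead of its private WAN IP.

```python
# Added example (not from the thread). Sanity checks for the 2600 config that
# fronts an RV042: undefined access-groups, interfaces with no NAT role,
# static-NAT globals that live on an inside LAN subnet, whether the RV042
# transit address is swallowed by the overload NAT list, and the IKE IDs.
# SAMPLE_CONFIG is abridged from the config posted in the thread.
import ipaddress

SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.241.184.200 255.255.255.0 secondary
 ip address 64.1.246.34 255.255.255.240 secondary
 ip address 10.241.183.200 255.255.255.0
 ip access-group 119 in
 ip nat inside
!
interface Serial0/0
 ip address 67.109.42.202 255.255.255.252
 ip access-group 169 in
 ip access-group 169 out
 ip nat outside
!
interface Ethernet1/0
 ip address 10.241.182.1 255.255.255.0
!
ip nat inside source list 1 pool Router-natpool-17 overload
ip nat inside source static tcp 10.241.185.1 5900 64.1.246.35 5900 extendable
ip nat inside source static 10.241.182.239 64.1.246.37
access-list 1 permit 10.241.183.0 0.0.0.255
access-list 1 permit 10.241.184.0 0.0.0.255
access-list 119 permit ip any any
"""


def parse_config(text):
    """Minimal IOS parser: interface addresses, NAT roles, access-groups,
    access-list entries, one-to-one static NAT and the overload list number."""
    cfg = {"interfaces": {}, "nat_role": {}, "access_groups": [],
           "acls": {}, "static_nat": {}, "nat_list": None}
    iface = None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):          # left interface sub-mode
            iface = None
        p = line.split()
        if p[0] == "interface":
            iface = p[1]
            cfg["interfaces"].setdefault(iface, [])
        elif iface and p[:2] == ["ip", "address"]:
            cfg["interfaces"][iface].append(ipaddress.IPv4Interface(f"{p[2]}/{p[3]}"))
        elif iface and p[:2] == ["ip", "nat"]:
            cfg["nat_role"][iface] = p[2]       # "inside" or "outside"
        elif iface and p[:2] == ["ip", "access-group"]:
            cfg["access_groups"].append((iface, p[2], p[3]))
        elif p[0] == "access-list":
            cfg["acls"].setdefault(p[1], []).append(p[2:])
        elif p[:5] == ["ip", "nat", "inside", "source", "static"] and p[5] not in ("tcp", "udp"):
            cfg["static_nat"][p[5]] = p[6]      # inside-local -> inside-global
        elif p[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_list"] = p[5]
    return cfg


def std_acl_permits(entries, addr):
    """Evaluate a standard ACL: wildcard-mask semantics, first match wins,
    implicit deny at the end."""
    a = int(ipaddress.IPv4Address(addr))
    for action, *rest in entries:
        if rest[0] == "any":
            hit = True
        elif rest[0] == "host":
            hit = int(ipaddress.IPv4Address(rest[1])) == a
        else:
            net = int(ipaddress.IPv4Address(rest[0]))
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
            mask = ~wild & 0xFFFFFFFF            # 0 bits in the wildcard must match
            hit = (a & mask) == (net & mask)
        if hit:
            return action == "permit"
    return False


def undefined_access_groups(cfg):
    """access-group statements whose list number has no access-list lines."""
    return [g for g in cfg["access_groups"] if g[1] not in cfg["acls"]]


def interfaces_without_nat_role(cfg):
    """Addressed interfaces with neither 'ip nat inside' nor 'ip nat outside'."""
    return sorted(i for i, a in cfg["interfaces"].items() if a and i not in cfg["nat_role"])


def nat_globals_on_inside_lan(cfg):
    """Static-NAT global addresses that fall inside an 'ip nat inside' subnet."""
    return [(glob, i) for glob in cfg["static_nat"].values()
            for i, addrs in cfg["interfaces"].items()
            if cfg["nat_role"].get(i) == "inside"
            and any(ipaddress.IPv4Address(glob) in a.network for a in addrs)]


def transit_host_in_overload_list(cfg, host):
    """True if the overload (PAT) list would also translate this host."""
    return std_acl_permits(cfg["acls"].get(cfg["nat_list"], []), host)


def ike_ids(cfg, rv042_wan):
    """(ID the RV042 declares by default, ID the far end will require)."""
    return rv042_wan, cfg["static_nat"].get(rv042_wan)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("undefined access-groups:", undefined_access_groups(cfg))
    print("interfaces without NAT role:", interfaces_without_nat_role(cfg))
    print("static NAT globals on inside LAN:", nat_globals_on_inside_lan(cfg))
    print("RV042 WAN caught by overload list:", transit_host_in_overload_list(cfg, "10.241.182.239"))
    print("IKE IDs (declared, required):", ike_ids(cfg, "10.241.182.239"))
```

Against the sample it flags the two `access-group 169` lines, Ethernet1/0 as having no NAT role, and 64.1.246.37 as sitting on FastEthernet0/0's secondary /28; the transit address 10.241.182.239 is correctly absent from list 1, and the ID pair comes back as (10.241.182.239, 64.1.246.37), which is exactly the mismatch the RV042 log reported.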
tealnet commented:
Okay, got that setup... VPN is connected... but no traffic between the two.  Can't even ping one RV042 router from another.
tealnet commented:
But wait... from the 2600 I can ping everything on the remote network.....
tealnet commented:
I can also ping the remote network from a pc on the main network... that's further than I ever got before!
lrmoore commented:
And you have the RV042 LAN connected as 10.241.183.30?

And this is still in place? Assuming that .186. is the remote lan on the backside of the other RV042?
ip route 10.241.186.0 255.255.255.0 10.241.183.30

Try adding a static route on your PC just for testing:
  C:\>route add 10.241.186.0 mask 255.255.255.0 10.241.183.30


tealnet commented:
WAIT.. the whole thing works!!! OMG!!  I think we've got it!!
tealnet commented:
For some reason I can't ping from the RV042 routers themselves... but all the pc's on either side can communicate with each other.
tealnet commented:
I can't thank you enough for all your help.  If there's any way to double the points, I would certainly request it.  You've been more than helpful.  This is such a load off my shoulders!  Thanks again, and again!
lrmoore commented:
Wooooohooooo!!!!

Been a long road, but I'm glad it's working!

-Cheers!
tealnet commented:
One more quick question... what if I want the remote network to be able to access some of those other subnets on the main network.  Like the 10.241.184.0 network.  They can't right now.
lrmoore commented:
On the remote RV042, I would create a new tunnel - all the same parameters - for each subnet that you want to reach... that should be all you need to do.
