Solved

Site to Site VPN using Linksys RV042

Posted on 2004-09-17
Last Modified: 2011-08-18
We've got an urgent problem.  We've got two sites, each with a T1 to the internet.  The main site has about 200 network devices hooked up to it, multiple subnets, wireless bridges linking some other remote sites together, etc.  Lots of stuff going on there.  We need to hook up a remote location through the internet via vpn so the remote site will be able to access the devices on the subnet at the main site.  We've got two Linksys RV042 VPN routers.  However, I don't know if these are going to do what we need to do.  After spending over an hour on the phone with Linksys, it appears the only way they will work is if we plug the Internet port on the Linksys VPN routers directly into the T1 routers on either side.  Now at the remote site, there will only be about 25 network devices and just one subnet, so it wouldn't be a big deal to have the T1 router plug into the linksys, then into their network switch.  But at the main location, the T1 router has all kinds of rules for port forwarding and routing all the subnets together.  There's no way we could plug the linksys in between the router and the rest of the network.  I don't even think the Linksys could handle that amount of routing and traffic anyway.  And if we plug the internet port on the RV042 and the lan port into the same switch at the main site, that seems to create some sort of looping problem, as I thought it might.  We can get the VPN link from site to site established but we can't access the local networks from either side.

So our problem is... we need to figure out how to link the two sites via vpn without disturbing the network at the main site.  The main location has a Cisco 2600 T1 router and the remote site has a Cisco 1700 T1 router.  Neither one has VPN capabilities as far as I can tell.  I was hoping we'd be able to just plug some kind of device into the switch at the main site and just have it create the bridge that way.  We've got three wireless links at this location that work that way, we just plug the wireless bridge into the switch on either side of the link and the networks are just all connected.  I thought the VPN could work the same way.  Any help on this would be greatly appreciated as we're under a time crunch to get this thing working asap.
81 Comments

Expert Comment by lrmoore (ID: 12088876):
The difference is that you must route between subnets, you are not simply bridging the two LAN's like with your wireless.

Routing seems to be the major issue besides trying to put both interfaces into the same switch. Let me see if I can diagram it out for you, what you are trying to accomplish

Main                                                                                      Remote
LAN switch--Firewall --switch----Router -------Internet ----------Router -----switch--Firewall- switch--LAN
                                     |  Wan Public IP                                                | Wan Public IP
                      LAN --\--RV042    ------------VPN Tunnel ------------------  RV042---/--LAN

This scenario assumes the following:
Each RV042 has a Public IP on the WAN interface
Each RV042 has a Private IP on the LAN interface
There is a firewall sandwiched between two switches at each site
You can't plug both interfaces of the RV042 into the same switch, unless you have separate VLAN's
The Routers are not doing NAT, the firewall is
The Firewall needs a route statement for the remote LAN pointing to the LAN IP of the RV042

If you don't have a firewall, and the router is doing all the NAT, then you need to create a separate VLAN for the WAN interface of the RV042 and map a static public IP address to it, and plug the LAN interface into the LAN switch.

If there is no firewall, and you are not doing NAT at the router and all internal hosts on both ends have public IP's, then we've got a lot more to talk about than making this VPN work...
Author Comment by tealnet (ID: 12088939):
The router at the main site is doing NAT, there is no other firewall.  However, the switches at that site are not managed switches, so I cannot use those to create a VLAN.  However, at one of the remote locations, we do have managed switches.  That is on one of the bridged wireless connections.  I suppose I could put the linksys out there and set up the VLAN on that switch couldn't I?
Expert Comment by lrmoore (ID: 12089129):
Hmmm.. let me think on this one for a while...

No firewall at main, how about remote? Is that router doing NAT, too?
Author Comment by tealnet (ID: 12089197):
Right now the router at the remote site isn't doing anything really, the configuration is all default... it can do nat... but we planned on just letting the linksys vpn router handle everything since there's not going to be much stuff hooked up out there.
Expert Comment by lrmoore (ID: 12089297):
OK, well that side is easy, then...

Only one Ethernet interface on the Main site router?
That's still going to be a bugger...I've got my thinking cap on. I'll get back to you..
Expert Comment by lrmoore (ID: 12089308):
Your best bet long term may be to put in something like a PIX FW at the Main and use the Linksys at remote sites. I know the PIX-Linksys VPN works....
Author Comment by tealnet (ID: 12089333):
Yah, only one ethernet interface on the main router... my biggest problem is I sort of need this link up and running by tomorrow afternoon.  I was only given two days to get this working... so it's not really my fault... but if I can at least get something working by tomorrow, lots of people will be very happy.

I had a thought, and maybe you could save me the trouble of trying this if you know it won't work.  I've got a Dell server out at the main site with dual NICs.  We're only using one NIC right now on the private network that we want access to from the remote location.  So could I plug the internet port of the linksys into the second NIC on the dell server then the linksys lan port into our switch and route it that way?  The second NIC on the Dell has a public IP already assigned to it which is accessible from the internet... am I on the right track?
Expert Comment by lrmoore (ID: 12089383):
That could work....
Enable routing on it. Put a static route on your router that points to the Dell for the remote network..

Good thinking!

Another thought - any old linksys or dlink router from the local office supply would work just as well

  router----switch----RV042 WAN
                    |               |
                    |          Router2
                    |________ |
       
Router NATs public IP to RV042 WAN IP which is, say, 192.168.122.22
RV042 has totally different network on LAN side, say 192.168.255.1
Router 2 (Dell server or little soho router) WAN side, 192.168.255.2
                                                            LAN side, 192.168.122.25
Router has a route for remote network, points to 192.168.122.25

This could work!                    
Author Comment by tealnet (ID: 12089402):
I'll give this a shot tonight and let you know!  Thanks!!
Expert Comment by lrmoore (ID: 12101715):
How'd it turn out? Any luck?
Author Comment by tealnet (ID: 12102765):
I got a little bit of a stay of execution... for about a week... but I haven't had a chance to try the router thing.  Actually the more I think about it, the more I don't think that will work.  Because the Linksys VPN router would end up being behind another router, like a little Linksys router.  So would the VPN router be able to link up with the other end being behind another router like that?
Author Comment by tealnet (ID: 12113529):
It looks like I may just have to get a PIX 501... If I hooked that up between the main cisco T1 router and the rest of the network.. it should be able to handle network traffic for a couple hundred devices right?
Expert Comment by lrmoore (ID: 12113817):
The 501 is designed for SOHO <50 users
I would go with at least a PIX 515e for that many devices..

Author Comment by tealnet (ID: 12113862):
Before I tell these folks that they're going to have to drop about $5k on a new router... is there any other devices that could do more of a VPN Bridge?  Kind of like we're doing with the wireless bridges.  We don't really need "routers".  Or is that the only way the vpn thing will work?
Expert Comment by lrmoore (ID: 12113940):
That's the only way a VPN works. It's a Layer 3 contraption..
You can get a PIX515, Restricted license, 3 10/100 interfaces for well under $3500. List price brand new is $3695
You can expect to pay 25-30% below list..somewhere like CDW
http://www.cdw.com/shop/products/default.aspx?EDC=368664

Author Comment by tealnet (ID: 12114265):
True, I was looking at the unrestricted one... so it's not AS bad.

Back to these little linksys boxes... what if I put the Linksys VPN device at the main site into router mode instead of gateway mode.  Would that solve any problems?  Right now, I can get the VPN link established the way I have it hooked up.  The problem is, as soon as I set the IP address for the private interface to be the same as the network I'm plugging into, I get this loop and my cisco router starts having a heart attack because it's getting blasted with packets.  Would the router mode stop that from happening?
Expert Comment by lrmoore (ID: 12114464):
No. Router mode won't make any difference. The issue is that you have to have the same IP subnet on both ends the way you are using it. You can try putting it in place in direct line between the router and the switch, in router mode. This only requires moderate changes on the router since it's doing the NAT, or you can leave it in Gateway mode and double-nat. Same thing you're planning to do with a PIX. I'll bet it's got at least as much horsepower as the 501 and may serve just fine for the short time needed until you can get a more appropriate firewall in there..
Expert Comment by lrmoore (ID: 12114504):
It would be cheaper/easier to just get a NM-1E extra Ethernet port for the existing 2600 router and be done with it...
NM-1E list price is only $1000
probably find one on ebay for $100 or so...
Author Comment by tealnet (ID: 12114576):
Ahh, that's a good idea... so I'd be able hook the linksys VPN device from the internet port into the second ethernet port on the router.. and hook one of the lan ports up into the main switch and everything should be okay?
Expert Comment by lrmoore (ID: 12114786):
You got it...
Author Comment by tealnet (ID: 12116159):
Just picked one up on eBay for $119, brand new :)  Should be here by the end of the week and I'll see if I can get this thing working!
Author Comment by tealnet (ID: 12148241):
Okay, so tell me if this is something I should start a new question about or if I'm just being a goof.... but I put the NM-1E card in and it's not showing up as an interface... am I missing something real simple.  I've got lights on the back... the link light is on (I have it connected to the linksys vpn router), but the act light is also on solid.

And yes, I shut off the power before putting the card in :)
Expert Comment by lrmoore (ID: 12148262):
What version IOS are you running?
Which exact model 2600? 2610, 2620?
Author Comment by tealnet (ID: 12148385):
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)

cisco 2620 (MPC860) processor (revision 0x600) with 26624K/6144K bytes of memory.
Expert Comment by lrmoore (ID: 12148538):
You might need 12.0(5) XK1 or 12.1(13a) or 12.1(5)T12
Do you have 8Mb flash? "sho flash" will tell you..
Author Comment by tealnet (ID: 12148579):
System flash directory:
File  Length   Name/status
  1   4209848  c2600-i-mz.120-7.T
[4209912 bytes used, 4178696 available, 8388608 total]
8192K bytes of processor board System flash (Read/Write)


Should I just upgrade the IOS and see what happens?
Expert Comment by lrmoore (ID: 12148928):
Yes. Any of these versions should work
Author Comment by tealnet (ID: 12155851):
I have never upgraded the IOS of a cisco device before.  Do we have to pay for these upgrades?  Cisco's web site won't let me download it without being a partner or something.
Expert Comment by lrmoore (ID: 12171017):
Is the router still under warranty? If so, you should be able to contact Cisco TAC and give them the serial number of the router and they should be able to get you a version of IOS that has the drivers for this module.

Author Comment by tealnet (ID: 12171565):
No, we've had it for about 4 years.  I'm pretty sure it's not under warranty any more.
Expert Comment by lrmoore (ID: 12172298):
Oh, noooooooo, Mr. Billllllllllll....
I'll see what I can do to post it somewhere for you. Give me until this evening..
Author Comment by tealnet (ID: 12184185):
Any luck?  I really appreciate your help with this...
Expert Comment by lrmoore (ID: 12184294):
Two images that you can try. Start with the first "T" train image:

http://pcresq.dyndns.org/c2600-i-mz.121-5.T9.bin

If that doesn't work, try this one:
http://pcresq.dyndns.org/c2600-i-mz.121-25.bin
Author Comment by tealnet (ID: 12184754):
I flashed it with that first one and it still doesn't show the additional interface, so I should try that second one now?
Author Comment by tealnet (ID: 12185720):
Well I went ahead and loaded the second one and still no ethernet port is showing up in the interfaces or controllers...
Expert Comment by lrmoore (ID: 12185944):
Are you sure it was a new module? You might have been screwed...
Expert Comment by lrmoore (ID: 12186038):
Author Comment by tealnet (ID: 12186096):
It said new.. it was sealed with all the special yellow stickers.. and the cisco info sticker on the box was sealed.... but I suppose this could be a bunk module... I'll try this one tonight and let you know what happens.
Author Comment by tealnet (ID: 12186105):
I'm getting an error when I try to download that... page not found...
Expert Comment by lrmoore (ID: 12186207):
Try the link again....
Author Comment by tealnet (ID: 12186344):
Man.. this is a bummer.. got that loaded but still nothing in the interfaces or controllers.... is there anything else that needs to be done to get that thing to show up... or should it just be there?
Expert Comment by lrmoore (ID: 12186378):
It should just be there. I went through Cisco's software advisor "find software compatible with my hardware", 2620 + NM-1E and these three IOS versions came right from there. If it doesn't show up, it may very well be bad hardware.

What does 'show ver' say?
Author Comment by tealnet (ID: 12186402):
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(19c), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Thu 20-May-04 19:57 by cmong
Image text-base: 0x8000808C, data-base: 0x80A1857C

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)

Router uptime is 47 minutes
System returned to ROM by reload
System image file is "flash:c2600-i-mz.122-19c.bin"
Expert Comment by lrmoore (ID: 12186427):
What about the rest of it where it lists all the hardware?
Author Comment by tealnet (ID: 12186443):
oh, of course...

cisco 2620 (MPC860) processor (revision 0x600) with 28672K/4096K bytes of memory.
Processor board ID JAD05250PHR (1312729995)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
Expert Comment by lrmoore (ID: 12186463):
It's just not seeing the board. I don't know what else to think other than that the module is defective...
Author Comment by tealnet (ID: 12186466):
I think you may be right... I'll see how quickly I can get another here......
Expert Comment by lrmoore (ID: 12189300):
Are you sure you got the NM-1E full-sized module, or the WIC-1E palm-sized module? The WIC-1E won't work in a 2600 at all.
Author Comment by tealnet (ID: 12190540):
No, it's the full size one that takes up that big slot.  I know the little one you're talking about, like the T1/CSU card.  I'm going to be talking to the guy I bought it from this morning.  He says he'll swap it for me.
Expert Comment by lrmoore (ID: 12280430):
Are you still working on this? Can we be of any more assistance?
Any luck??
Author Comment by tealnet (ID: 12283736):
I just got a working NM-1E installed tonight and will be trying to configure the VPN.  I'll let you know how it goes.
Author Comment by tealnet (ID: 12283969):
Okay, so I've got the new Ethernet interface up.. the VPN is connected... but I'm getting traffic between the two networks... don't I need to add some sort of default route between the two interfaces in the router so it knows to route remote traffic trying to access the main network together?  Or should this just be working?
Author Comment by tealnet (ID: 12283989):
I meant to say I'm not getting traffic between the two networks...
Expert Comment by lrmoore (ID: 12285950):
Yes, you need to add a route on this router..

  ip route <remote subnet> mask <inside ip of RV042>

Author Comment by tealnet (ID: 12290522):
I must be confused... or my brain is just fried from dealing with this for weeks... but should the Internet port... or the LAN port of the Linksys VPN be plugged into the new ethernet port in the main router?
Expert Comment by lrmoore (ID: 12290674):
        Internet
             |
          2600
   Eth0/0    Eth1/0
      |            |   WAN
  Switch     RV042
      |_______|   LAN

Here's just one way to do it. I'd have to see the complete 2600 config to make any other suggestions...
2600 can provide static NAT to RV042's WAN IP, and route statement for remote site:

Eth0/1 IP = 192.168.155.1/24
RV042 WAN IP = 192.168.155.2 /24
RV042 LAN IP = 192.168.122.2 /24  <== same subnet as Eth 0/0

   ip nat inside source static 192.168.155.2 <public ip>
   ip route <remote LAN subnet> 255.255.255.0 192.168.122.2

It really depends on how you currently have NAT setup and where/how you have the public IP's setup on the 2600..


Author Comment by tealnet (ID: 12291121):
Right now the 2600 is doing NAT for all pc's on the main network.  Is there anything that needs to be configured on the new Ethernet interface to get it to work with this setup?  Right now I've just got an IP assigned to it.  Does it need to be in the NAT pool also?
Expert Comment by lrmoore (ID: 12291300):
No, it does not have to be in the NAT pool, because you are going to assign a static nat ..
Just make sure that whatever subnet you assign to this ethernet interface and the RV042 WAN interface is not included in the nat rules as they go out the T1 interface...


example:

   ip access-list 1 permit 192.168.122.0 0.0.0.255  <-- does not include the .155.x subnet

   ip nat inside source list 1 interface Serial0/0 overload  <-- or "pool", whichever you are using.

   ip nat inside source static 192.168.155.2 1.2.3.4  <-- do you have a spare public IP that you can assign?
 



Author Comment by tealnet (ID: 12291401):
I've got all that setup correctly and I have a free public IP that I've created a static NAT entry for.  But with it setup this way, I can't even establish the VPN connection.  I also can't ping the public IP address from the internet... like that static NAT entry isn't working.
Expert Comment by lrmoore (ID: 12291508):
Can you post your 2600 config?
Do you have any inbound access-lists that will prevent communications from the other public IP?
Did you permit icmp to the RV042 in its config? It may be disabled by default...

Author Comment by tealnet (ID: 12291556):
no ip domain-lookup
ip dhcp excluded-address 10.241.185.200
!
ip dhcp pool pool185
   network 10.241.185.0 255.255.255.0
   default-router 10.241.185.200
   domain-name lasher
   dns-server 10.241.184.1
!
!
!
!
interface FastEthernet0/0
 description connected to EthernetLAN
 ip address 10.241.184.200 255.255.255.0 secondary
 ip address 192.168.10.1 255.255.255.0 secondary
 ip address 10.241.185.200 255.255.255.0 secondary
 ip address 64.1.246.34 255.255.255.240 secondary
 ip address 10.241.183.200 255.255.255.0
 ip access-group 119 in
 ip nat inside
 ip route-cache same-interface
 ip route-cache policy
 duplex auto
 speed auto
!
interface Serial0/0
 description connected to Internet
 ip address 67.109.42.202 255.255.255.252
 ip access-group 169 in
 ip access-group 169 out
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 no fair-queue
 service-module t1 remote-alarm-enable
!
interface Ethernet1/0
 ip address 10.241.182.1 255.255.255.0
 full-duplex
!
router rip
 version 2
 passive-interface Serial0/0
 network 10.0.0.0
 no auto-summary
!
ip nat pool Router-natpool-17 64.1.246.35 64.1.246.35 netmask 255.255.255.240
ip nat inside source list 1 pool Router-natpool-17 overload
ip nat inside source static tcp 10.241.185.1 5900 64.1.246.35 5900 extendable
ip nat inside source static tcp 10.241.185.1 5800 64.1.246.35 5800 extendable
ip nat inside source static tcp 10.241.183.1 23 64.1.246.35 23 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 10.241.186.0 255.255.255.0 10.241.183.30
no ip http server
ip http port 12337
!
access-list 1 permit 10.241.183.0 0.0.0.255
access-list 1 permit 10.241.184.0 0.0.0.255
access-list 1 permit 10.241.185.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 119 deny   icmp host 10.241.183.88 any echo
access-list 119 permit ip any any
access-list 119 deny   ip 192.168.10.0 0.0.0.255 10.241.183.0 0.0.0.255
access-list 119 deny   ip 192.168.10.0 0.0.0.255 10.241.184.0 0.0.0.255
access-list 119 deny   ip 192.168.10.0 0.0.0.255 10.241.185.0 0.0.0.255
access-list 119 permit ip 192.168.10.0 0.0.0.255 any
access-list 119 permit icmp host 10.241.183.88 any echo
snmp-server engineID local 000000090200000653C66720
snmp-server community public RO
snmp-server enable traps tty
!
                 
Author Comment by tealnet (ID: 12291569):
I have made sure that ICMP packets are allowed on both RV042's
Author Comment by tealnet (ID: 12291633):
Ooops.. that was a slight older copy... it's missing this:

ip nat inside source static 10.241.182.239 64.1.246.37
Expert Comment by lrmoore (ID: 12291713):
Well....oh dear... we have another "toad in the road"
I should have asked to see this config long time ago...

interface FastEthernet0/0
  ip address 64.1.246.34 255.255.255.240 secondary <-- because this subnet is applied to the Fast 0/0 interface, we may not be able to static NAT over to another interface...
Q: do you actually have any devices with public IP address assigned on the inside LAN?
If no, then we need to simply remove that as a secondary before we can add a static
If yes, then we may just be able to assign the public IP directly to the WAN port of the RV042, with its default gateway .34
Keep the LAN port of the RV042 as it is, and keep the static route...
Or, split that subnet between the two interfaces:
   Ethernet 0/0
     ip address 64.1.246.34 255.255.255.248
   Ethernet 1/0
     ip address 64.1.246.41 255.255.255.248
And simply address the RV042 WAN port with 64.1.246.42 - no nat anywhere

interface Serial0/0
 description connected to Internet
 ip address 67.109.42.202 255.255.255.252
 ip access-group 169 in   <=== there is no access-list 169 defined!
 ip access-group 169 out

I don't see where you've tried to make the static:
   ip nat inside source static 10.242.182.2 64.1.246.36  <-- assuming that the WAN port of RV042 is 10.242.182.2, and .36 is your spare IP...

Author Comment by tealnet (ID: 12291722):
The problem seems to be that the second Ethernet interface in the router cannot access the internet.  From the RV042 I cannot ping out to the internet.  I can ping the 2600 on any of its IPs, but not the internet.
Author Comment by tealnet (ID: 12291733):
Okay, I see what you're saying.  There's nothing on the inside of the network that needs a public IP.  Everything is private or NAT'd from the outside in (as you can see).  I will remove that entry and see what happens.
Expert Comment by lrmoore (ID: 12291745):
I think it's because of the interface overlap with that public ip block assigned to the Eth 0/0 interface
oh, oh, ...

add this?

 interface Ethernet 1/0
   ip nat inside  <---???  else it won't even try to use the static nat...

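The three comments above from lrmoore amount to a checklist for a NAT router that has to pass a site-to-site VPN box through it: the overload (PAT) list must leave out the subnet the RV042's WAN port sits on, the static translation only works when the inside-local address lives behind an interface marked "ip nat inside", a public block left as a secondary on the inside interface gets in the way of static-NATing those addresses over another interface, and Serial0/0 applies an access-list 169 that is never defined. The linter below is an added example, my own code rather than anything from the thread, from Linksys or from Cisco; it runs on a constructed, trimmed copy of the 2600 configuration tealnet posted, as it stood before the fixes, and the finding codes and messages are my own names. It also flags one thing the thread does not discuss, entries placed after a "permit ip any any" that can never match, because the posted access-list 119 has exactly that shape.

```python
import ipaddress

# Constructed sample: a trimmed copy of the 2600 config posted in the thread, as it
# stood before the fixes (public /28 still a secondary on Fa0/0, access-list 169
# never defined, Ethernet1/0 without 'ip nat inside').
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 64.1.246.34 255.255.255.240 secondary
 ip address 10.241.183.200 255.255.255.0
 ip access-group 119 in
 ip nat inside
!
interface Serial0/0
 ip address 67.109.42.202 255.255.255.252
 ip access-group 169 in
 ip access-group 169 out
 ip nat outside
!
interface Ethernet1/0
 ip address 10.241.182.1 255.255.255.0
!
ip nat inside source list 1 pool Router-natpool-17 overload
ip nat inside source static 10.241.182.239 64.1.246.37
access-list 1 permit 10.241.183.0 0.0.0.255
access-list 119 deny   icmp host 10.241.183.88 any echo
access-list 119 permit ip any any
access-list 119 deny   ip 192.168.10.0 0.0.0.255 10.241.183.0 0.0.0.255
"""


def _ace_network(ace):
    """Source network of a standard-ACL entry (action addr wildcard); None if not modelled."""
    if len(ace) == 2 and ace[1] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if len(ace) == 3 and ace[1] == "host":
        return ipaddress.IPv4Network(f"{ace[2]}/32")
    if len(ace) == 3:
        mask = "32" if ace[2] == "0.0.0.0" else ace[2]   # wildcard 0.0.0.0 means one host
        return ipaddress.IPv4Network(f"{ace[1]}/{mask}")  # ipaddress accepts a wildcard (hostmask)
    return None


def parse(config):
    """Minimal IOS parser: interfaces, numbered access-lists and the NAT statements."""
    ifaces, acls, statics, nat_lists = {}, {}, [], []
    cur = None
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("interface "):
            cur = parts[1]
            ifaces[cur] = {"addrs": [], "nat_inside": False, "acls": []}
        elif line == "!":
            cur = None
        elif cur and line.startswith("ip address "):
            ifaces[cur]["addrs"].append(ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}"))
        elif cur and line == "ip nat inside":
            ifaces[cur]["nat_inside"] = True
        elif cur and line.startswith("ip access-group ") and parts[2] not in ifaces[cur]["acls"]:
            ifaces[cur]["acls"].append(parts[2])
        elif line.startswith("ip nat inside source static "):   # whole-host static: local global
            statics.append((ipaddress.IPv4Address(parts[5]), ipaddress.IPv4Address(parts[6])))
        elif line.startswith("ip nat inside source list "):
            nat_lists.append(parts[5])
        elif line.startswith("access-list "):
            acls.setdefault(parts[1], []).append(parts[2:])
    return ifaces, acls, statics, nat_lists


def lint(config):
    """Return (code, message) findings for the NAT/ACL pitfalls discussed in the thread."""
    ifaces, acls, statics, nat_lists = parse(config)
    findings = []
    public = {glob for _, glob in statics}
    for name, data in ifaces.items():
        # An access-group naming an undefined list filters nothing: IOS permits everything.
        for acl in data["acls"]:
            if acl not in acls:
                findings.append(("UNDEFINED_ACL", f"{name}: access-group {acl} applied but access-list {acl} is not defined"))
        # A public block on a NAT-inside interface holds the very addresses the statics answer for.
        if data["nat_inside"]:
            for addr in data["addrs"]:
                clash = sorted(str(g) for g in public if g in addr.network)
                if clash:
                    findings.append(("PUBLIC_ON_INSIDE", f"{name}: {addr.with_prefixlen} contains static NAT global address(es) {', '.join(clash)}"))
    for local, glob in statics:
        owner = next((n for n, d in ifaces.items() if any(local in a.network for a in d["addrs"])), None)
        # A static only takes effect when the inside-local address sits behind 'ip nat inside'.
        if owner is None or not ifaces[owner]["nat_inside"]:
            findings.append(("STATIC_NOT_INSIDE", f"static NAT {local} -> {glob}: {owner or 'no interface'} lacks 'ip nat inside'"))
        # The VPN router's transit address must stay out of the overload (PAT) list.
        for lst in nat_lists:
            for ace in acls.get(lst, []):
                net = _ace_network(ace)
                if ace[0] == "permit" and net is not None and local in net:
                    findings.append(("DOUBLE_NAT", f"static NAT host {local} is also matched by dynamic NAT list {lst}"))
    # Entries after a 'permit ip any any' (or deny) can never be reached.
    for name, aces in acls.items():
        for idx, ace in enumerate(aces):
            if ace[1:] == ["ip", "any", "any"] and idx < len(aces) - 1:
                findings.append(("UNREACHABLE_ACE", f"access-list {name}: {len(aces) - idx - 1} entries after '{' '.join(ace)}' never match"))
                break
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports the undefined list 169 on Serial0/0, the 64.1.246.32/28 secondary on FastEthernet0/0 overlapping the static's global address, and Ethernet1/0 missing "ip nat inside"; it stays quiet about list 1, which correctly leaves 10.241.182.0/24 out. Remove the secondary and add "ip nat inside" to Ethernet1/0, the two changes the thread ends up making, and those findings clear.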
Author Comment by tealnet (ID: 12291806):
Ah yes, I had that in there at one point.  Okay... so the static NAT is there, I removed that secondary public IP from Fa0/0 and now I can access the internet from the RV042 and I can ping it from the internet... so the static NAT appears to be directing traffic properly.  But the VPN connection cannot be established.
Author Comment by tealnet (ID: 12291820):
This is what the VPN log says when I try to establish the link from the remote site:

Oct 12 12:40:56 2004     VPN Log    Main mode peer ID is ID_IPV4_ADDR: '10.241.182.239'  
Oct 12 12:40:56 2004     VPN Log    No suitable connection for peer '10.241.182.239', Please check Phase 1 ID value  


Author Comment by tealnet (ID: 12291844):
It seems to have a problem with the static NAT:

We require peer to have ID '64.1.246.37', but peer declares '10.241.182.239'
Accepted Solution by lrmoore, earned 500 total points (ID: 12291882):
Dagggum it...if it ain't one thing, it's another.  I think the idea to split the subnet and assign it to the E 1/0 / RV042 will work...
Try setting up a 2nd tunnel on the peer RV042, with peer ID 10.241.182.239

OR:

Change the e0/0 address mask:
     Ethernet 0/0
     ip address 64.1.246.34 255.255.255.248 secondary
   Ethernet 1/0
     ip address 64.1.246.41 255.255.255.248

RV042 = 64.1.246.42


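The two RV042 log lines tealnet quoted a few comments up show the symptom that the accepted answer resolves: the remote RV042 is configured to peer with the public address 64.1.246.37, so it expects that as the IKE Phase 1 identity, while the main-site RV042 identifies itself by its own WAN address, 10.241.182.239, the private address behind the 2600's static NAT. As an added example (my code, not from the thread, from Linksys or from Cisco), the script below parses RV042-style VPN log text and classifies such a mismatch, distinguishing the peer-behind-NAT case from an ordinary misconfigured ID; the log text is a constructed sample built from the lines quoted in the thread.

```python
import ipaddress
import re

# Constructed sample built from the RV042 VPN log lines quoted in the thread.
SAMPLE_LOG = """\
Oct 12 12:40:56 2004     VPN Log    Main mode peer ID is ID_IPV4_ADDR: '10.241.182.239'
Oct 12 12:40:56 2004     VPN Log    No suitable connection for peer '10.241.182.239', Please check Phase 1 ID value
Oct 12 12:41:02 2004     VPN Log    We require peer to have ID '64.1.246.37', but peer declares '10.241.182.239'
"""

MISMATCH = re.compile(r"require peer to have ID '([\d.]+)', but peer declares '([\d.]+)'")
NO_CONN = re.compile(r"No suitable connection for peer '([\d.]+)'")


def diagnose(log):
    """Classify each Phase 1 identity failure found in RV042-style VPN log text."""
    results = []
    for line in log.splitlines():
        m = MISMATCH.search(line)
        if not m:
            continue
        expected = ipaddress.IPv4Address(m.group(1))
        declared = ipaddress.IPv4Address(m.group(2))
        if declared.is_private and not expected.is_private:
            # The peer identifies itself by its pre-NAT WAN address, so it sits behind
            # a static NAT. Either accept that address as the peer ID on this side or
            # give the peer a public WAN address (the two options the thread offers).
            verdict = "peer-behind-nat"
        else:
            verdict = "id-mismatch"
        results.append({"expected": str(expected), "declared": str(declared),
                        "declared_private": declared.is_private, "verdict": verdict})
    return results


def unmatched_peers(log):
    """Peer IDs for which no tunnel definition matched (the 'No suitable connection' lines)."""
    return sorted({m.group(1) for m in NO_CONN.finditer(log)})
```

On the sample, `diagnose` returns one entry with verdict "peer-behind-nat" for expected 64.1.246.37 and declared 10.241.182.239, and `unmatched_peers` lists 10.241.182.239; once the main-site RV042 carries a public WAN address as in the accepted answer, the declared and expected IDs coincide and neither line appears.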
Author Comment by tealnet (ID: 12291974):
Okay, got that setup... VPN is connected... but no traffic between the two.  Can't even ping one RV042 router from another.
Author Comment by tealnet (ID: 12291986):
But wait.. from the 2600 I can ping everything on the remote network.....
Author Comment by tealnet (ID: 12291998):
I can also ping the remote network from a pc on the main network... that's further than I ever got before!
Expert Comment by lrmoore (ID: 12292006):
And you have the RV042 LAN connected as 10.241.183.30?

And this is still in place? Assuming that .186. is the remote lan on the backside of the other RV042?
ip route 10.241.186.0 255.255.255.0 10.241.183.30

Try adding a static route on your PC just for testing:
  C:\>route add 10.241.186.0 mask 255.255.255.0 10.241.183.30


Author Comment by tealnet (ID: 12292013):
WAIT.. the whole thing works!!! OMG!!  I think we've got it!!
Author Comment by tealnet (ID: 12292025):
For some reason I can't ping from the RV042 routers themselves... but all the pc's on either side can communicate with each other.
Author Comment by tealnet (ID: 12292073):
I can't thank you enough for all your help.  If there's any way to double the points, I would certainly request it.  You've been more than helpful.  This is such a load off my shoulders!  Thanks again, and again!
Expert Comment by lrmoore (ID: 12292131):
Wooooohooooo!!!!

Been a long road, but I'm glad it's working!

-Cheers!
Author Comment by tealnet (ID: 12293254):
One more quick question... what if I want the remote network to be able to access some of those other subnets on the main network.  Like the 10.241.184.0 network.  They can't right now.
Expert Comment by lrmoore (ID: 12294160):
On the remote RV042, I would create a new tunnel - all the same parameters - for each subnet that you want to reach... that should be all you need to do.
