suply
 asked on

How can I configure a site-to-site VPN with 2 Cisco routers

Hello Experts Exchange,

I need a step-by-step guide to set up a site-to-site tunnel with 2 Cisco Linksys routers.


Thanks so much for your help

suply
VPN

Last Comment
Syed_M_Usman

8/22/2022 - Mon
Syed_M_Usman

If your router does not support SDM and you are using CLI commands, you can use the links below; simply execute the commands as per your network (LAN IP / WAN IP).

http://www.cisco.com/en/US/docs/security/vpn_modules/6342/configuration/guide/6342site3.html#wp1035810
http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a0080531f28.html#wp1010262

You can also take help from
http://www.routergeek.net/content/view/50/37/
suply

ASKER
Hello Syed M Usman,

Thank you for your response. Is it possible to get the information applied to Cisco model RVS4000 routers for a site-to-site IPsec VPN tunnel setup?

Syed_M_Usman

The commands will remain the same.
Syed_M_Usman

Sorry my dear, you have a Linksys router (Cisco Linksys). These commands will not work; I shall send you another configuration.
Syed_M_Usman

May I know what your existing setup is? I mean, how is the RVS4000 connected?

ISP-------->MODEM (acting as bridge)---------RVS4000 or ISP------->ADSL--------->RVS4000
suply

ASKER
OK, basically, could you send me what I have to put in the fields below? I have put the same information on both sites but still no connection is established. I changed the remote/local IPs but don't know what's happening.

RVS4000 setup window below:

IPSec VPN

Select Tunnel Entry:       
        
IPSec VPN Tunnel:        Enable   Disable
Tunnel Name:       

Local Group Setup
Local Security Gateway Type:       
Domain Name:       
IP address:       . . .
Local Security Group Type:       
IP Address:        . . .
Subnet Mask:        
255.255. .

Remote Group Setup
Remote Security Gateway Type:       
Domain Name:       
      
. . .
This Gateway accepts requests from any IP address.
Remote Security Group Type:       
IP Address:
      
. . .
This Gateway accepts requests from any IP address.
Subnet Mask:        
. . .

IPSec Setup

Keying Mode:       
Phase 1:
Encryption:       
Authentication:       
Group:       
Key Lifetime:       
  sec

Phase 2:
Encryption:       
Authentication:       
Perfect Forward Secrecy:       
Preshared Key:       
 
Group:       
Key Lifetime:       
  sec
Encryption Algorithm:       
(3DES: 24 ASCII)
Encryption Key:       
Authentication Algorithm:       
(MD5: 16 ASCII SHA1: 20 ASCII)
Authentication Key:       
Inbound SPI:       
          (HEX 100-FFFFFFFF)
Outbound SPI:       
          (HEX 100-FFFFFFFF)

Status
Down
suply

ASKER
Set up site A
**************
ADSL Modem -> RVS4000 (a) -> computer (Windows XP)

Set up site B
**************
ADSL Modem -> RVS4000 (b) -> computer (Windows XP)




Syed_M_Usman

Make sure you have a public IP address on the WAN interface of the RVS4000, or that the gateway in front of the RVS4000 forwards traffic to the RVS4000, on both sides.
Try accessing the remote gateway via its public IP address; if that succeeds, then start the steps below.

Step 1:
Access the gateway's web-based setup page.

Step 2:
When the gateway's web-based setup page opens, click Security then click VPN.

Step 3:
Ensure that:

• VPN is enabled on both sides;
• Local Secure Group is the same as the local gateway's LAN IP segment;
• Remote Secure Group is the same as the remote gateway's LAN IP segment;
• Remote Secure Gateway is the WAN/Internet IP address of the remote gateway;
• Encryption and Authentication are the same as those of the remote gateway; and
• Pre-Shared Key and Key Life Time are the same as those of the remote gateway.

Syed_M_Usman

Have you tried accessing the remote router via https://routerip ?
suply

ASKER
Yes, I can log in remotely to both routers from both sites OK.
Syed_M_Usman

Have you tried:

• VPN is enabled on both sides;
• Local Secure Group is the same as the local gateway's LAN IP segment;
• Remote Secure Group is the same as the remote gateway's LAN IP segment;
• Remote Secure Gateway is the WAN/Internet IP address of the remote gateway;
• Encryption and Authentication are the same as those of the remote gateway; and
• Pre-Shared Key and Key Life Time are the same as those of the remote gateway.

If the tunnel is still down, please upload the VPN logs of either site.

suply

ASKER
One question on the remote secure WAN/gateway: on the status page, the WAN IP address has a subnet mask of 255.255.224.0 beside it, but in the router VPN page I have typed 255.255.255.0. Is this correct?
Syed_M_Usman

How many public IP addresses do you have? It looks like 255.255.224.0 is the wrong subnet; are you sure?
The subnet should be the same. Can you try
tracert -d publicip from your computer and check whether there is any timeout or loop?
suply

ASKER
I only have one public IP for each site; no timeout or loop, good IP reply.
Syed_M_Usman

Then use the same subnet that you got on your site's WAN address.
suply

ASKER
It won't let me change from 255.255.224.0, because then I get this message: "Remote group and local cannot be in the same network", so I put 255.255.224.0.

I have noticed that on the status page of the router, there is a public IP from the other site indicated in the ARP/RARP table, so I guess somehow the router has some type of connection with the other router.

I have checked all the rest of the parameters and the status is still down, and I can't ping the other site locally.

Syed_M_Usman

1) What is your local WAN subnet?
Check your ADSL devices and paste what subnet you are getting for both sides (without the WAN IP).
Syed_M_Usman

Dear, two things:
1) If your LAN IP is 192.168.10.1 255.255.255.0, then your remote should not be the same; you can try another IP like 192.168.11.1 255.255.255.0.

2) If the WAN subnet is the same, this should not trouble you; the WAN IP should be unique.

Please send me a sanitized screenshot of your LAN and WAN (only hide the WAN IP).
Syed_M_Usman

Send me screenshots of your LAN, WAN and VPN pages (before uploading, please hide the WAN IP) of both devices so I can post you the correct configuration, plus send me the logs of your devices so I can understand what's happening.
suply

ASKER
OK, this is how I have it configured. I had to type it; I don't know how to send you the screenshot.

*** SITE A ROUTER***
Ipsec VPN tunnel: Enabled
LOCAL GROUP SETUP
****************************
Local security gateway: IP ONLY
IP address: 186.91.10.10
Local security group type: subnet
IP address: 192.168.10.1
subnet mask: 255.255.255.0
REMOTE GROUP SETUP
****************************
Remote security gateway type: IP only
IP address: 186.91.112.45
Remote security group type: subnet
IP address: 192.168.11.1
Subnet mask: 255.255.255.0
IPSEC SETUP
***************
Keying mode: IKE with Preshared Key
Phase 1
Encryption: 3DES
Authentication: MD5
Group: 768 bit
Key lifetime: 28800 sec
Phase 2
Encryption: 3DES
Authentication: MD5
Preshared key: 1234567890
Group: 768 bit
Key lifetime: 3600
Encryption algorithm: 3DES
Encryption key: (blank)
Authentication algorithm: MD5
Authentication key: (blank)
Inbound SPI: 0
Outbound SPI: 0



For the site B router, all is the same except I changed the local IP address and the remote to match the A router.
Syed_M_Usman

Reset your router to factory default and do the following configuration:

Logon to RVS4000 (Site A)
-------->VPN>IPSECVPN
-------->Enable
Tunnel Name (YOUR COMPANY)

Local Group Setup
Local Security Setup-----------IPONLY
IP Address---------------------192.168.10.0
Subnet Mask--------------------255.255.255.0

Remote Group Setup
Remote Security Group Type---------WAN IP REMOTE SITE
Remote Sec Type-------------(select security)

IP SEC SETUP----------------IKE WITH P
PHASE 1---------3DES
AUT-------------MD5
GROUP-----------1024
KEY life--------28800

PHASE2

ENC-------------3DES
AUT-------------SHA1
KEY-------------XXXXXXXXXXXXX
GROUP-----------1024
KEY LIFE--------XXXXX

connect
---------------------------------------------------
Logon to RVS4000 (Site B)
-------->VPN>IPSECVPN
-------->Enable
Tunnel Name (YOUR COMPANY)

Local Group Setup
Local Security Setup-----------IPONLY
IP Address---------------------192.168.11.0
Subnet Mask--------------------255.255.255.0

Remote Group Setup
Remote Security Group Type---------WAN IP REMOTE SITE
Remote Sec Type-------------(select security)

IP SEC SETUP----------------IKE WITH P
PHASE 1---------3DES
AUT-------------MD5
GROUP-----------1024
KEY life--------28800

PHASE2

ENC-------------3DES
AUT-------------SHA1
KEY-------------XXXXXXXXXXXXX
GROUP-----------1024
KEY LIFE--------XXXXX

connect


• Local Secure Group is the same as the local gateway's LAN IP segment;
• Remote Secure Group is the same as the remote gateway's LAN IP segment;
• Remote Secure Gateway is the WAN/Internet IP address of the remote gateway;
• Encryption and Authentication are the same as those of the remote gateway; and
• Pre-Shared Key and Key Life Time are the same as those of the remote gateway.
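As an added illustration (my own script, not code from the thread, from Cisco or from Linksys), the checklist repeated above and the mirrored site A / site B configuration the asker typed out earlier can be turned into a consistency check that runs before anyone touches the routers. The two site dictionaries below reproduce the values the asker posted; the field names are my assumption about how to represent the RVS4000 form, and the weak-algorithm list reflects current practice rather than anything stated in the thread. Beyond the checklist itself it also flags two things visible in the thread: a Local/Remote Security Group entered as a host address (192.168.10.1) instead of the network address (192.168.10.0) used in the reply above, and local/remote segments that overlap, which is the condition behind the router's "cannot be in the same network" message.

```python
"""Pairwise consistency check for two IPsec site-to-site tunnel endpoints (RVS4000-style form)."""
import ipaddress

# Constructed advisory list: choices a practitioner should avoid on a new deployment.
WEAK_CHOICES = {
    "encryption": {"3DES", "DES"},
    "authentication": {"MD5"},
    "group": {"768 bit"},
}


def segment(ip, mask):
    """Network for an IP/mask pair; accepts a host address such as 192.168.10.1/24."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def mirrored(site):
    """Build the peer's config by swapping local and remote fields, as the asker described."""
    peer = dict(site)
    for key in ("gateway_ip", "group_ip", "group_mask"):
        peer[f"local_{key}"], peer[f"remote_{key}"] = site[f"remote_{key}"], site[f"local_{key}"]
    return peer


def mirror_errors(a, b, name_a="Site A", name_b="Site B"):
    """Checklist items that must hold between the two ends: groups, gateways, no overlap."""
    errors = []
    for me, peer, label in ((a, b, name_a), (b, a, name_b)):
        local = segment(me["local_group_ip"], me["local_group_mask"])
        remote = segment(me["remote_group_ip"], me["remote_group_mask"])
        peer_local = segment(peer["local_group_ip"], peer["local_group_mask"])
        if remote != peer_local:  # Remote Secure Group must equal the peer's LAN segment
            errors.append(f"{label}: remote secure group {remote} != peer LAN segment {peer_local}")
        if me["remote_gateway_ip"] != peer["local_gateway_ip"]:  # Remote Secure Gateway = peer WAN IP
            errors.append(f"{label}: remote gateway {me['remote_gateway_ip']} != peer WAN IP "
                          f"{peer['local_gateway_ip']}")
        if local.overlaps(remote):  # the router refuses local and remote in the same network
            errors.append(f"{label}: local {local} and remote {remote} segments overlap")
    return errors


def shared_param_errors(a, b):
    """Pre-shared key, encryption, authentication, group and lifetimes must match on both ends."""
    errors = []
    if a["preshared_key"] != b["preshared_key"]:
        errors.append("pre-shared key differs")
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                errors.append(f"{phase} {key}: {a[phase].get(key)!r} vs {b[phase].get(key)!r}")
    return errors


def site_warnings(site, label):
    """Non-fatal findings: host address where a network address belongs, and weak algorithms."""
    out = []
    for key in ("local_group", "remote_group"):
        ip, mask = site[f"{key}_ip"], site[f"{key}_mask"]
        net = segment(ip, mask)
        if ipaddress.ip_address(ip) != net.network_address:
            out.append(f"{label}: {key} entered as host {ip}; use network address {net.network_address}")
    for phase in ("phase1", "phase2"):
        for key, value in site[phase].items():
            if value in WEAK_CHOICES.get(key, ()):
                out.append(f"{label}: {phase} {key} {value} is weak; prefer AES, SHA1 or better, "
                           "and a DH group of at least 1024 bits")
    return out


def check_pair(a, b):
    """Return {'errors': [...], 'warnings': [...]}; an empty error list means the ends agree."""
    return {
        "errors": mirror_errors(a, b) + shared_param_errors(a, b),
        "warnings": site_warnings(a, "Site A") + site_warnings(b, "Site B"),
    }


# Constructed from the values the asker posted for the site A router.
SITE_A = {
    "local_gateway_ip": "186.91.10.10",
    "local_group_ip": "192.168.10.1", "local_group_mask": "255.255.255.0",
    "remote_gateway_ip": "186.91.112.45",
    "remote_group_ip": "192.168.11.1", "remote_group_mask": "255.255.255.0",
    "phase1": {"encryption": "3DES", "authentication": "MD5", "group": "768 bit", "key_lifetime": 28800},
    "phase2": {"encryption": "3DES", "authentication": "MD5", "group": "768 bit", "key_lifetime": 3600},
    "preshared_key": "1234567890",
}

if __name__ == "__main__":
    result = check_pair(SITE_A, mirrored(SITE_A))
    for line in result["errors"] + result["warnings"]:
        print(line)
```

Run as-is it reports no errors for the mirrored pair, but warns that both security groups were typed as host addresses and that every 3DES / MD5 / 768-bit choice is weak. Change the pre-shared key or the local LAN on one copy and the error list shows exactly which checklist item fails.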
ASKER CERTIFIED SOLUTION
Syed_M_Usman

suply

ASKER
I have done all as indicated above but can't connect. I'm thinking of changing routers. Could you please recommend 2 router brands and models I could purchase that are simple to configure for a VPN?

Thanks
Syed_M_Usman

Since you are unable to connect, I would prefer not to be assigned points, regardless of whether your hardware is working or not.

If you have a limited budget you can go with a Cisco 800 series router (depending on availability); if you have a little more, you can order any entry-level firewall (SonicWall TZ series).

Website: http://www.sonicwall.com/us/products/TZ_Series.html#tab=compare
Live demo: http://livedemo.sonicwall.com/livedemo.html#html_UTM

If you can order a SonicWall TZ210, this could be the best option:
1- For the cost of a router you will have a firewall, IPS and gateway anti-virus
2- You will have VPN + SSL + Global VPN Client

Sometimes SonicWall offers buy-back, so once you think you want to upgrade you can exchange your firewall for a newer model (this offer depends customer to customer, country to country).

suply

ASKER
Thanks Syed_M_Usman, I appreciate your advice.

Best regards
Syed_M_Usman

If you don't mind, can you log on to your router > VPN, press the Print Screen button and send it to me please?
 
Syed_M_Usman

You are welcome :)
suply

ASKER
OK, this is the config for router A.
site-1-router-up.jpg
site-1-router-down.jpg
Syed_M_Usman

Site A looks fine; what about site B?
suply

ASKER
Site B is the same; I changed only the local and remote IPs to match the A router. All firewalls are off and still no connection. I think it has to do with a hardware malfunction; I'll try with Hamachi VPN and SonicWall.

Thanks again.
Syed_M_Usman

OK, feel free to ask.
In phase 1 you can try SHA1 instead of MD5.