
How can I configure a site-to-site VPN with 2 Cisco routers?

suply asked
726 Views
Last Modified: 2012-05-11
Hello Experts-Exchange,

Please, I need a step-by-step guide to set up a site-to-site tunnel with 2 Cisco Linksys routers.


Thanks so much for your help

suply

Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
If your router does not support SDM and you are using CLI commands, you can use the links below; simply execute the commands as per your network (LAN IP / WAN IP):

http://www.cisco.com/en/US/docs/security/vpn_modules/6342/configuration/guide/6342site3.html#wp1035810
http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a0080531f28.html#wp1010262

You can also get help from
http://www.routergeek.net/content/view/50/37/

Author

Commented:
Hello Syed M Usman,

Thank you for your response. Is it possible to get the information applied to Cisco RVS4000 routers for a site-to-site IPsec VPN tunnel set-up?

Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
The commands will remain the same.
Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
Sorry my dear, you have a Linksys router (Cisco Linksys). These commands will not work; I shall send you another configuration.
Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
May I know what your existing setup is? I mean, how is the RVS4000 connected?

ISP --------> MODEM (acting as bridge) --------- RVS4000    or    ISP -------> ADSL ---------> RVS4000

Author

Commented:
Ok, basically, could you send me what I have to put in the fields below. I have put the same information on both sites but still no connection is established. I changed the remote/local IPs but don't know what's happening.

RVS4000 setup window (fields as shown on the IPSec VPN page):

IPSec VPN
Select Tunnel Entry:
IPSec VPN Tunnel: Enable / Disable
Tunnel Name:

Local Group Setup
Local Security Gateway Type:
Domain Name:
IP address: _._._._
Local Security Group Type:
IP Address: _._._._
Subnet Mask: 255.255._._

Remote Group Setup
Remote Security Gateway Type:
Domain Name:
IP address: _._._._ (or: This Gateway accepts requests from any IP address.)
Remote Security Group Type:
IP Address: _._._._ (or: This Gateway accepts requests from any IP address.)
Subnet Mask: _._._._

IPSec Setup
Keying Mode:
Phase 1:
  Encryption:
  Authentication:
  Group:
  Key Lifetime: ___ sec
Phase 2:
  Encryption:
  Authentication:
  Perfect Forward Secrecy:
  Preshared Key:
  Group:
  Key Lifetime: ___ sec
Encryption Algorithm: (3DES: 24 ASCII)
Encryption Key:
Authentication Algorithm: (MD5: 16 ASCII, SHA1: 20 ASCII)
Authentication Key:
Inbound SPI: (HEX 100-FFFFFFFF)
Outbound SPI: (HEX 100-FFFFFFFF)

Status: Down

Author

Commented:
Set up site A
**************
ADSL Modem -> RVS4000 (a) -> computer Win XP

Set up site B
**************
ADSL Modem -> RVS4000 (b) -> computer Win XP

Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
Make sure you have a public IP address on the WAN interface of the RVS4000, or that the gateway in front of the RVS4000 forwards traffic to the RVS4000, on both sides.
Try accessing the remote gateway via its public IP address; if that succeeds, then start the steps below.

Step 1:
Access the gateway's web-based setup page.

Step 2:
When the gateway's web-based setup page opens, click Security, then click VPN.

Step 3:
Ensure that:

• VPN is enabled on both sides;
• the Local Secure Group is the same as the local gateway's LAN IP segment;
• the Remote Secure Group is the same as the remote gateway's LAN IP segment;
• the Remote Secure Gateway is the WAN/Internet IP address of the remote gateway;
• Encryption and Authentication are the same as those of the remote gateway; and
• the Pre-Shared Key and Key Life Time are the same as those of the remote gateway.

Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
Have you tried accessing the remote router via https://routerip ?

Author

Commented:
Yes, I can log in remotely to both routers from both sites OK.
Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
Have you tried the following?

• VPN is enabled on both sides;
• the Local Secure Group is the same as the local gateway's LAN IP segment;
• the Remote Secure Group is the same as the remote gateway's LAN IP segment;
• the Remote Secure Gateway is the WAN/Internet IP address of the remote gateway;
• Encryption and Authentication are the same as those of the remote gateway; and
• the Pre-Shared Key and Key Life Time are the same as those of the remote gateway.

If the tunnel is still down, please upload the VPN logs of either site.


Author

Commented:
One question: on the status page, the remote secure WAN/gateway IP address has beside it a subnet mask of 255.255.224.0, but in the router's VPN page I have typed 255.255.255.0. Is this correct?
Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
How many public IP addresses do you have? It looks like 255.255.224.0 is the wrong subnet; are you sure?
The subnet should be the same. Can you try
tracert -d publicip from your computer and check whether there is any timeout or loop?

Author

Commented:
I only have one public IP for each site; no timeout or loop, good IP reply.
Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
Then use the same subnet you got on your site's WAN address.

Author

Commented:
It won't let me change from 255.255.224.0, because then I get this message: "Remote group and local cannot be in the same network", so I put 255.255.224.0.

I have noticed that on the status page of the router there is a public IP from the other site indicated in the ARP/RARP table, so I guess somehow the router has some type of connection with the other router.

I have checked all the rest of the parameters and the status is still down, and I can't ping the other site locally.

Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
1) What is your local WAN subnet?
Check your ADSL devices and paste what subnet you are getting for both sides (without the WAN IP).
Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
Dear, two things:
1) If your LAN IP is 192.168.10.1 255.255.255.0, then your remote should not be the same; you can try another IP like 192.168.11.1 255.255.255.0.

2) If the WAN subnet is the same, this should not trouble you; the WAN IP should be unique.

Please send me a sanitized screenshot of your LAN and WAN (only hide the WAN IP).
Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
Send me screenshots of your LAN, WAN and VPN pages (before uploading, please hide the WAN IP) of both devices so I can post you the correct configuration, and send me the logs of your devices so I can understand what's happening.

Author

Commented:
Ok, this is how I have it configured; I had to type it, as I don't know how to send you the screenshot.

*** SITE A ROUTER ***
IPsec VPN tunnel: Enabled
LOCAL GROUP SETUP
****************************
Local security gateway type: IP only
IP address: 186.91.10.10
Local security group type: Subnet
IP address: 192.168.10.1
Subnet mask: 255.255.255.0
REMOTE GROUP SETUP
****************************
Remote security gateway type: IP only
IP address: 186.91.112.45
Remote security group type: Subnet
IP address: 192.168.11.1
Subnet mask: 255.255.255.0
IPSEC SETUP
***************
Keying mode: IKE with Preshared Key
Phase 1
Encryption: 3DES
Authentication: MD5
Group: 768 bit
Key lifetime: 28800 sec
Phase 2
Encryption: 3DES
Authentication: MD5
Preshared key: 1234567890
Group: 768 bit
Key lifetime: 3600
Encryption algorithm: 3DES
Encryption key: (blank)
Authentication algorithm: MD5
Authentication key: (blank)
Inbound SPI: 0
Outbound SPI: 0

For the site B router all is the same, except I change the local IP address and the remote one to match the A router.
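The checklist in the step-by-step post above and the configuration just posted amount to a set of pairwise constraints between the two ends of the tunnel: each side's remote gateway is the other side's WAN IP, each side's local group is the other side's remote group, the two LANs must be different networks, and the Phase 1 / Phase 2 proposals and pre-shared key must match field by field. The Python script below is an added illustration, not part of this thread or of the RVS4000 firmware; it encodes those constraints and runs them over the Site A values as typed above, with Site B built as the mirror image the way the author describes. The field names, the `mirror_site` and `check_tunnel_pair` helpers, and the constructed dictionaries are my own; the pre-shared key is the placeholder value from the post. Run on these values it flags one thing the text does not state: the group addresses 192.168.10.1 and 192.168.11.1 carry host bits, whereas the later post enters the network addresses 192.168.10.0 and 192.168.11.0.

```python
"""Pairwise consistency check for two site-to-site IPsec tunnel endpoints.

Hypothetical helper written for this thread; it is not part of the RVS4000
firmware or of any vendor tool. Field names follow the router's VPN page as
described in the thread.
"""
import copy
import ipaddress

# Site A as typed in the thread (constructed dict). The pre-shared key is the
# placeholder value from the post, not a real secret.
SITE_A = {
    "local_gateway": "186.91.10.10",     # WAN IP of this site
    "local_ip": "192.168.10.1",          # local security group (subnet)
    "local_mask": "255.255.255.0",
    "remote_gateway": "186.91.112.45",   # WAN IP of the peer
    "remote_ip": "192.168.11.1",         # remote security group (subnet)
    "remote_mask": "255.255.255.0",
    "p1_encryption": "3DES",
    "p1_auth": "MD5",
    "p1_group": "768-bit",
    "p1_lifetime": 28800,
    "p2_encryption": "3DES",
    "p2_auth": "MD5",
    "p2_group": "768-bit",
    "p2_lifetime": 3600,
    "preshared_key": "1234567890",
}

# Proposal fields that must be identical on both ends of the tunnel.
PROPOSAL_FIELDS = (
    "p1_encryption", "p1_auth", "p1_group", "p1_lifetime",
    "p2_encryption", "p2_auth", "p2_group", "p2_lifetime",
    "preshared_key",
)


def mirror_site(site):
    """Build the peer's page the way the author did: same proposals,
    local and remote gateway/group swapped."""
    peer = copy.deepcopy(site)
    for here, there in (("local_gateway", "remote_gateway"),
                        ("local_ip", "remote_ip"),
                        ("local_mask", "remote_mask")):
        peer[here], peer[there] = site[there], site[here]
    return peer


def _group_network(ip, mask, label, problems):
    """Parse a security-group address/mask; flag host bits set in the address."""
    try:
        return ipaddress.IPv4Network(f"{ip}/{mask}", strict=True)
    except ValueError:
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        problems.append(
            f"{label}: {ip} has host bits set; the group address should be "
            f"the network address {net.network_address}")
        return net


def check_tunnel_pair(site_a, site_b):
    """Return a list of mismatches between two endpoints (empty = consistent)."""
    problems = []

    # 1. Gateways: each side's remote gateway is the other side's WAN IP,
    #    and the two WAN IPs must differ.
    if site_a["remote_gateway"] != site_b["local_gateway"]:
        problems.append("Site A remote gateway does not match Site B WAN IP")
    if site_b["remote_gateway"] != site_a["local_gateway"]:
        problems.append("Site B remote gateway does not match Site A WAN IP")
    if site_a["local_gateway"] == site_b["local_gateway"]:
        problems.append("both sites use the same WAN IP")

    # 2. Security groups: local group of one side == remote group of the other,
    #    and the two LANs must not overlap (the router refuses equal networks).
    a_local = _group_network(site_a["local_ip"], site_a["local_mask"], "Site A local group", problems)
    a_remote = _group_network(site_a["remote_ip"], site_a["remote_mask"], "Site A remote group", problems)
    b_local = _group_network(site_b["local_ip"], site_b["local_mask"], "Site B local group", problems)
    b_remote = _group_network(site_b["remote_ip"], site_b["remote_mask"], "Site B remote group", problems)
    if a_local != b_remote:
        problems.append(f"Site A local group {a_local} != Site B remote group {b_remote}")
    if b_local != a_remote:
        problems.append(f"Site B local group {b_local} != Site A remote group {a_remote}")
    if a_local.overlaps(b_local):
        problems.append(f"LAN subnets {a_local} and {b_local} overlap; the sites need distinct LAN ranges")

    # 3. Proposals and PSK must match field by field. The key itself is never
    #    echoed into the report.
    for field in PROPOSAL_FIELDS:
        if site_a[field] != site_b[field]:
            if field == "preshared_key":
                problems.append("preshared_key differs between the sites")
            else:
                problems.append(f"{field} differs: Site A={site_a[field]!r}, Site B={site_b[field]!r}")
    return problems


if __name__ == "__main__":
    for line in check_tunnel_pair(SITE_A, mirror_site(SITE_A)) or ["no mismatches found"]:
        print(line)
```

The script only compares what is typed on the two pages; it cannot see NAT in front of the WAN interface, a blocked UDP 500/4500 path, or a firmware fault, which is why the expert's advice to confirm reachability of the remote public IP and to read the VPN log still comes first.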

Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
Reset your router to factory defaults and do the following configuration:

Logon to RVS4000 (Site A)
-------->VPN>IPSECVPN
-------->Enable
Tunnel Name (YOUR COMPANY)

Local Group Setup
Local Security Setup-----------IP ONLY
IP Address---------------------192.168.10.0
Subnet Mask--------------------255.255.255.0

Remote Group Setup
Remote Security Group Type---------WAN IP REMOTE SITE
Remote Sec Type-------------(select security)

IP SEC SETUP----------------IKE WITH P
PHASE 1---------3DES
AUT-------------MD5
GROUP-----------1024
KEY life--------28800

PHASE2

ENC-------------3DES
AUT-------------SHA1
KEY-------------XXXXXXXXXXXXX
GROUP-----------1024
KEY LIFE--------XXXXX

connect
---------------------------------------------------
Logon to RVS4000 (Site B)
-------->VPN>IPSECVPN
-------->Enable
Tunnel Name (YOUR COMPANY)

Local Group Setup
Local Security Setup-----------IP ONLY
IP Address---------------------192.168.11.0
Subnet Mask--------------------255.255.255.0

Remote Group Setup
Remote Security Group Type---------WAN IP REMOTE SITE
Remote Sec Type-------------(select security)

IP SEC SETUP----------------IKE WITH P
PHASE 1---------3DES
AUT-------------MD5
GROUP-----------1024
KEY life--------28800

PHASE2

ENC-------------3DES
AUT-------------SHA1
KEY-------------XXXXXXXXXXXXX
GROUP-----------1024
KEY LIFE--------XXXXX

connect


• Local Secure Group is the same as the local gateway's LAN IP segment;
• Remote Secure Group is the same as the remote gateway's LAN IP segment;
• Remote Secure Gateway is the WAN/Internet IP address of the remote gateway;
• Encryption and Authentication are the same as those of the remote gateway; and
• Pre-Shared Key and Key Life Time are the same as those of the remote gateway.

Author

Commented:
I have done all as indicated above but can't connect. I'm thinking of changing routers. Could you please recommend 2 router brands and models I could purchase that are simple to configure for a VPN?

Thanks
Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
Since you are unable to connect, I would prefer you not assign points, regardless of whether your hardware is working or not.

If you have a limited budget you can go with a Cisco 800 series router (depending on availability); if you have a little more, you can order any entry-level firewall (SonicWall TZ series).

Website: http://www.sonicwall.com/us/products/TZ_Series.html#tab=compare
Live demo: http://livedemo.sonicwall.com/livedemo.html#html_UTM

If you can order a SonicWall TZ210, this could be the best option:
1- for the cost of a router you will have Firewall, IPS, Gateway Anti-Virus
2- you will have VPN + SSL + Global VPN Client

Sometimes SonicWall offers buy-back, so once you think you want to upgrade you can exchange your firewall for a newer model (this offer depends customer to customer, country to country).

Author

Commented:
Thanks Syed_M_Usman, I appreciate your advice.

Best regards
Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
If you don't mind, can you log on to your Router > VPN page, press the Print Screen button and send it to me, please.

Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
you are welcome :)

Author

Commented:
Ok, this is the config for router A.
site-1-router-up.jpg
site-1-router-down.jpg
Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
Site A looks fine; what about Site B?

Author

Commented:
Site B is the same; I changed only the local and remote IPs to match the A router. All firewalls are off and still no connection. I think it has to do with a hardware malfunction; I'll try with Hamachi VPN and SonicWall.

Thanks again.
Syed_M_Usman, System Administrator
CERTIFIED EXPERT
Top Expert 2011

Commented:
Ok, feel free to ask.
In phase 1 you can try SHA1 instead of MD5.