Solved

Gateway to gateway VPN not connecting

Posted on 2014-10-30
Last Modified: 2014-11-02
I'm trying to connect a location with a Cisco RV042 router, to a branch that has a Cisco RV180.
A standard gateway to gateway VPN, with a twist: in both locations I have an ADSL router and the two Ciscos are behind them. I can't switch the ADSL routers to bridge mode, so I put the Ciscos in DMZ and forwarded ports 500 and 4500. I've enabled NAT traversal in the RV042, but could not find the option in the RV180.

Tried for a few hours to make them connect, no joy. Can you please look at the configuration and see if you spot an error? From the logs, it looks like phase 1 completes successfully, then phase 2 never finishes.

I had to use a FQDN (dyndns domains) because the IPs on the routers are not public (the public IPs are on the ADSL routers).

(attached screenshots: RV042 setup, RV042 log, RV180 setup phase 1, RV180 phase 2, RV180 log)
Question by:Dan Craciun
37 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 300 total points
ID: 40414579
I have never used DMZ on these boxes to connect IPsec VPN. I am not sure if it will work.

I use the first setup variable in Local Group as IP address and then the Local external IP address on both ends. I have a Cisco RV042 and use RV220 as well.

Otherwise the local internal setup and IKE setup look OK and similar to my own (NOT in DMZ however).

You might try with / without Aggressive and with / without NAT Traversal. Keep track of your settings and trials.

I always turn Dead Peer Detect ON.
0
 
LVL 25

Accepted Solution

by:Fred Marshall
Fred Marshall earned 200 total points
ID: 40414589
A standard gateway to gateway VPN, with a twist: in both locations I have an ADSL router and the two Ciscos are behind them. I can't switch the ADSL routers to bridge mode, so I put the Ciscos in DMZ and forwarded ports 500 and 4500. I've enabled NAT traversal in RV042, could not find the option in the RV180.

My bet is that this is the problem.  
RV042 doesn't do what you might think it does on the DMZ port.  But, I'm sorry I don't remember all the particulars.
Also, you can run ONE RV042 behind NAT and, so, not at both ends of the VPN.
So, if you can set one of those modems in bridge mode, that should be sufficient.

1) Get away from the DMZ ports.
2) Put one of the modems in bridge mode so you can have a public IP address on the RV042 and turn on IPSEC passthrough on that device (or forward the ports, as you've done to the privately-addressed RV042).
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40414608
Yes, and that is why I posted the External specifics in my post.  I think you have to do that.
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40414629
I was not referring to the DMZs on the Ciscos. On the Huawei routers I've set up the IP of the RV042 and RV180 as the DMZ IP.

The topology is as follows:
LAN1 192.168.1.0
  | 192.168.1.1
RV042
  | 10.0.1.2 -> 10.0.1.1
HUAWEI ADSL (WAN 12.34.56.78)
  |
-- INTERNET --
  |
HUAWEI ADSL (WAN 12.34.56.79)
  | 10.0.2.1 -> 10.0.2.2
RV180
  | 192.168.2.1
LAN2 192.168.2.0

DMZ is on the Huawei modem (pointing at the RV's 10.0.x.2 address).
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40414644
The topology overlaps so it is a bit hard to read.

VPN needs external addressing on both ends. You have it only on one end. I do not think it can connect (at least I have never seen it connect that way in about a decade of use).
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40414704
Is this better?
(attached: topology diagram)
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40414709
I can see it better. Put the external IP 12.34.56.78 in each RV router on each end.
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40414717
That would be ideal. Putting both ADSL routers in bridge mode. But 2 hours with the ISP's support and they keep saying it can't be done (new Telekom policy - the ISP - you can no longer put the modem/routers in bridge mode, if you need something beyond NAT you need to buy the equipment from them).
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40414796
I have seen this before. I have to pay a monthly upcharge for my Nokia CS18 USB key to use VPN. I do not see another way, because the way you portray the topology, the VPN endpoints have no idea what to do.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40415082
As I said earlier:
Also, you can run ONE RV042 behind NAT and, so, not at both ends of the VPN.
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40417349
I've moved the RV042 to another network to prove to the client that the ISP is the problem. I've configured a VPN group on the RV042 and I'm using Shrew Soft's VPN client.
The client connects without any problem, I can ping and access the remote router, but not the computers behind it (192.168.1.x). The ping fails, the names do not resolve. What am I missing?

(attached: configuration screenshot)
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40417360
The ping fails, the names do not resolve. What am I missing?

Make sure the subnets on both ends are different; 192.168.1.x is very common. I try to avoid this on the business (remote) end because people often have .1 as their home office subnet.

Names do not resolve probably because DNS is not set up. I access services by IP address or by putting the domain name in the local HOSTS file.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40417380
This is an entirely different situation with a VPN client.  So, I'm not sure which problem you're looking at now.
Still needing the site-to-site VPN?

I agree with John.  You need to assure different subnets.  I will use something like 192.168.191.0 at the site subnet so that there is little chance that an external subnet will be the same.  Something like 10.91.82.0 would likely be even better as there are even more combinations and the 10.xxx.xxx.0 subnets aren't as likely as the 192.168.xxx.0 subnets in homes, offices, hotspots.  Your current office subnet is much too common to allow general client VPN success.
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40417405
No chance for overlap. The computer I'm on now is on a 10.0.1.x network. The remote router is on a 192.168.1.x network. The VPN client is set to use 192.168.30.10 IP.

I have an identical setup at another client's. And there I can ping and browse the computers behind the router.
The only difference is the working one uses an older model of RV042 (before the Linksys acquisition).

The problem is still a gateway to gateway network, but the ISP's agent insisted that the problem is my router, not their network. So instead of moving both routers to other locations, I've configured a client to gateway network, showed it does not connect while on Telekom's network, then moved the RV042 to another location, with another ISP (UPC), and connected to it without touching the VPN settings.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40417422
I wonder a couple of things out of a fair bit of ignorance:

- Are you sure the VPN client you're using can be supported on an RV042?  I had no luck when I tried this with a number of clients.  But, that was some time ago.

- Have you tried an email address method for the Remote Client Setup?  I don't know what kind of Domain Names are acceptable.  Or maybe you have to use dyndns??  Anyway, some of the instructions say you need a "registered" domain name.  And, if you have dynamic public IP addresses, you probably need to use dyndns anyway.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40417426
Same Huawei router in the test that works?

Still, don't expect a pair of RV042s to work without one of them having a public IP.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40417428
Good points. I have used Shrew Soft but it requires changes in the router setup that I am not altogether familiar with. We have dumped Shrew Soft and use NCP Secure Entry instead. The router setup is more vanilla with NCP. I have done this.
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40417431
>>Are you sure the VPN client you're using can be supported on an RV042?
Yup. Like I said, I already have an identical setup that is working, only on an older version of router (which in theory should not matter).

>>Have you tried an email address method for the Remote Client Setup?
Nope. I simply duplicated the working setup (working for a few years now), thinking it should work. And it does (I can ping and connect to the router using the web interface), just not after the router. I've tried disabling the firewall on the router and adding a new rule to allow traffic on WAN1, but no joy.
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40417432
No Huawei router now. On the UPC network the RV042 is directly connected to the Internet, with a static IP.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40417485
???? I thought you said that it worked OK without the Telekom router and with another router somewhere?
So now it doesn't work without a router at all?
Sorry that I'm confused.
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40417495
The setup that is not working is here ID: 40414704.
The Huawei modem/routers are Telekom's.

I've moved a single RV042 to another location, with another ISP (UPC). I'm connecting to it from yet another location (UPC also).
What I'm trying to prove is that the reason the VPN is not working on Telekom is the Huawei routers.

Let me know if this clarifies things a bit.
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40417498
@John: >> I have used Shrew Soft but it requires changes in the router setup
You can find the detailed how-to here: https://www.shrew.net/support/Howto_Linksys
I've tested it and it works. And once you create a connection, just export the vpn file and email it to all those that need it (changing the IP, of course).

I'm using Shrew Soft's client because it's free if you don't need AD.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40417514
NCP is not free but also does not need AD.  I know Shrew Soft works, but we moved away from it because NCP was easier and works in double NAT situations that Shrew Soft and Juniper clients do not.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40417527
You can go here:

https://www.ncp-e.com/en/products/ipsec-vpn-client-suite.html

and download trial software. I did that and they helped me connect at which point I licensed it.
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40417564
Tried NCP, same result. Cannot ping computers behind the router.

And I think I know why. See the routing table:
(attached: routing table screenshot)
As you can see, for 192.168.30.3 (my client), the default gateway is 10.0.0.1. It should be 192.168.1.1.
How can I change it?
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 300 total points
ID: 40417585
In the same table on my RV042G, I just see the other end internal IP and my external IP.

Have you tried removing all the tunnels, resetting your RV042 and setting it up again? The extra routes seem to be leftovers.

Did you press the Clear button?
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40417610
I'm not in the same location with the router, so I'm going to reset it tomorrow, to see if the problem is resolved.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40417638
Yes, and if the RV180 is anything like the RV042 then you can't have *both* of them behind NAT as with the two Huawei / Telekom routers.
You certainly can't have two RV042s supporting a VPN when they are *both* behind NAT.
Could that be the issue here?
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40417687
I'm doing a test now, and the RV042 is no longer behind NAT.

But to show the client that the test is successful I need to ping/access the devices behind the RV042.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40417690
With a vanilla tunnel setup (some of the settings you posted look similar to mine) that should not be a problem.

See if you can access the router to manage it if you need to make changes.

https://192.168.1.1 or whatever address.
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40417694
I can access the router through the VPN tunnel without any problem. But if I delete the tunnel and reset the router I'll no longer be able to access it (I'm not in the same location as the router).
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40417697
You can clear the routing table, but I am not sure if that deletes the tunnel, so you might wish to wait until you are at the router just in case.
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40418499
I had to do 3 things to make it work:
1. disable the firewall on a station behind the RV042
2. reset the router to factory settings
3. recreate the tunnel.

After that, it worked. So I added an exception on the firewall in the stations behind the router and the test is complete: I can ping and access shares using the VPN tunnel. I can show the client that the problem was the Telekom Huawei routers.

The rest depends on the client: if he wants to keep the provider he'll need a more expensive plan. If not, there are other ISPs here.

Thanks John and fmarshall.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40418503
Hi Dan. Thanks for the update and I was happy to help. Good luck going forward and let us know if we can further assist.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40418506
Thanks!
Did you end up with both RVs behind NAT?
0
 
LVL 34

Author Comment

by:Dan Craciun
ID: 40418511
For the moment yes, the RVs are both behind NAT and the VPN is not working using that setup. I did a test with one of them connected directly to the internet (a different location, with a different ISP) and the VPN works.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40418573
Other than not knowing the RV180, that seems to support the notion that it is working the same as a pair of RV042s.
And, that you can't do that (have both behind NAT - but only one).

It's unfortunate to have an ISP that can't deliver a public IP address!!  I would likely call that "unacceptable" in many situations.
0
