Gateway to gateway VPN not connecting

I'm trying to connect a location with a Cisco RV042 router, to a branch that has a Cisco RV180.
A standard gateway to gateway VPN, with a twist: in both locations I have an ADSL router and the two Ciscos are behind them. I can't switch the ADSL routers to bridge mode, so I put the Ciscos in DMZ and forwarded ports 500 and 4500. I've enabled NAT traversal in RV042, could not find the option in the RV180.

Tried for a few hours to make them connect, no joy. Can you please look at the configuration and see if you spot an error? From the logs, looks like phase 1 completes successfully, then phase 2 never finishes.

I had to use a FQDN (dyndns domains) because the IPs on the routers are not public (the public IPs are on the ADSL routers).

Attachments: RV042 setup, RV042 log, RV180 setup phase 1, RV180 phase 2, RV180 log

Dan Craciun (IT Consultant) asked:
John (Business Consultant, Owner) commented:
I have never used DMZ on these boxes to connect IPsec VPN. I am not sure if it will work.

I use the first setup variable in Local Group as IP address and then the Local external IP address on both ends. I have a Cisco RV042 and use RV220 as well.

Otherwise the local internal setups an IKE setup looks OK and similar to my own (NOT in DMZ however).

You might try with / without Aggressive and with / without NAT Traversal. Keep track of your settings and trials.

I always turn Dead Peer Detect ON.
0
Fred Marshall (Principal) commented:
>> A standard gateway to gateway VPN, with a twist: in both locations I have an ADSL router and the two Ciscos are behind them. I can't switch the ADSL routers to bridge mode, so I put the Ciscos in DMZ and forwarded ports 500 and 4500. I've enabled NAT traversal in RV042, could not find the option in the RV180.

My bet is that this is the problem.  
RV042 doesn't do what you might think it does on the DMZ port.  But, I'm sorry I don't remember all the particulars.
Also, you can run ONE RV042 behind NAT and, so, not at both ends of the VPN.
So, if you can set one of those modems in bridge mode, that should be sufficient.

1) Get away from the DMZ ports.
2) Put one of the modems in bridge mode so you can have a public IP address on the RV042 and turn on IPSEC passthrough on that device (or the ports as you've done to the privately-addressed RV042).
0

John (Business Consultant, Owner) commented:
Yes, and that is why I posted the External specifics in my post.  I think you have to do that.
0

Dan Craciun (IT Consultant, Author) commented:
I was not referring to the DMZs on the Ciscos. On the Huawei routers I've setup the IP of the RV042 and RV180 as the DMZ IP.

The topology is as follows:
LAN1 192.168.1.0
  | 192.168.1.1 (LAN side)
RV042
  | 10.0.1.2 (WAN side) -> 10.0.1.1
HUAWEI ADSL
  | 12.34.56.78 (public)
-- INTERNET --
  | 12.34.56.79 (public)
HUAWEI ADSL
  | 10.0.2.1 -> 10.0.2.2 (WAN side)
RV180
  | 192.168.2.1 (LAN side)

(attached image: dmz on the huawei modem)
0
John (Business Consultant, Owner) commented:
The topology overlaps so it is a bit hard to read.

VPN needs external addressing on both ends. You have it only on one end. I do not think it can connect (at least I have never seen it connect that way in about a decade of use).
0
Dan Craciun (IT Consultant, Author) commented:
Is this better?
(attached image: topology)
0
John (Business Consultant, Owner) commented:
I can see it better. Put the external IP 12.34.56.78 in each RV router on each end.
0
Dan Craciun (IT Consultant, Author) commented:
That would be ideal. Putting both ADSL routers in bridge mode. But 2 hours with the ISP's support and they keep saying it can't be done (new Telekom policy - the ISP - you can no longer put the modem/routers in bridge mode, if you need something beyond NAT you need to buy the equipment from them).
0
John (Business Consultant, Owner) commented:
I have seen this before. I have to pay a monthly upcharge for my Nokia CS18 USB key to use VPN. I do not see another way, because the way you portray the topology, the VPN endpoints have no idea what to do.
0
Fred Marshall (Principal) commented:
As I said earlier:
Also, you can run ONE RV042 behind NAT and, so, not at both ends of the VPN.
0
Dan Craciun (IT Consultant, Author) commented:
I've moved the RV042 on another network to prove to the client that the ISP is the problem. I've configured a VPN group on the RV042 and I'm using Shrew Soft's VPN client.
The client connects without any problem, I can ping and access the remote router, but not the computers behind it (192.168.1.x). The ping fails, the names do not resolve. What am I missing?

(attached image: configuration)
0
John (Business Consultant, Owner) commented:
>> The ping fails, the names do not resolve. What am I missing?

Make sure the subnets on both ends are different; 192.168.1.x is very common. I try to avoid this on the business (remote) end because people often have .1 as their home office subnet.

Names do not resolve probably because DNS is not set up. I access services by IP address or by putting the domain name in the local HOSTS file.
0
Fred Marshall (Principal) commented:
This is an entirely different situation with a VPN client.  So, I'm not sure which problem you're looking at now.
Still needing the site-to-site VPN?

I agree with John.  You need to assure different subnets.  I will use something like 192.168.191.0 at the site subnet so that there is little chance that an external subnet will be the same.  Something like 10.91.82.0 would likely be even better as there are even more combinations and the 10.xxx.xxx.0 subnets aren't as likely as the 192.168.xxx.0 subnets in homes, offices, hotspots.  Your current office subnet is much too common to allow general client VPN success.
0
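As an added example (not part of the thread, and not Cisco or Experts Exchange code): a small Python script that runs offline the two checks the thread keeps coming back to, whether each gateway's WAN address is a public one or sits behind the ISP's NAT (the double-NAT problem in Dan's topology post), and whether the site LANs and the remote-client pool overlap (John's and Fred's subnet advice). The addresses are the ones Dan posted plus his later 192.168.30.x client pool; the 203.0.113.10 address standing in for the static public IP on the UPC line is a documentation-range placeholder, since the real address is not on the page.

```python
# Added example, not from the thread: offline sanity checks for a
# gateway-to-gateway IPsec topology. Addresses are taken from the topology
# posted above; anything else is a constructed placeholder.
import ipaddress
from dataclasses import dataclass

# Address ranges that never appear on the public Internet: RFC 1918 plus the
# carrier-grade NAT range. A WAN port holding one of these is behind a NAT box.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass
class Endpoint:
    name: str
    wan_ip: str    # address configured on the VPN router's WAN port
    lan_net: str   # network behind the VPN router


def behind_nat(ep: Endpoint) -> bool:
    """True if the router's WAN address is non-routable, i.e. another device
    (here the ISP's ADSL router) holds the public address in front of it."""
    addr = ipaddress.ip_address(ep.wan_ip)
    return any(addr in net for net in NON_PUBLIC)


def double_nat(a: Endpoint, b: Endpoint) -> bool:
    """Both ends behind NAT: the situation the thread says these routers
    cannot bridge; at least one side needs the public address itself."""
    return behind_nat(a) and behind_nat(b)


def overlapping_networks(nets) -> list:
    """Return every pair of networks that overlap. Any overlap between the
    two LANs, or between a LAN and the client pool, leaves the router with
    no way to decide which side of the tunnel a packet belongs to."""
    parsed = [(n, ipaddress.ip_network(n, strict=False)) for n in nets]
    return [(x, y) for i, (x, nx) in enumerate(parsed)
            for (y, ny) in parsed[i + 1:] if nx.overlaps(ny)]


def check_topology(a: Endpoint, b: Endpoint, client_pool: str = None) -> list:
    """Collect human-readable findings for a pair of gateways and an optional
    remote-client pool (the 192.168.30.x range used later in the thread)."""
    findings = []
    for ep in (a, b):
        if behind_nat(ep):
            findings.append(f"{ep.name}: WAN {ep.wan_ip} is not a public address (behind NAT)")
    if double_nat(a, b):
        findings.append("both gateways are behind NAT; put at least one modem in bridge mode")
    nets = [a.lan_net, b.lan_net] + ([client_pool] if client_pool else [])
    for x, y in overlapping_networks(nets):
        findings.append(f"subnet overlap: {x} and {y}")
    return findings


# Constructed from the topology posted in the thread (RV042 and RV180 each
# behind a Huawei ADSL router that holds the public address).
SITE_A = Endpoint("RV042", "10.0.1.2", "192.168.1.0/24")
SITE_B = Endpoint("RV180", "10.0.2.2", "192.168.2.0/24")
# The RV042 after it was moved to a directly connected line with a static
# public IP. The real address is not on the page; 203.0.113.10 is a
# documentation-range placeholder.
SITE_A_MOVED = Endpoint("RV042 (UPC line)", "203.0.113.10", "192.168.1.0/24")

if __name__ == "__main__":
    print("original topology:")
    for finding in check_topology(SITE_A, SITE_B, "192.168.30.0/24"):
        print("  -", finding)
    print("after moving the RV042:")
    for finding in check_topology(SITE_A_MOVED, SITE_B, "192.168.30.0/24"):
        print("  -", finding)
```

Run against the posted topology, the script reports both WAN addresses as private and flags the double NAT; with the RV042 moved to a public line only the RV180 is still flagged, which matches what the thread observed when the tunnel started working from the UPC location. Feeding a client's own home LAN into `overlapping_networks` alongside the site LAN is the quickest way to catch the 192.168.1.x collision John and Fred describe.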
Dan Craciun (IT Consultant, Author) commented:
No chance for overlap. The computer I'm on now is on a 10.0.1.x network. The remote router is on a 192.168.1.x network. The VPN client is set to use 192.168.30.10 IP.

I have an identical setup at another clients'. And there I can ping and browse the computers behind the router.
The only difference is the working one uses an older model of RV042 (before the Linksys acquisition).

The problem is still a gateway to gateway network, but the ISP's agent insisted that the problem is my router, not their network. So instead of moving both routers on other locations, I've configured a client to gateway network, showed it does not connect while on Telekom's network, then moved the RV042 on another location, with another ISP (UPC) and connected to it without touching the VPN settings.
0
Fred Marshall (Principal) commented:
I wonder a couple of things out of a fair bit of ignorance:

- Are you sure the VPN client you're using can be supported on an RV042?  I had no luck when I tried this with a number of clients.  But, that was some time ago.

- Have you tried an email address method for the Remote Client Setup?  I don't know what kind of Domain Names are acceptable.  Or maybe you have to use dyndns??  Anyway, some of the instructions say you need a "registered" domain name.  And, if you have dynamic public IP addresses, you probably need to use dyndns anyway.
0
Fred Marshall (Principal) commented:
Same Huawei router in the test that works?

Still, don't expect a pair of RV042s to work without one of them having a public IP.
0
John (Business Consultant, Owner) commented:
Good points. I have used Shrew Soft but it requires changes in the router setup that I am not altogether familiar with. We have dumped Shrew Soft and use NCP Secure Entry instead. The router set up is more vanilla with NCP. I have done this.
0
Dan Craciun (IT Consultant, Author) commented:
>>Are you sure the VPN client you're using can be supported on an RV042?
Yup. Like I said, I already have an identical setup that is working, only on an older version of router (which in theory should not matter).

>>Have you tried an email address method for the Remote Client Setup?
Nope. I simply duplicated the working setup (working for a few years now), thinking it should work. And it does (I can ping and connect to the router using the web interface), just not after the router. I've tried disabling the firewall on the router and adding a new rule to allow traffic on WAN1, but no joy.
0
Dan Craciun (IT Consultant, Author) commented:
No Huawei router now. On the UPC network the RV042 is directly connected to the Internet, with a static IP.
0
Fred Marshall (Principal) commented:
???? I thought you said that it worked OK without the Telekom router and with another router somewhere?
So now it doesn't work without a router at all?
Sorry that I'm confused.
0
Dan Craciun (IT Consultant, Author) commented:
The setup that is not working is here ID: 40414704.
The Huawei modem/routers are Telekom's.

I've moved a single RV042 to another location, with another ISP (UPC). I'm connecting to it from yet another location (UPC also).
What I'm trying to prove is that the reason the VPN is not working on Telekom is the Huawei routers.

Let me know if this clarifies things a bit.
0
Dan Craciun (IT Consultant, Author) commented:
@John: >> I have used Shrew Soft but it requires changes in the router setup
You can find the detailed how-to here: https://www.shrew.net/support/Howto_Linksys
I've tested it and it works. And once you create a connection, just export the vpn file and email it to all those that need it (changing the IP, of course).

I'm using Shrew Soft's client because it's free if you don't need AD.
0
John (Business Consultant, Owner) commented:
NCP is not free but also does not need AD.  I know Shrew Soft works, but we moved away from it because NCP was easier and works in double NAT situations that Shrew Soft and Juniper clients do not.
0
John (Business Consultant, Owner) commented:
You can go here:

https://www.ncp-e.com/en/products/ipsec-vpn-client-suite.html

and download trial software. I did that and they helped me connect at which point I licensed it.
0
Dan Craciun (IT Consultant, Author) commented:
Tried NCP, same result. Cannot ping computers behind the router.

And I think I know why. See the routing table:
(attached image: routing table)
As you can see, for 192.168.30.3 (my client), the default gateway is 10.0.0.1. It should be 192.168.1.1.
How can I change it?
0
John (Business Consultant, Owner) commented:
In the same table on my RV042G, I just see the other end internal IP and my external IP.

Have you tried removing all the tunnels, resetting your RV042 and setting it up again? The extra routes seem to be left overs.

Did you press the Clear button?
0
Dan Craciun (IT Consultant, Author) commented:
I'm not in the same location with the router, so I'm going to reset it tomorrow, to see if the problem is resolved.
0
Fred Marshall (Principal) commented:
Yes, and if the RV180 is anything like the RV042 then you can't have *both* of them behind NAT as with the two Huawei / Telekom routers.
You certainly can't have two RV042s supporting a VPN when they are *both* behind NAT.
Could that be the issue here?
0
Dan Craciun (IT Consultant, Author) commented:
I'm doing a test now, and the RV042 is no longer behind NAT.

But to show the client that the test is successful I need to ping/access the devices behind the RV042.
0
John (Business Consultant, Owner) commented:
With a vanilla tunnel setup (some of the settings you posted look similar to mine) that should not be a problem.

See if you can access the router to manage it if you need to make changes.

https://192.168.1.1 or whatever address.
0
Dan Craciun (IT Consultant, Author) commented:
I can access the router through the VPN tunnel without any problem. But if I delete the tunnel and reset the router I'll no longer be able to access it (I'm not in the same location as the router).
0
John (Business Consultant, Owner) commented:
You can clear the routing table, but I am not sure if that deletes the tunnel, so you might wish to wait until you are at the router just in case.
0
Dan Craciun (IT Consultant, Author) commented:
I had to do 3 things to make it work:
1. disable the firewall on a station behind the RV042
2. reset the router to factory settings
3. recreate the tunnel.

After that, it worked. So I added an exception on the firewall in the stations behind the router and the test is complete: I can ping and access shares using the VPN tunnel. I can show the client that the problem was the Telekom Huawei routers.

The rest depends on the client: if he wants to keep the provider he'll need a more expensive plan. If not, there are other ISPs here.

Thanks John and fmarshall.
0
John (Business Consultant, Owner) commented:
Hi Dan. Thanks for the update and I was happy to help. Good luck going forward and let us know if we can further assist.
0
Fred Marshall (Principal) commented:
Thanks!
Did you end up with both RVs behind NAT?
0
Dan Craciun (IT Consultant, Author) commented:
For the moment yes, the RVs are both behind NAT and the VPN is not working using that setup. I did a test with one of them connected directly to the internet (a different location, with a different ISP) and the VPN works.
0
Fred Marshall (Principal) commented:
Other than not knowing the RV180, that seems to support the notion that it is working the same as a pair of RV042s.
And, that you can't do that (have both behind NAT - but only one).

It's unfortunate to have an ISP that can't deliver a public IP address!!  I would likely call that "unacceptable" in many situations.
0