No connection when setting up a VPN between two Cisco RV320 devices when one device is behind another router.


I am trying to create a VPN tunnel between two Cisco devices (RV320). My problem is that one of the devices is behind another router. Because of the ISP there, we have to use this router.
Here are the details:

network A:
router A:

network B (behind another router):
router B:

I set up the WAN of Cisco B to a static IP with and gateway to

I think the problem is that the VPN settings don't allow changing the "local IP". It is automatically set to
But without another router between the Cisco and the internet, this is normally the IP provided to the router by the ISP.

Please help me with which setting I have to change. Both sides always say "waiting for connection".
The firewall is disabled; the ports (UDP 500, UDP 4500, ESP, TCP 10000) are forwarded to from Router B.

Thanks for helping me


John, Business Consultant (Owner), commented:
I have an RV325 with tunnels to Juniper devices and one RV082 box. At the RV325:

Local IP: 192.168.x.1 easily settable.
Local External IP: 99.x.x.x
Local External Gateway: 99.x.x.1  (both set by ISP)
DNS:  As set by ISP
Local DHCP: 192.168.x.100 - 149
Firewall: All enabled: Remote Management on port 443

Tunnel Setup:

Interface: WAN 1
Local group setup:
Type: IP Only
IP Address: External not settable
Local security type: Subnet
IP Address: 192.168.x.0
Subnet Mask:

Remote group setup:
Remote Gateway Type: IP Only
IP Address: Other end IP
Remote Security Group: Subnet
IP address: 192.168.z.0

IPsec Setup
IKE Pre-share
Phase 1: Group 2, 3DES, SHA1 or greater
PFS not enabled
Phase 2: Group 2, 3DES, SHA1 or greater

Pre-shared key: enter key

Aggressive mode: no
Compress: no
Keep Alive: yes
AH Hash: no
Net Bios broadcast: no
NAT Traversal: varies, often yes for me
Dead Peer Detect: yes 10 seconds.
loosain (Author) commented:
I tried to set it up with DynDNS. The log says:

[g2gips0]: [Tunnel Disconnected]
John, Business Consultant (Owner), commented:
Try again with DynDNS and check all the settings I gave you.

Try also without DynDNS
loosain (Author) commented:
I set everything up like you did... Is there any chance to get more information? "Tunnel disconnected" is not helping much to find the problem...
loosain (Author) commented:
I just tried to switch the remote group gateway type to "IP only" and used "IP by DNS resolved".
Now I get a new error:

      [g2gips0] #126: [Tunnel Authorize Fail] malformed payload in packet
John, Business Consultant (Owner), commented:
Set up Logging, restart the router, attempt to make a connection and look in the System Error Messages. What do these tell you?

I gave you one end. Is the IPsec setup at the other end the same as the local end (except for IP addressing)?
John, Business Consultant (Owner), commented:
It sounds like a basic connection issue. Check the System Error messages as I suggested.
loosain (Author) commented:
I tried this, but no success...
So I switched back to "dynamic IP + domain name auth".
With this I have to use aggressive mode.

Both endpoints have the same settings (except for the IP).

Error log only says: [g2gips0]: [Tunnel Disconnected]

What is irritating is that Cisco A with the static IP shows for the remote gateway under the DynDNS FQDN.

Maybe this is the problem?
John, Business Consultant (Owner), commented:
Remote gateway cannot be !   Try resetting both ends and setting up without DynDNS.
loosain (Author) commented:
It seems that the Cisco can't resolve the IP. But if I resolve the IP from Diagnostics in the device, it resolves the right IP.

The other Cisco is behind  of another router. Is it possible to set up DynDNS if the Cisco isn't making the dial-up? I only set up a static IP for the WAN.

Cisco A --static IP ------ web ------ Static IP --- Router --- static local IP---Cisco B ---- x.x.x.x ---web ---- y.y.y.y --- --- (WAN ip)
John, Business Consultant (Owner), commented:
I set up for a static IP address and have no difficulty making a connection. --- (WAN ip)  <-- I do not understand this. My local IP is 192.168.x.1. There is no 254 address.

1. Did you try resetting your RV325 to factory settings?
2. Did you set up logging and what messages do you have in the System Error message log?
John, Business Consultant (Owner), commented:
The device IP should be the Gateway as well. There is no separate Gateway address.

loosain (Author) commented:
Found the error!!!
In one router there was an old port forwarding for the ports used by IPsec to a non-existing NAS... This made the VPN time out for missing packets...
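The root cause above (a stale forward on the upstream router sending IPsec traffic to a host that no longer exists) is easy to miss by eye, so here is an added example, not code from the thread or from Cisco: a small Python audit of an upstream router's port-forward table that checks the IKE, NAT-T, ESP and TCP 10000 forwards all point at the inside RV320. The `ForwardRule` type, the rule table and all addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Traffic a gateway-to-gateway IPsec tunnel needs forwarded to the inside RV320
# (the asker forwarded UDP 500, UDP 4500, ESP and TCP 10000). ESP is IP
# protocol 50 and has no port, so it is modelled here with port 0. A forward
# left pointing at a decommissioned host is this thread's failure mode: the
# upstream router swallows IKE/ESP and the RV320 only logs "Tunnel Disconnected".
IPSEC_SERVICES = {
    ("udp", 500): "IKE",
    ("udp", 4500): "NAT-T",
    ("esp", 0): "ESP",
    ("tcp", 10000): "TCP 10000",
}

@dataclass(frozen=True)
class ForwardRule:
    proto: str        # "tcp", "udp" or "esp"
    port: int         # 0 for ESP
    target: str       # inside host the upstream router hands the traffic to
    enabled: bool = True

def audit_ipsec_forwards(rules, vpn_lan_ip):
    """Map each IPsec service to "ok", "missing" or "misdirected to <host>"."""
    result = {}
    for (proto, port), name in IPSEC_SERVICES.items():
        matches = [r for r in rules
                   if r.enabled and r.proto == proto and r.port == port]
        if not matches:
            result[name] = "missing"
            continue
        stray = sorted({r.target for r in matches if r.target != vpn_lan_ip})
        # The first matching rule usually wins, so a stray target is a problem
        # even when a correct rule for the same service also exists.
        result[name] = "misdirected to " + ", ".join(stray) if stray else "ok"
    return result

def findings(rules, vpn_lan_ip):
    """Only the services that need fixing, one readable line each."""
    return [f"{n}: {s}" for n, s in audit_ipsec_forwards(rules, vpn_lan_ip).items()
            if s != "ok"]

# Constructed sample (hypothetical addresses): the RV320 sits at 192.168.1.254
# behind the upstream router; a stale UDP 500 rule still targets an old NAS.
SAMPLE_RULES = [
    ForwardRule("udp", 500, "192.168.1.20"),     # stale: NAS no longer exists
    ForwardRule("udp", 500, "192.168.1.254"),
    ForwardRule("udp", 4500, "192.168.1.254"),
    ForwardRule("tcp", 10000, "192.168.1.254"),  # note: no ESP rule at all
]
print("\n".join(findings(SAMPLE_RULES, "192.168.1.254")))
```

Feed it the real forward table (exported or copied from the upstream router's port-forwarding page) and the RV320's LAN address; anything other than "ok" is a rule to fix before touching the tunnel settings again.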
John, Business Consultant (Owner), commented:
Thanks for the update. I was happy to help and glad you found the issue.
Ray Valencia, IT Administrator, commented:
Hi Sir,

Can you help me regarding the Cisco RV320 Gateway to Gateway VPN setup?

I always get the error

[g2gips0]#7: [Tunnel Authorize Fail] malformed payload in packet

Hoping for your assistance

Thank you
John, Business Consultant (Owner), commented:
Ray - you should probably start a question of your own for this issue.

RV320 gateway to gateway setups do not present any specific issue and normally work.

Turn on Logging on both ends, try a connection and see what is creating the error.
