Cisco VPN :: How To Setup IPSec Tunnel - 2320 And RVS4000
Aug 6, 2011
I have succesfully config an IPSec VPN Tunnel by using a Router Scientific Atlanta Cisco 2320 and a RVS4000 4-Port Gigabit Security Router with VPN.On the site of Router Scientific Atlanta Cisco 2320 this is some info: [code] On the site of RVS4000 4-Port Gigabit Security Router with VPN this is some info: [code] Remember that you can not be on the same range of IP, I mean, you can not have 192.168.0.X if the remote network is on 192.168.0.X, you have to change some of the Routers.I show the configuration on Router Scientific Atlanta Cisco 2320: I show the configuration on RVS4000 4-Port Gigabit Security Router with VPN:If all is correctly configured, you should see on Router Scientific Atlanta Cisco 2320 the Status Connected:
If all is correctly configured, you should see on RVS4000 4-Port Gigabit Security Router with VPN the Status Up.As you can see, I'm connected to the remote Router (RVS4000 4-Port Gigabit Security Router with VPN) by my own web browser accesing by the local IP 192.168.0.10.I have used Authentication MD5, maybe is not the best one but I had no time to test SHA1, I will when I will have time.
I recently purchased a RVS 4000 (firmware V2.0.0.3) and am having some issues creating a second (third...fourth?) IPSec VPN Tunnel. The first one is up and running just fine. On the VPN Summary screen it says [1 Tunnels Used 4 Tunnels Available].
When I go to configure the second tunnel, I select --New-- from the "Select Tunnel Entry" drop down and proceed to fill in all the connection information. When I click Save, it seems to be processing and after a few seconds just returns me to the same screen, with none of the information I just input and no connection created. No errors given.
I have another RVS4000 to connect at a different location which will require a similar setup, but don't want to do anything with it until I have the one mentioned above working fully.
I have a RVS4000 at one location and a second RVS4000 at home. I have established an IPSec VPN tunnel between them and it is UP. I can ping the routers from each end no problem. I can ping the IPs listed in the "Local Group Setup" and the "Remote Group Setup" from both ends no problem. I can even open up a shared resource from a Win 7 machine (e.g. by typing \10.10.10.100 in start-run from a computer on my home network).
But - i can't ping anything else on one network from the other. What gives? I need to access a 10.10.10.101 machine but can't even ping it.
- both RVS4000 boxes have latest firmware (V1.3.3.5) - home RVS4000 setup with IP 10.10.11.1 - home network has a server with IP 10.10.11.20 - other location RVS4000 setup with IP 10.10.10.1 - other location server setup with IP 10.10.10.100
Tunnel settings on home RVS4000 (the other location properly mirror these). - Local Security Gateway Type : IP Only - Local Security Group Type : Subnet [code]....
I'm trying to set up a VPN tunnel between a Linux machine and a RVS4000 at a remote site (served via satellite connection). After many efforts, I finally succeeded (based on Openswan). However, while PINGing is OK, big packets (from the RVS4000 LAN to the Linux box) arrive corrupted.
I lowered the WAN MTU, with no success. What finally did the trick is to lower the MTU at the RVS4000 LAN interface. Since this is not possible via the Web I/F, I did it via telnet ("ifconfig eth0 mtu 1400"). However, this change is lost after router reboot. How can I make the LAN MTU setting permanent?
Can I have use a Gateway-to-Gateway IPSec tunnel whereby a user can surf the Internet using his local Internet connection and at the same time connect through the IPSec tunnel to a remote subnet using RVS4000 routers?
Is there any way to setup an IPSEC tunnel to be able to go from my subnet, 192.168.75.x and be able to reach anything on the other side of the tunnel, 192.168.X.X?
how to setup a both ends of an IPSEC VPN tunnel using a software client such as shrewsoft vpn and an 800 series router?
I've tried following the instructions on cisco's site, but I don't really understand which interface I should use? Dialer, VLAN1 or UnNumbered to a Loopback?
I'm OK with most basic features of the router, but never had any luck with VPNs?
We are setting up an old office building as an offsite data center. The network cosists on a PIX 501 firewall and a 2811 router. I am attempting to setup a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices. The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well. The default route is to use the ASA. We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515. Right now I am not able to get the tunnel setup. It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls. I will show the output of that command below.
Main Office The external address 198.40.227.50. The loopback address 10.254.10.6 The tunnel address 10.2.60.1 Offsite Datacenter The external address 198.40.254.178 The loopback address 10.254.60.6 The tunnel address 10.2.60.2
The main office PIX515 Config :
PIX Version 7.2(2) ! interface Ethernet0 mac-address 5475.d0ba.5012 nameif outside security-level 0 ip address 198.40.227.50 255.255.255.240
i'm using an rv220W and i whant to know if is it possible to assign vpn traffic to a vlan when i setup an ipsec tunnel?
example: Im using different vlans on my rv220W. Vlan 10: engineers (ex: 192.168.1.0/27) no intervlan routing Vlan20: sales (ex: 10.0.123.0/24) no intervlan routing
This is what i need: - An engineer is on the road and when he makes a ipsec vpn connection => assignd to the vlan "engineers" so he can access the server/pc's in that vlan.and when someone from the sales group starts a vpn connection he needs to be in the vlan "sales" so he can access his pc/data,...
I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?
I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
What would be the correct Configuration? the current configuration I am using is
in the RV042 i am using
Check Enable Local Group Setup Local Security Gateway Type : IP Only IP Address : RV042 Pulbic IP address
I am having all sorts of trouble connecting a Cisco RVS4000 to a Cisco ASA5505 over IPSec... I have used the "site to site" vpn wizard, I have a fress "factory reset" on my asa 5505...
I'm replacing my RVS4000 with the RV180 but having VPN connection issues with the RV180. Let me know the VPN tunnels work perfectly fine on the RVS4000.I have configured my RV180 for 3 VPN tunnels. My ISP is Comcast (cable) Business class with a Static IP. First VPN tunnel is to another Comcast ISP and the VPN works flawlessly - connects immediately.Second VPN Tunnel is to Business class ISP (Verizon-NJ) and VPN will NOT connect.Third VPN Tunnel is to Business class ISP (Cox Network-VA) and VPN will NOT connect.I had opened both the RVS4000 and RV180 up on a browser and both settings from the units were idential. I reconnect the RVS4000, VPN tunnels work great, I unplug and reconnect the RV180, the Comcast VPN works, but the other two do not.From what the log is saying "[IKE] WARNING: no phase2 found" and the other says "[IKE] ERROR: remote identifier not found". It has to be something with the RV180 that I'm missing or possibly configuring incorrectly.
In an established IPSec VPN between a RVS4000 and IOS (2801), everything works great (RDP / UNC File Share / HTTP) - with the exception of SMTP and HTTPS.I can do pretty much everything over the tunnel that I need, except attempting to send anything over port 25 or 443, it's getting destroyed in the tunnel.I've completely disabled the firewall in the RVS4000 and on the IOS side, I just have an extended access list that permits the entire IP protocol. The tunnel works fine, as mentioned above, and stays up with no issues.
My RVS4000 router freezes up when a lot of data is being pushed through the Ipsec tunnel. Let me explain in detail.
On physical location A, I have an RVS4000 router (with IP 192.168.3.1) which is permanently connected with a WRVS4400 router (with IP 192.168.1.1) on physical location B. The Ipsec tunnel has been configured using the Easy Setup Wizard of Cisco and has been working fine and stable for months. Both routers have another Ipsec tunnel with another WRVS4400 router (with IP 192.168.2.1) on physical location C, but this router does not play a role in the problem below.Recently, I’m trying to set up a remote backup service between physical location A and B using “rsync”, which uses port 873. Due to the Ipsec/VPN tunnel, I could configure rsync to move the backup files from our NAS on location A (NAS has IP 192.168.1.2) directly to location B (NAS has IP 192.168.3.2). Both NAS-devices are of the brand Synology (DS211J). The Ipsec tunnel guarantees that the data is coded and thus secure.
However, when pushing the first batch of data, I noticed that the router on the receiving end (RVS4000) freezes up after approx. 1,5h after the batch has started, which is after approx. 1 gigabyte of data has been transmitted. The connection with the WAN is lost, also the VPN-tunnel is not working, I cannot ping the device or reach its configuration pages (on 192.168.3.1), the only option is unplugging it and letting it reboot. I’m thinking the router cannot deal with the huge amount of data that needs to be decoded. I tried 5/6 times, with always the same result (timing / amount of data pushed through before router freezes varies slightly).
We have used two Cisco RVS4000 to create the IPSec VPN between the main office and the branch office. The main office has SBS 2008. There is a Windows Server 2008 as the domain controller in the branch office. One branch office user has a laptop which is not in the domain, but his exchange account is set up in the Outlook. When he connects the laptop to the branch office network, he cannot connect to the exchange server and get the emails. Is there any configuration to set up in the router, server or Outlook?
I have a side client who's recently upgraded their internet service from a single T1 to a 100mb fiber line. TW Telecom brought the fiber line into their building and run it through a Cisco 3400 which hands it off to TW Telecom's Adtran 4430. If I take my laptop and assign it the appropriate IP and subnet and plug straight into the Adtran I get close to full speeds so I can rule out the ISP (I think).
It comes out of the Adtran to a Cisco RVS4000 setup as a gateway and then feeds off to a Cisco SG200-50 and Cisco 248G switches. Anything from the RVS4000 and beyond on the customer side will only receive a quarter of the speeds I get if I plug straight to the Adtran. I talked to the tech from TW Telecom and they have confirmed the Adtran is hard coded for 1GB Full Duplex speeds so I'm going to assume the RVS4000 needs to match that. I'm not 100% sure on how to make sure the RVS4000 is set to that. In the Admin GUI for the RVS I've gone under the L2 Switch Port Settings and set them to match the Adtran but it makes no difference.
I'm getting some sort of port duplex conflict and need to figure out where to make adjustments.
I am getting ready to setup an RVS4000 so we can use the VPN functionality of it, but I am not quite sure of the correct way to integrate it into our network though. I do not need site to site, just the client portion of it for a few salesmen/off site people to use. I have never used or setup a VPN before, so I'm learning everything as I go along.
We are in the middle of switching our ISP and I am waiting to set this up until the new service is live so I can test it prior to moving the rest of the company to the new ISP.
We are switching to Comcast, and will have 5 static IP's available to use. Currently, the firewall does all our NAT and is the forward facing device on our network. I would like to leave the firewall in place (although I am setting up a new firewall for the new internet connection) and have th RVS 4000 sit behind it and receive VPN traffic from a WAN to LAN rule We currently have a 192.168.100.0/24 network.
Do I need to setup another /24 network for the VPN to function behind (and still have access to the 100.X network), or is there a way to allow everyone who connects to receive a 100.X ip address from our DHCP server. I'm not sure how to set everything up with the WAN/LAN connections on the RVS4000 to acheive this.
We are running a domain on a 2008R2 server. The clients will be using laptops that are already part of the domain, if that will make a difference.
I have a Cisco RVS400 router at my restaurant. In lan ports 1-3 on the router, I have plugged in my point-of-sale computers.Into LAN port 4 I have plugged my wireless access point that is in my dining room.
The wireless access is there ONLY for the customers to access the internet. I want to make sure the customers cannot access my company data, can this be accomplished through the use of VLANs ? If so, how do I do this? All of my devices are configured for dhcp..if that's relevant.
I just purchased a RVS4000 after chatting with a Cisco rep. I want to set up a router at my office (RVS4000) that I can connect to from virtually anywhere with my iPad, log into a server on my network and run a Remote Desktop service. The Cisco rep. told me that the RVS4000 was exactly what I needed. So here is what I've done so far:
iPad(192.168.2.67)-->192.168.2.1(wirless router)-->Internet-->RVS4000-->(192.168.1.1)-->\Server(192.168.1.33) On the RSV4000 VPN tab IPSec VPN: Tunnel name: Office Local Security Type: IP only
- Ipsec tunnell between two 881's - An Aruba access point trying to set up a tunnell back to controller through the ipsec tunnell, on udp 4500 - Even though traffic shouldn't be NAT'ed (and other traffic is not), udp 4500 is NAT'ed
I guess this might be default behaviour, thing is that it used to work when it was set up as a route based easy vpn.
I have a RVS4000 and I am going to configure vlan in the near future. Among all other configurations sent by the internet provider company is this one :
Firewall NAT : from x.x.2.0/24 to 0.0.0.0/24 should be NAT from x.x.2.0/24 to x.x.0.0/21 should not be NAT
From all the other configurations, this one is not clear to me. Can this configuration be done on a RVS4000 and where can it be done.
We have a Cisco 2820 that serves as a hub and our spokes are Cisco 871s. Its been working for a while and for some reason last week. Http and https traffic over the tunnel is having connection issues. I can Remote desktop or PCanywhere into the remote PCs. From that PC I can ping internal IP address or IP of the webmail server or internal webserver with no issue. But if I access it over the browser it times out or it will work and stop working again. Basically ica, icmp, pcanythere, rdp traffic works over the tunnel but not http or https.
can I force an IPSEC L2L tunnel to use NAT-T encapsulation no matter what? Automatic detection says none of the endpoints are behind NAT. I know I can disable it by the "crypto map XXX set nat-t-disable" command, but I want the exact opposite.
I have a very strange issue where asynchronos routing is making my life as a technician very hard.
A side question; Can I do something about an ISP that is policy-base-routing its ESP traffic (and/or translating it)?
I'm attempting to configure a tunnel on a PIX-501 version 6.3. It's an old device that's due to be replaced soon, but unfortunately we need a tunnel now... I have been using this document as a reference (6211): URL ,The remote end is a sonicwall.
The problem seems to be that the pix never sees the interesting traffic for the tunnel, and never tries to initiate a connection. I have enabled crypto ipsec and crypto isakmp debugs, but no data is ever displayed, even when attempting to access a device on the remote side of the tunnel! Someone had tried to set up this device with some tunnels in the past, but was never successful, so I'm thinking there might be remaining commands in the running-config causing problems.
configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office.
I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel. What I wanted to do was create another vlan, give this a different subnet. Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
[URL]
So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work. I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside) The configuration can be seen below for the NAT part;
! Denies vpn interesting traffic but permits all otherip access-list extended NAT-Trafficdeny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255deny ip 172.19.191.0 0.0.0.255 192.168.128.0
I have a home network with an Actiontec Q1000 providing me 20 meg down and 5 meg up speeds. The DSL modem supports DHCP, DMZ, port forwarding, application forwarding, filtering, etc. I have an existing network 192.168.0.x that uses a combination of DHCP and static IP addresses for printers, scanners, and servers.I just purchased a RVS4000 and configured its LAN port to accept a DHCP address. It received the .26 address. I set up application and port forwarding so all VPN traffic goes to this address. I also put the router in the DMZ and turned off all firewalls.On the LAN side of the RVS4000 I use the 192.168.1.x address and have the 4000 provide DHCP addresses. I have a PC connected to the LAN port and it has the address of 1.100. I am able to use TeamViewer to connect to this through the internet and I can also access the devices on the Actiontec network from the PC connected to the 4000.I set up the VPN as best I could while going through appendix B of the admin guide. When I am at a remote location and use the QuickVPN client to access the 4000 I get the message, "The remote gateway is not responding. Do you want to wait?'. When I look at the log everything looks good except I get the following error:
[WARNING]Failed to ping remote VPN Router!
I am unable to get a DHCP address for my remote PC and am unable to ping any device on either network. What do I have configured wrong that this is not working?I only purchased this so I can use the VPN. Is the VPN established on the Actiontec LAN or on the RVS4000 LAN side? I am obviously connecting to the 4000 but am just not getting an address so I can not use my home office network for all my communications.
We share a common fibre connection to the internet. In the basement we have a modem/router(zyxel) which is in "bridge mode". Therefore not acting as DHCP.Behind this zyxel we have a Cisco RVS4000 router. Ports 1 and 2 go to family A, and Ports 3 and 4 go to family B.Family A and B have separate routers which are both set to "access point mode". Family A has an ASUS RT-N66U router while family B has a dlink DIR-615. The asus has an "access point mode" while the dlink needs to be set up manually to achieve this. The dlink must also have a static IP adress. The asus can receive ip adress.
I have been struggling for a few days with getting site-to-site traffic working across a L2L IPSec tunnel. At this point, I have the tunnel up, and I see packets being decrypted on the correct IPSec SA's when I ping from a local network computer on the ASA side to a local network computer on the router side. I cannot ping from one side to the other, but those packets are getting through. We have another L2L tunnel that is from that ASA to another remote site's ASA, and that is functional. I have mirrored the configuration for ACLs, etc. from that site, so I believe that the issue is with the packets getting incorrectly translated by the NAT/NONAT statements/ACLs on the router side.
since a few days I'm trying to solve a problem. I've successfully established an IPSec tunnel between two local LANs. In the main office I'm working with a ASA5510 CLI 8.4 and a static public IP address. The branches are using different Cisco 8xx routers and dynamic public IP address. The following picture shows the current configuration:As I mentioned an IPSec Tunnel between the main office "Intern"-LAN 192.168.1.0/24 and an outside LAN 10.10.0.0/24 is successfully established. Now there is a new intern "Admin"-LAN 192.168.2.0/24 at the main office. The users from the outside LAN 10.10.0.0/24 need the possibility to reach this new intern "Admin"-LAN.Can I simply route the traffic from 10.10.0.0/24 to 192.168.2.0/24 via the existing IPSec-Tunnel? Or need I a new IPSec tunnel between the outside 10.10.0.0/24 LAN and the new "Admin"-LAN 192.168.2.0/24?
