
Few problems with VPN (RV042)

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by JarekG, Jun 23, 2008.

  1. JarekG

    JarekG Addicted to LI Member

    Hi.
    I need to make a VPN connection from one location to another. Before I do it I would like to simulate that kind of connection in my LAN, but the VPN doesn't work exactly as I would like it to.
    First of all I configured two devices, first of them has got an IP address 192.168.1.251/24 with gateway 192.168.1.1 (for normal internet access), and the second WAN is used for the VPN connection. The second one has address 10.0.0.10/24 with gateway 10.0.0.10. LAN address used here is 192.168.10.0/24, router has 192.168.1.1.
    The second router has got just only one used connection so the first WAN is used for VPN and has got an address 10.0.0.20/24 with gateway 10.0.0.10 (just only for tests). For LAN it is 192.168.20.0/24 and the router has 192.168.20.1. The VPN connected perfectly, but it doesn't want to work. I disabled firewalls to be sure that there is nothing blocked. So... I connected two PCs. One to the first VPN and the second to the second one. The PCs don't want to "see" each other. I tried to ping and got a message from the second VPN that "Destination network is unreachable". From the first VPN I had a message that the time limit has been exceeded.
    If I try to ping the PCs from the router interface I have 4 replies on 4 sends (4/4).
    The question is why? What is wrong that the PCs cannot ping each other?

    There is one more problem. When I try to ping anything on the Internet from the first VPN I have strange responses like e.g. 2 responses with delay times, and 2 that the destination network is unreachable. I think that somewhere there is a problem with the routing table and the algorithm which makes the dual-WAN connection is lost somewhere and doesn't know which path the packet should be sent on. But how to fix it?

    But... finally I need to run it on the one WAN connection and the VPN will go through the Internet directly. I don't want to do something like above where the second VPN has its default gateway on the interface of the first router. But I'm afraid that if my simulation now doesn't want to work for me (to ping one side from the other side), I will have a problem in the near future when I try to make it work. The worst thing (or not) is that on everything here Active Directory will need to be running and I'm afraid that I will need to .

    I would like to ask you for any advice to help me find a solution.
     
  2. Sfor

    Sfor Network Guru Member

    Your network construction and router settings description is too unclear for me. Could you describe it in some other way?

    Perhaps something like that would be a better way to describe the situation.

    First router:
    WAN1: 192.168.1.251/24 gateway: 192.168.1.1
    WAN2:
    LAN:

    Second router:
    WAN1: 10.0.0.10/24 gateway: 10.0.0.10 (This setting does not make sense. It should not work)
    WAN2:
    LAN:
     
  3. JarekG

    JarekG Addicted to LI Member

    First router:
    WAN1: 10.0.0.10/24 gateway: 10.0.0.10
    WAN2: 192.168.1.251, gateway: 192.168.1.1
    LAN: 192.168.10.1/24

    Second router:
    WAN1: 10.0.0.20/24 gateway: 10.0.0.10
    WAN2: not used
    LAN: 192.168.20.1/24

    VPN is gateway to gateway.

    Ping from the gateways comes into the internal networks (LANs), ping from the second LAN stays at the gateways (that's why it says destination network is unreachable), and ping from the first LAN gives a message that the time limit has been exceeded.

    The IP addresses were only used to simulate the network connection and simulate the VPN. I will need to run a VPN in the near future and I wanted to test it on my own in my office, but I don't want to work.

    I know my situation is imagined, but the question is if I use normal - real - IP addresses and connect the devices into a normal - real - WAN, then should I have any problems with the networks pinging each other or not?
     
  4. Sfor

    Sfor Network Guru Member

    I do not know how the routers are connected. I have to assume both routers' WAN1 and WAN2 ports are connected to the same LAN. In such a case only a connection through the WAN1 ports seems to be possible, as WAN2 of the first router is in a different subnet.

    I will assume the LAN devices you are pinging are in the 192.168.1.x LAN. In such a case only the first router will have the access to them through the WAN2 port.

    Also it would be logical to change the first router WAN1 to 10.0.0.10/24 gateway: 10.0.0.20. However it should not make a difference in case of a VPN connection.
     
  5. JarekG

    JarekG Addicted to LI Member

    The routers are connected to each other by WAN1, and the first of them has my LAN connected to WAN2 (to have Internet access).

    As for the configuration shown above, let me call the first part of the configuration "ROUTER A" and the second "ROUTER B".
    I'm not pinging IPs from 192.168.1.x, just from 192.168.10.x to 192.168.20.x and the other way round. The reply messages I wrote above. The 192.168.1.x network simulates backup internet access, and router A WAN1 and router B WAN1 are connected directly and simulate a normal VPN channel in the Internet (it doesn't matter what kind of addresses I use - it's just only for tests). In the near future I will need to do the same but in the normal Internet network, so now I need to simulate some things.

    Yes, I did it before, but I don't know why, my logical thinking also told me that kind of settings should be OK, but when I changed the gateways I couldn't establish the VPN connection (stupid, huh?).

    The question is... if I am connected to the normal Internet network with normal routing protocols, with normal rules, normal bandwidth and many other normal things, then should the VPNs work without a problem or not? I cannot simulate now the simple thing which normally exists in the Internet... IPS gateways.

    So... normally shall my configuration work or not?
     
  6. Sfor

    Sfor Network Guru Member

    I think the next problem is the VPN tunnel settings. The local security group of one router should be the same as the remote security group in the other one.

    Could you provide the settings you have used in the tunnel config screen?
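
A sketch of the mirror check Sfor describes, together with his earlier remark about the 10.0.0.10 gateway, as an added example that is not part of the thread. The addresses are the ones posted above; the security-group and remote-gateway values are assumptions, since the thread never shows the tunnel screens, and the dictionary keys are hypothetical names, not an RV042 export format.

```python
import ipaddress

# Constructed from the addresses posted in the thread. The group and
# remote_gateway values are assumed; the tunnel screens were never posted.
ROUTER_A = {
    "wan_ip": "10.0.0.10/24", "wan_gw": "10.0.0.10",
    "local_group": "192.168.10.0/24", "remote_group": "192.168.20.0/24",
    "remote_gateway": "10.0.0.20",
}
ROUTER_B = {
    "wan_ip": "10.0.0.20/24", "wan_gw": "10.0.0.10",
    "local_group": "192.168.20.0/24", "remote_group": "192.168.10.0/24",
    "remote_gateway": "10.0.0.10",
}

def check_wan(name, r):
    """Flag a default gateway that is off-subnet or the router's own address."""
    problems = []
    iface = ipaddress.ip_interface(r["wan_ip"])
    gw = ipaddress.ip_address(r["wan_gw"])
    if gw not in iface.network:
        problems.append(f"{name}: gateway {gw} is outside {iface.network}")
    if gw == iface.ip:
        problems.append(f"{name}: gateway {gw} is the router's own WAN address")
    return problems

def check_tunnel(a, b):
    """Check that the two ends of a gateway-to-gateway tunnel mirror each other."""
    problems = []
    net = lambda s: ipaddress.ip_network(s, strict=False)
    for x, y, xn, yn in ((a, b, "A", "B"), (b, a, "B", "A")):
        # One side's local group must equal the other side's remote group.
        if net(x["local_group"]) != net(y["remote_group"]):
            problems.append(f"{xn} local group {x['local_group']} != "
                            f"{yn} remote group {y['remote_group']}")
        peer_ip = ipaddress.ip_interface(y["wan_ip"]).ip
        if ipaddress.ip_address(x["remote_gateway"]) != peer_ip:
            problems.append(f"{xn} remote gateway {x['remote_gateway']} "
                            f"!= {yn} WAN address {peer_ip}")
    if net(a["local_group"]).overlaps(net(b["local_group"])):
        problems.append("local groups of A and B overlap")
    return problems

def audit(a, b):
    return check_wan("A", a) + check_wan("B", b) + check_tunnel(a, b)

if __name__ == "__main__":
    for line in audit(ROUTER_A, ROUTER_B) or ["no problems found"]:
        print(line)
```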
     
  7. Toxic

    Toxic Administrator Staff Member

    I take it your Access Rules are default on both RV042a?
     
  8. Toxic

    Toxic Administrator Staff Member

    I take it your Access Rules are default on both the RV042s?
     
  9. JarekG

    JarekG Addicted to LI Member

    Exactly the same. If you meant in the firewall of course, but then the access rules are disabled because I disabled the firewall also on both devices.


    Local security group. If you meant local security as Phase 1 and 2 DH Group, so yes... they are the same on both devices.

    The screen from one router is in the attachment. The second one is exactly the same but the IP addressing is changed (it's normal).
     

    Attached Files:

  10. Sfor

    Sfor Network Guru Member

    On the VPN-Summary screen there are Local Group and Remote Group settings visible. Can you post them here?
     
  11. JarekG

    JarekG Addicted to LI Member

    Posted above in detail. I hope it is not a problem for you if I pasted it from the VPN configuration, not from the VPN summary?
     
  12. Sfor

    Sfor Network Guru Member

    Yes, it seems to be correct. But I do not know which router it is, as the other one should have a bit different settings.

    Also, I meant the Local Security Group and Remote Security Group settings from the Local Group Setup and Remote Group Setup sections. The Phase 1 and 2 DH Group is not what I meant.
     
  13. JarekG

    JarekG Addicted to LI Member

    It has different settings. I wrote above that the second router has the same configuration but only the IP addresses are different.

    Can you tell me where I find the sections you wrote about? It seems to me I don't have that section on my RV042 :( :O.
     
  14. Sfor

    Sfor Network Guru Member

    There are Local Group Setup, Remote Group Setup and IPSec Setup section markings on the left grey column visible on the image you have posted.
     
