multiple site to site VPN with RV042's

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by TLS_wouter, Jul 25, 2014.

  1. TLS_wouter

    TLS_wouter Reformed Router Member

    Hi, I recently started working with amazon aws for running a (UPS) monitoring application.

    For the moment I have several VPN tunnels from my office going to customer sites, and these would have to be migrated to the cloud based system. However I noticed that continuous VPN tunnels are expensive (0.05$/hr), so ~400 dollars per year for a single tunnel.

    So I want to concentrate the tunnels at my office, and connect via a single tunnel to AWS.
    so AWS-VPN (255.255.0.0 subnet) --> office router RV042 (255.255.0.0 subnet) --> field devices (255.255.255.0 subnet)

    I read a number of posts, and with RV042 the only possibility for 'spoke to spoke' communication is working via a 255.255.0.0 subnet at the hub, and 255.255.255.0 subnets at the spokes.
    Detailed explanation from someone with more IT knowledge:
    http://www.dslreports.com/forum/r24970644-Complex-VPN-Configuration-with-multiple-Linksys-RV042

    Is this the way to go? Or are there better ways? Thank you
     
  2. Sfor

    Sfor Network Guru Member

    Apparently I do not get the idea. It is not possible to route traffic if the field devices are in the main office address range. I do believe there was some sort of misunderstanding in the thread you mentioned. Perhaps the trick was meant for another brand of VPN routers, as RV0xx will not allow any conflict between VPN tunnel address ranges.

    In any case, the RV0xx series is unable to route traffic between VPN tunnels. The only exception is the PPTP service. So, in the case of a star shaped network with the main office in the center, the branches are unable to communicate with one another.

    The way around this is to open a PPTP tunnel to the main office router, getting an IP in the main office address pool and getting access to the whole network, or to use a proxy server in the main office. Recently I started to use PPTP connections through G2G IPSec VPN tunnels, as PPTP security is not a strong one.
     
    Last edited: Jul 27, 2014
  3. dziny

    dziny Reformed Router Member

    This is wrong. I have 4 openvpn connections from one place to 4 remote places. Each place has its own subnet 192.168.x.0/24 and the main office is simultaneously connected to all 4 subnets via openvpn.
    The branches can ping each other. The trick is that the router at each of the 4 remote places has a manually configured static routing table (in tomato this is under Advanced/Routing). Here the router is given the information that in order to connect to the 192.168.y.0/24 network (x different from y) it must use gateway 192.168.x.4, where 192.168.x.4 is the ip address of the openvpn tunnel to the main office. In this setup the computer in the main office has 4 openvpn tunnels with ip addresses 192.168.x.4 for all different values of "x".
     
  4. Sfor

    Sfor Network Guru Member

    Well. I assumed both the branches and the main office are using RV042. Your solution does not seem to use the RV042 VPN ability I was talking about. As far as I understand your solution, the VPN tunnels are made with a computer in the main office. The problem with RV042 VPN to VPN routing is when the traffic arrives through a VPN tunnel made with the RV042 acting as a VPN server. In such a case the traffic is not processed through the RV042 firewall, and is not routed back through another VPN on the same router. That's what the Linksys support crew told me. If the RV042 VPN is not being used, then the RV042 acts as any plain router without VPN functions and everything becomes possible with an additional server.
     
  5. TLS_wouter

    TLS_wouter Reformed Router Member

    The branches and office range don't have conflicting IP ranges.
    eg: head office 192.168.1.X (255.255.255.0 subnet)
    branch 1: 192.168.2.X
    branch 3: 192.168.3.X

    In the vpn tunnel setup:
    tunnel 1 head office: local 192.168.X.X (subnet 255.255.0.0); remote 192.168.2.X (subnet 255.255.255.0)
    tunnel 2 head office: local 192.168.X.X (subnet 255.255.0.0); remote 192.168.3.X (subnet 255.255.255.0)

    with this setup the guy from the linked thread claims the two branches can communicate, so the 192.168.2.X can talk to 192.168.3.X.

    Basically, from the standpoint of the branches, the range of the other branches is part of the head-office range (255.255.0.0 subnet for VPN), and therefore they can communicate...
     
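The hub-and-spoke setup from the post above, as an added model (not code from the thread or from Cisco): it uses the addresses TLS_wouter lists, treats each tunnel as a generic policy-based IPsec selector pair, and takes a flag for whether the hub forwards traffic from one tunnel into another, which is the behaviour Sfor says the RV0xx does not do.

```python
"""Model of the branch -> head office -> branch path described in the thread.
Addresses are taken from the post; the forwarding rules are a generic
policy-based IPsec model, not RV042 firmware behaviour."""
from ipaddress import ip_address, ip_network

HUB_LOCAL = ip_network("192.168.0.0/16")       # head office "local" selector
HUB_TUNNELS = {                                 # hub-side remote selectors
    "tunnel1": ip_network("192.168.2.0/24"),
    "tunnel2": ip_network("192.168.3.0/24"),
}
BRANCH_LAN = {                                  # each spoke's own LAN
    "branch1": ip_network("192.168.2.0/24"),
    "branch2": ip_network("192.168.3.0/24"),
}


def selector_overlaps(local, remotes):
    """Remote selectors that overlap the local one, i.e. the 'conflict' Sfor
    mentions. The /16 local range deliberately covers both branch /24s."""
    return sorted(name for name, net in remotes.items() if local.overlaps(net))


def hub_path(src_ip, dst_ip, hub_forwards_between_tunnels):
    """Hop list for a packet from a branch host to dst_ip.
    The flag models whether the hub sends traffic that arrived on one
    tunnel back out through another tunnel on the same router."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    src_branch = next((b for b, n in BRANCH_LAN.items() if src in n), None)
    if src_branch is None:
        raise ValueError("source is not on a known branch LAN")
    if dst in BRANCH_LAN[src_branch]:
        return [src_branch]                     # local LAN, never tunnelled
    # Spoke: its single tunnel's remote selector is the hub's /16, so every
    # other 192.168.0.0/16 destination (other spokes included) is tunnelled.
    if dst not in HUB_LOCAL:
        return [src_branch, "no-route"]
    # Hub: choose the tunnel whose remote selector matches; longest prefix wins.
    matches = sorted((net.prefixlen, name)
                     for name, net in HUB_TUNNELS.items() if dst in net)
    if not matches:
        return [src_branch, "hub", "head-office-lan"]
    if not hub_forwards_between_tunnels:
        return [src_branch, "hub", "dropped"]   # tunnel-to-tunnel not hairpinned
    return [src_branch, "hub", matches[-1][1]]
```

Running `hub_path("192.168.2.10", "192.168.3.20", False)` reproduces the isolation Sfor describes, while the same call with `True` shows the branch-to-branch path the linked thread claims.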
  6. Sfor

    Sfor Network Guru Member

    I've checked, the RV082 lets you enter a conflicting range in the VPN tunnel setup. It complains about it, but the tunnel is created on the cancel button. I did not test the actual VPN connection or the ability of the RV0xx series to route the traffic between two tunnels made with it. I was just told it is not possible by the Linksys support crew.
     
  7. TLS_wouter

    TLS_wouter Reformed Router Member

    One of the coming days I'll test the tunnels and post my findings.

    Sfor, from what I understand RV series routers are not ideal for branch to branch communication via head-office. Are there other small routers more fit for what I'm trying to do?
     
  8. Sfor

    Sfor Network Guru Member

    I do not know if there is a better choice. In my case the branch isolation is desired. According to my research it is difficult to find something better in the same price range when dual WAN is necessary.
     