
Multiple Subnets allowed on IPSec VPN Tunnel

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by korey531, Sep 28, 2006.

  1. korey531

    korey531 LI Guru Member

    I have a Linksys RV082 router and I need to create an IPSec tunnel that multiple subnets can access:

    {RV082}
    192.168.169.0/28
    |
    [Cisco 2811 Router] - [RV082]
    192.168.168.0/24 192.168.101.0/24

    I need the Cisco subnets 192.168.168.0 and 192.168.101.0 to access the remote 192.168.169.0 subnet. The Cisco handles this via ACLs, and I have an older Netopia router that allows this that I want to replace with the RV082 if I can get this feature to work.

    Are there any workarounds or plans for this feature to be implemented?

    Thanks,

    Korey
     
  2. pablito

    pablito Network Guru Member

    Agreed. I brought this up in the beta topic. The GUI insists that a subnet is in conflict although IPSEC says we can do it this way. I think that if the error trap on the RV compares both ends of the tunnel and only errors out if both subnets conflict, it will work.

    An ugly workaround is an inclusive subnet config (/17) that can run on one tunnel.

    I think this will get looked at in the next beta.
     
  3. Toxic

    Toxic Administrator Staff Member

    really?
     
  4. pablito

    pablito Network Guru Member

    I hope so.

    It won't?
     
  5. korey531

    korey531 LI Guru Member

    Is this the best place to submit a Feature Request?

    Toxic,

    Where can I submit a formal Feature Request? This feature is very common and I was sadly disappointed that a brand new router does not support it.

    The workaround of allowing a huge subnet like 192.168.0.0/14 would only work for my example. I have also needed to allow customer networks access to specific nodes and was supplied with either a 10.x.x.x address or a public address.

    Thanks,

    Korey
     
  6. sterner

    sterner LI Guru Member

  7. korey531

    korey531 LI Guru Member

    This is only a work around

    Here is a real-world scenario that I would need to use it for:

    [RV082]
    LAN 192.168.169.0/24
    WAN <Public IP>
    |
    |
    [Cisco 2811]-------------[Netopia R910 Router]
    LAN 192.168.168.0/24 -- LAN 192.168.96.0/21
    WAN <Public IP>---------WAN <Public IP>
    |
    |
    [Sonic Firewall]
    LAN 10.1.1.0/24
    WAN <Public IP>

    The tunnel on the Cisco has an ACL allowing 192.168.168.0/24, 192.168.96.0/21, & 10.1.1.0.

    The Netopia router and the Sonic firewall both support this feature, but I can't make the RV082 work for this scenario.
     
  8. pablito

    pablito Network Guru Member

    ^^^
    new question: might it be possible to end point at the Cisco from the RV to two different WAN side IPs (it looks like you have multiple IPs)? Of course the return would default via the primary IP but maybe this would fool the RV into thinking it was a unique end point and as such work?

    That is similar to what we were thinking as a workaround for now. I can't test it either right now, but I tested making the entries. The RV still complains about an overlap but allows you to save it. That is better than refusing to save, as is the case with an optimum config of multiple tunnels to a single end point.

    I tested configs with the RV as a spoke and as the hub. This includes a config that could work with the original question. I can't run them to see if they will connect but I could at least create the config in ways that *might* work.
     
  9. sterner

    sterner LI Guru Member

    I was able to test a part of my network. I am able to create a VPN tunnel between the main office RV016 and my home BEFSX41 using 192.168.0.0/16. I noticed in the RV that when I only changed the mask, it changed the subnet for me after saving. The BEF doesn't. From the BEF LAN I am able to reach a T1 branch subnet that is behind the RV. I haven't tested a VPN subnet behind the RV yet.
     
  10. sterner

    sterner LI Guru Member

    I was able to change all VPN settings and now each branch can see each other thru the RV. Of course, so they can see the T1 branches, I have static routes set up in the RV to go thru the T1 router to get to those subnets.

    Korey, since you have 2 subnets on the same LAN, if only you could set up the LAN address of the RV to /16, maybe it would be able to see the Cisco router thru a static route to get to the other RV LAN through the VPN. The only problem is the RV series can't do anything other than a class C subnet for the LAN :frown1:
    Maybe Toxic can convince Linksys to make a change since these are supposed to be business class routers.
     
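The "inclusive subnet" workaround discussed in posts 2, 5, 9 and 10 trades one tunnel entry for a much wider traffic selector. The script below is an added example, not code from the thread or from Linksys: using only Python's standard ipaddress module, it computes the smallest single supernet that covers a set of local subnets and reports how much unintended address space that supernet pulls into the tunnel policy, including whether it swallows the remote side's subnet. The sample networks are the ones korey531 posted; the function names are my own.

```python
import ipaddress


def covering_supernet(subnets):
    """Smallest single CIDR block that contains every subnet in the list."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    candidate = nets[0]
    # Widen the prefix one bit at a time until every subnet fits inside it.
    while not all(n.subnet_of(candidate) for n in nets):
        if candidate.prefixlen == 0:
            break
        candidate = candidate.supernet(prefixlen_diff=1)
    return candidate


def unintended_ranges(supernet, subnets):
    """Address blocks inside the supernet that are NOT one of the intended subnets."""
    remaining = [supernet]
    for s in (ipaddress.ip_network(x, strict=False) for x in subnets):
        nxt = []
        for r in remaining:
            if s.subnet_of(r):
                nxt.extend(r.address_exclude(s))  # carve the intended block out
            elif r.subnet_of(s):
                pass  # block is entirely intended, drop it
            else:
                nxt.append(r)  # disjoint, keep as unintended
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def supernet_policy_report(local_subnets, remote_subnet):
    """Summarise what a one-supernet tunnel selector would actually permit."""
    supernet = covering_supernet(local_subnets)
    remote = ipaddress.ip_network(remote_subnet, strict=False)
    extra = unintended_ranges(supernet, local_subnets)
    return {
        "supernet": str(supernet),
        "overlaps_remote": remote.overlaps(supernet),
        "unintended_addresses": sum(r.num_addresses for r in extra),
        "unintended_ranges": [str(r) for r in extra],
    }


if __name__ == "__main__":
    # korey531's first scenario (constructed from the thread's own numbers)
    print(supernet_policy_report(["192.168.168.0/24", "192.168.101.0/24"],
                                 "192.168.169.0/28"))
```

Running it on the second scenario (192.168.168.0/24, 192.168.96.0/21 and 10.1.1.0/24) yields a 0.0.0.0/0 supernet, which shows why the workaround stops being usable once a 10.x.x.x or public customer range is involved.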
