1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

RV042 (VPN) behind RV042 site-to-site

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by fred3, Mar 19, 2007.

  1. fred3

    fred3 Network Guru Member

    I'm trying to set up an RV042-based site-to-stie VPN.
    Because of network configuration and constraints, I want to do this:

    LAN#1 / RV042#1(VPN) / RV042#3 / internet (fixed IP)
    |
    LAN#1 / Firewall NAT/


    |
    LAN#2 / RV042#2(VPN) / RV042#4 / internet (fixed IP)
    |
    LAN#2 / Firewall NAT/

    How would you recommend setting up the 2 cascaded RV042s at each site?

    Thanks
     
  2. ifican

    ifican Network Guru Member

    Im a little confused looking at the diagram, for clarification, are the RV's that are connected directly to the internet the ones you are creating the site-to-site vpn on? Or are you trying to make a site-to-site vpn with the ones that are living behind the internet routers?
     
  3. fred3

    fred3 Network Guru Member

    The ones behind the internet routers would be the VPN routers.
     
  4. pablito

    pablito Network Guru Member

    You could configure DMZ on each internet side RV to point to the internal RV's WAN. Then create the VPNs as normal but add NAT-T. I do something similar with RV08 and it works fine. Just be sure each internal RV has full firewall setup as they will catch the noise of attacks.
     
  5. fred3

    fred3 Network Guru Member

    You're suggesting that it won't work as shown. I have a similar situation that's working as follows (showing one end of the VPN):

    LAN#1 / Firewall / RV042 / internet
    | |
    /Cisco router VPN /

    In this case, the Cisco router is the VPN device and it passes through the RV042. The RV042 is configured to pass ports ESP 50 and IPSec 500 and Ping from a certain public IP address to the Cisco router and to pass ports ESP 50 and IPSec 500 and Ping from the Cisco router to the same certain public IP address. Everything else goes to the firewall.

    So, I see no reason why the Cisco router can't be replaced by an RV042 VPN device without using the DMZ port. Any thoughts?
     
  6. fred3

    fred3 Network Guru Member

    Darn - the "artwork" didn't come out.
    Here's another try:

    LAN#1 / Firewall_________/ "interim LAN" / RV042#A

    LAN#1 / Cisco VPN Router / "interim LAN" / RV042#A

    where LAN#1 is common to both the Firewall and the VPN router
    where "interim LAN" is common to both the Firewall and the VPN router
    and to the RV042#A.
    I hope that's clearer
     
  7. fred3

    fred3 Network Guru Member

    I looked and didn't find an explicit reference to NAT-T on the RV042.
    I take it that the NAT-T would be set up on the "outside" RV042 and not on the internal VPN end point RV042. Right?

    Thanks
     
  8. ifican

    ifican Network Guru Member

    Just a few things so moving forward everyone is on the same page. IPSEC is a combination of ike and esp/ah. Ike uses port 500 but esp uses protocol 50 which has no bearing on ports. Nat-T instead of allowing esp to be sent natively basically wraps the esp datagram in a udp header which allows it to parse a PAT. Really just a fancy way of saying that the packet gets wrapped in such a way that the router knows where to send the incoming esp packets by looking it up via its translation table. NAT-T will be initiated on the router that is terminating the tunnel, so in this case your internal RV's.

    Now back to getting this working. I have created tunnels close to that where where 1 routers was behind the isp connected nat'd router but the other end was the isp endpoint. What i believe is going to have to happen is a pablito has mentioned. You are going to have to run nat-t on both routers you want to be the vpn endpoint and run at minimal the "responder" on a dmz or 1-to-1 nat. Reason being is unless your internet facing routers have a translation that has alread been initiated on the inside for the incomming packet, it is not going to know where to send the information (hence the need for DMZ, which should be default send anything not in the translation table to the DMZ host).

    And to be honest even your last diagram is still a little confusing as it makes it look like both devices are on the same lan#1. Though i dont think that is the case it just looks that way.
     
  9. fred3

    fred3 Network Guru Member

    RV042 behind RV042

    Yes, both devices are on the LAN#1 as I tried to show.
    What I didn't show is that there's a router inside the LAN which is the gateway for all clients. It routes internet access to the firewall.

    All outgoing traffic internet traffic is routed to the firewall.
    except
    All outgoing VPN traffic is routed to the VPN device..
    All incoming traffic is routed to the firewall
    except
    All incoming VPN traffic from a specific IP, etc. is routed to the VPN device.

    I hope this helps....
     
  10. fred3

    fred3 Network Guru Member

    Found NAT-T setting

    I found it in the VPN Advanced Settings. OK.
     
  11. ifican

    ifican Network Guru Member

    Ok looking at the diagrams again, if you put both of the "VPN RV's" into the dmz of the RV that they are connected too and make sure you have NAT-T enabled on both VPN RV's I think it just might work.
     
  12. fred3

    fred3 Network Guru Member

    NAT-T on DMZ VPN device?

    I found the setting but ended up wondering:
    Why is NAT-T necessary to be enabled if the router for VPN temination is on another router's VPN port (all RV042)?

    Thanks,

    Fred
     
  13. fred3

    fred3 Network Guru Member

    oops. I meant to say "if the router for VPN is on another router's *DMZ* port!
     

Share This Page