
VPN tunnel GW2GW behind NAT

Discussion in 'Networking Issues' started by JonasSS, Aug 21, 2008.

    JonasSS (Addicted to LI Member)

    Hi all,

    I hope you are able to assist me in crunching a problem I have setting up a VPN Tunnel between a RV042 and a WRVS4400N.

    Setup is as follows:

    site 1 (WRVS4400N):
    public IP 90.xx.xx.169 <ISP router>192.168.1.1 - 192.168.1.100 <WRVS4400N>192.168.124.1

    site 2 (RV042):
    public IP 85.xx.xx.177 <ISP router>10.0.0.1 - 10.0.0.100 <RV042>192.168.123.1

    The ISP routers at both sites have port 500 (as far as I can figure, IPSEC only requires that port) forwarded to the respective router.

    I have tried many configurations, but I've settled on the following for the time being, which still gives me a few problems:

    please see attachments

    I have tried to set up the connections to match as much as possible, but since they use slightly different wording, I am not 100% sure that it is OK.

    Anyhow, the thing that makes me worry the most is in one of the LOGS:
    Code:
        no suitable connection for peer '10.0.0.100'
    It seems that the WRVS4400N cannot ignore the "inside" IP of the RV042.
    ... and finally I get to the questions:
    1. Does the RV042 have to be the "first" router so I avoid NAT for this to work correctly?
    2. Would it possibly be any help to set up the connection with an additional RV042 instead of the WRVS4400N?

    thanks in advance.

    ====
    edit:
    ====
    I realized that the screenshots I included aren't worth much, so here is the config in human readable form.
    Besides, I sort of figured it out. I now have a working config.


    Interface WAN1
    Enable 1
    Local Group Setup
    Local Security Gateway Type IP+ Domain Name (FQDN)
    Domain Name xxxxxxxxxxxx.cybercity.dk
    IP address 10.0.0.100
    Local Security Group Type Subnet
    IP address 192.168.123.0
    Subnet Mask 255.255.255.0
    Remote Group Setup
    Remote Security Gateway Type IP+ Domain Name (FQDN)
    Domain Name yyyyyyyyyyyyy.fullrate.dk
    Remote Security Group Type Subnet
    IP address 192.168.124.0
    Subnet Mask 255.255.255.0
    IPSec Setup
    Keying Mode IKE with Preshared Key
    Phase1 DH Group Group 1 (768-bit)
    Phase1 Encryption 3-DES
    Phase1 Authentication SHA-1
    Phase1 SA Life Time 28800 seconds
    Perfect Forward Secrecy 1
    Phase2 DH Group Group 1 (768-bit)
    Phase2 Encryption 3-DES
    Phase2 Authentication SHA-1
    Phase2 SA Life Time 3600 seconds
    Preshared Key xxxxxxxxx
    Advanced
    Aggressive mode 0
    Compress 0
    Keep-Alive 0
    AH Hash Algorithm 1 SHA-1
    NetBIOS broadcast 0
    NAT Traversal 0
    Dead Peer Detection (DPD) 1 10sec


    and the WRVS4400N:


    IPSec VPN Tunnel: Enable
    Local Group Setup
    Local Security Gateway Type: IP+ Domain Name (FQDN)
    Domain Name: yyyyyyyyyyyyyyy.fullrate.dk
    IP address: 192.168.1.100
    Local Security Group Type: Subnet
    IP Address: 192.168.124.0
    Subnet Mask: 255.255.255.0
    Remote Group Setup
    Remote Security Gateway Type: IP+ Domain Name (FQDN)
    Domain Name: xxxxxxxxxxxxxxx.cybercity.dk
    Remote Security Group Type: Subnet
    IP Address: 192.168.123.0
    Subnet Mask: 255.255.255.0
    IPSec Setup
    Keying Mode: IKE with Preshared Key
    Phase 1:
    Encryption: 3DES
    Authentication: SHA-1
    Group: Group 1 (768-bit)
    Key Life Time: 28800 Sekunder
    Phase 2:
    Encryption: 3DES
    Authentication: SHA-1
    Perfect Forward Secrecy: Enable
    Preshared Key: xxxxxxxxxxxxxxxxxxxxx
    Group: Group 1 (768-bit)
    Key Life Time: 3600 Sekunder
    Advanced
    Aggressive Mode 0
    NetBios Broadcast 0
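As an added example (not code from the thread or from Linksys), the check below takes the two gateway configs transcribed from the post and flags the behind-NAT pitfalls a practitioner would look at first: proposal mismatches between the peers, non-mirrored security groups, NAT Traversal state versus what the ISP routers forward, and weak phase-1 parameters. The WRVS4400N dump lists no NAT Traversal field, so it is assumed disabled here.

```python
import ipaddress

# Transcribed from the two config dumps in the post (key names normalised).
# Assumption: the WRVS4400N dump shows no NAT Traversal field, treated as off.
RV042 = {"gw_ip": "10.0.0.100", "local_net": "192.168.123.0/24",
         "remote_net": "192.168.124.0/24", "p1_enc": "3DES", "p1_auth": "SHA-1",
         "p1_dh": 1, "p1_life": 28800, "p2_enc": "3DES", "p2_auth": "SHA-1",
         "p2_dh": 1, "p2_life": 3600, "pfs": True, "aggressive": False,
         "nat_t": False}
WRVS4400N = dict(RV042, gw_ip="192.168.1.100", local_net="192.168.124.0/24",
                 remote_net="192.168.123.0/24")
FORWARDED_UDP = {500}   # per the post, both ISP routers forward only UDP 500

# IKE/IPsec proposal fields that must agree on both ends of the tunnel.
MUST_MATCH = ("p1_enc", "p1_auth", "p1_dh", "p1_life",
              "p2_enc", "p2_auth", "p2_dh", "p2_life", "pfs", "aggressive")


def check_tunnel(a, b, forwarded_udp):
    """Return a list of findings for a gateway-to-gateway IKEv1/IPsec pair."""
    findings = []
    for key in MUST_MATCH:
        if a[key] != b[key]:
            findings.append(f"mismatch {key}: {a[key]} vs {b[key]}")
    # Each side's local security group must be the other side's remote group.
    if a["local_net"] != b["remote_net"] or a["remote_net"] != b["local_net"]:
        findings.append("security groups are not mirrored between the peers")
    if ipaddress.ip_network(a["local_net"]).overlaps(
            ipaddress.ip_network(b["local_net"])):
        findings.append("local subnets overlap; traffic cannot be routed into the tunnel")
    # A private gateway address means the IPsec endpoint sits behind a NAT device.
    behind_nat = [c for c in (a, b) if ipaddress.ip_address(c["gw_ip"]).is_private]
    if behind_nat:
        if not (a["nat_t"] and b["nat_t"]):
            findings.append("peer behind NAT with NAT Traversal off: tunnel relies on "
                            "ESP (IP protocol 50) passthrough on the ISP routers")
        elif 4500 not in forwarded_udp:
            findings.append("NAT-T enabled but UDP 4500 is not forwarded")
    if 500 not in forwarded_udp:
        findings.append("UDP 500 (IKE) is not forwarded")
    if a["aggressive"] or b["aggressive"]:
        findings.append("aggressive mode exposes the PSK identity exchange; prefer main mode")
    if a["p1_dh"] < 14 or a["p1_enc"] == "3DES":
        findings.append("weak phase-1 crypto (DH group < 14 or 3DES); prefer AES and DH 14+")
    return findings


if __name__ == "__main__":
    for line in check_tunnel(RV042, WRVS4400N, FORWARDED_UDP):
        print("-", line)
```

Run against the thread's configs it reports only the NAT Traversal and weak-crypto findings, which matches the author's observation that the proposals themselves already agree.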