Discussion in 'Cisco Small Business Routers and VPN Solutions' started by SatisfiedUser, Jun 27, 2005.

  SatisfiedUser

    SatisfiedUser Network Guru Member

    Hey All, I've browsed around but haven't seen anything on this topic. Here at my company we are looking at slowly replacing some of our BEFVP41 (mixture of v1 and v2), spread out around Canada, with the RV series, but the one problem I've run into is that on the BEFVP41, when making an IPSec tunnel, you can specify the remote IP address as ANY, which is useful since we have some remote connections on dynamic IPs that we don't want to have to set up DynDNS with. But on the RV series this option seems to be gone; the log file mentions using an ANY setting but I can't seem to figure it out. Any thoughts on how I can set up an IPSec tunnel with a dynamic IP on one side?

  whocares

    whocares Network Guru Member

    You can actually use the option FQDN. I think this is better than ANY. You will have to register a domain name at DynDNS.org and you will be good to go.

  tuannd

    tuannd Network Guru Member

    For the remote side with a dynamic IP address choose:
    - Local Security Gateway: use Dynamic IP + E-Mail address -> and then type the E-Mail address you want to use for the key
    - Remote Security Gateway: use the static IP of the center site

    For the center side with a static IP address choose:
    - Remote Security Gateway: use Dynamic IP + E-Mail address -> and then type the same information as on the remote site
    - Local Security Gateway: use your static IP of the center site

    Hope it helps

    TuanND from VIETNAM

  SatisfiedUser

    SatisfiedUser Network Guru Member

    Registering FQDNs for each site isn't really an option for us; the lag time is a bit of a killer (even 15 minutes can cause us problems). Now, if I set the email key, what do I set on the remote side for the actual Pre-Shared Key? Do I make it the same as the e-mail address?

  Demonic

    Demonic Network Guru Member


    Is this RV to RV or IPSEC client to RV?

    If it's IPSEC client to RV, which client do you use?
  SatisfiedUser

    SatisfiedUser Network Guru Member

    It's RV to IPSec, either Windows XP or the old Linksys VPN router. I solved one problem: I found the e-mail auth. method involved setting a username, although I still can't figure out how that works in regards to having a Windows XP IPSec client (the built-in stuff).

  Bryanba

    Bryanba LI Guru Member


    Did you figure this out? I'm facing the same problem.. I'm replacing our BEF-VP41 with an RV042 and we have several remote BEF-SX41's that are using dynamic IPs... I discovered the "any" option is missing from the remote security gateway selection..

    I'd be more interested in the email method vs the DynDNS method if it works..

    Where do you enter the email address on the BEF-SX41?

  d__l

    d__l Network Guru Member

    Bryanba, on the SX41 you have to use Aggressive mode under the Advanced Setting button. Enter the email address in the box to the right of Aggressive mode. The email address becomes the USER_FQDN, which is the identifier for the remote user to the RV router. This works essentially the same as if the remote router were identified by a static IP. The RV must also be set to use Aggressive mode.

    The Pre-Shared Key is whatever you wish it to be and is not related to the email address.

    The FQDN identifier method apparently does not work between an RV (or at least an RV082) and the SX41. I think it may be limited to only operate between two RV082s.

  Bryanba

    Bryanba LI Guru Member

    Thanks Dave,

    So the email address goes in the UserName field on the advanced tab and the mode has to be set to aggressive?

  d__l

    d__l Network Guru Member

    Yes. Mode aggressive on both ends. Hopefully that should be all you need to modify on the SX41 for an RV042-SX41 VPN tunnel from your old settings on the VP41-SX41 tunnel. I'm making the assumption (perhaps unwarranted) that the RV042 works exactly the same as an RV082 as far as those settings are concerned.

    I converted an old SX41-SX41 tunnel to an RV082-SX41 tunnel just fine with those changes.

    Let us know how it works out. :)

  Bryanba

    Bryanba LI Guru Member

    It worked.. Thanks for everyone's help... :)

  HughR

    HughR LI Guru Member

    IPSec Aggressive Mode with preshared keys is not very secure. See http://www.ernw.de/download/pskattack.pdf

    If you are using PSK authentication from any address (i.e. one that isn't preconfigured), then you almost have to use Aggressive Mode. The reason is that the ID isn't transmitted early enough in Main Mode (Main Mode is the alternative to Aggressive Mode). (If you only have one PSK for all connections from unknown IPs, then you can use Main Mode, but that is usually an unacceptable restriction.)

    The best choice is to use another authentication method. For example: RSA Signature. I've never seen or used an RV082 so I have no idea what authentication methods it supports.

    The WRV200 manual says that it supports RSA Signature authentication, but in fact they removed this from the firmware. The underlying Openswan code does support it. (I bought a WRV200 because of that feature; Linksys says that the manual will be fixed :mad: )
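The point d__l makes above (the e-mail address becomes the USER_FQDN identifier) and the one HughR makes (the ID is only sent early enough in Aggressive Mode) are both visible in the IKEv1 packet layout. The following is an added example, not code from this thread or from Linksys/Cisco: it builds constructed IKEv1 messages and reports whether the exchange is Aggressive Mode and which identities are readable without the session key, which is what a VPN monitoring sensor would log for a gateway that accepts dynamic peers. The cookie values, the e-mail identity and the dummy nonce are constructed placeholders.

```python
import struct

# ISAKMP constants (RFC 2408 exchange and payload types, RFC 2407 ID types)
EXCH_MAIN_MODE = 2      # "Identity Protection" exchange
EXCH_AGGRESSIVE = 4
PAYLOAD_ID = 5
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}
EXCH_NAMES = {EXCH_MAIN_MODE: "Main Mode", EXCH_AGGRESSIVE: "Aggressive Mode"}
HDR = "!8s8sBBBBII"     # cookies, next payload, version, exchange, flags, msg id, length

def build_ike_message(exchange_type, payloads, flags=0):
    """Constructed sample: chain (payload_type, body) pairs behind an ISAKMP header.
    Real SA/KE/Nonce bodies are omitted; only the structure matters here."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return struct.pack(HDR, b"\x11" * 8, b"\x00" * 8, first, 0x10,
                       exchange_type, flags, 0, 28 + len(body)) + body

def id_payload(id_type, identity):
    # ID type, protocol ID (UDP = 17), port 500, then the identity bytes
    return struct.pack("!BBH", id_type, 17, 500) + identity

def inspect_ike(packet):
    """Classify the IKEv1 exchange and list any identities readable in cleartext."""
    if len(packet) < 28:
        raise ValueError("short ISAKMP header")
    _, _, ptype, version, exch, flags, _, length = struct.unpack(HDR, packet[:28])
    if length != len(packet) or version >> 4 != 1:
        raise ValueError("bad length or not IKEv1")
    encrypted = bool(flags & 0x01)      # E bit set: payloads are ciphertext
    ids, offset = [], 28
    while ptype != 0 and not encrypted:
        if offset + 4 > len(packet):
            raise ValueError("truncated payload header")
        nxt, _, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("bad payload length")
        if ptype == PAYLOAD_ID:
            id_type = packet[offset + 4]
            ids.append((ID_TYPES.get(id_type, str(id_type)), packet[offset + 8:offset + plen]))
        offset, ptype = offset + plen, nxt
    return {"exchange": EXCH_NAMES.get(exch, str(exch)),
            "aggressive": exch == EXCH_AGGRESSIVE,
            "cleartext_ids": ids}

if __name__ == "__main__":
    # Aggressive Mode message 1 carries the USER_FQDN (e-mail) ID in the clear
    msg1 = build_ike_message(EXCH_AGGRESSIVE, [(10, b"\x01" * 16),
                             (PAYLOAD_ID, id_payload(3, b"site@example.com"))])
    print(inspect_ike(msg1))
```

In Main Mode the ID payload only travels in messages 5 and 6, which carry the E flag, so the same inspector returns no identities for them.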
  d__l

    d__l Network Guru Member

    The choice of IPSec Aggressive Mode is the only VPN method allowed from a dynamic IP on the RV082. There isn't any other method!!!!!
