RVL200 + VPN + Multiple Subnets

Discussion in 'Networking Issues' started by baremetal, Apr 17, 2007.

  1. baremetal

    baremetal LI Guru Member

    I have two RVL200's connecting into a Fortigate 60 firewall using IPSEC VPN.

    RVL200 # 1 =
    RVL200 # 2 =
    Fortigate =

    All on the internal networks and all class C's

    Each RVL200 has no issue getting to, they cannot get to the other RVL200 LAN.

    The Fortigate has been configured as a concentrator for these two VPN connections and allows traffic to travel between both.

    The issue is that when I set up the VPN connection on the RVL200's I can only set one subnet to pass through it. So it knows that 10.0.0.x is out that interface.

    Does anyone know how I can tell it to look for the 192.168. counter part out through the VPN connection?
  2. ifican

    ifican Network Guru Member

    The long and short of it is this: in order for you to do that you need to have a feature built into the code that does what Cisco calls reverse route injection (RRI). Without it, or a feature designed to do what it does on your particular router, this won't happen.
  3. pablito

    pablito Network Guru Member

    I don't know either of those routers but can you create two VPNs per RVL (4 on the Fortigate)? That is the traditional method. I use an RV8 to a linux endpoint and then reach 3 subnets. The extra overhead is trivial after the 1st tunnel.

    The other way to do it since you are trying to do a "star" is to widen the remote subnet spec to include both nets. That also works well if the math is on your side...
  4. aviegas

    aviegas Network Guru Member

    My guess is that, by default, the routes out of each RVL are just for the network that is behind the Fortigate.
    So the trick is to add a static route to each RVL pointing to the other's RVL network and using the Fortigate "inside" IP as the gateway.
    I've done this in a combination of RV042, RV082 and BEFVP41. All 3 networks could communicate using just 2 tunnels.
  5. ifican

    ifican Network Guru Member

    I had initially tried this years ago and could not get it to work right. I had always figured it was partly because the "interesting traffic" identified by the tunnel config, once matched via the local and remote secure group settings, just handed the tunnel traffic off to the other side. I had just thought that because the remote secure group IP range was not the destination, it would bypass the tunnel altogether. I will have to look at this one again as I am quite curious now.
  6. pablito

    pablito Network Guru Member

    The IPSEC spec calls for "strict routing" so that subnets not defined will not route. Certainly more secure that way. Some routers ignore that or have it as an option. Not sure about these routers but the chances are not great that both of them will.

    I would just create a 2nd tunnel from each RVL and it will work (as a star). Or create a 2nd tunnel between the RVLs and go direct. The overhead of additional tunnels is minor, most of the heavy lifting is done by the first tunnel.

    You could also widen the subnet range so that both subnets are included in one tunnel. That also works but watch for inclusion of subnets that you don't want to have access.
  7. nimby

    nimby LI Guru Member

    Ok, it might just be my misreading this, but I think what you're saying is to create a second tunnel that has a wider subnet mask, such as a /16?

    If so, how do you go about doing this on a RV042? This might be a solution for my problem that I posed in a separate thread :biggrin:
  8. pablito

    pablito Network Guru Member

    If you create a 2nd tunnel at each RVL then just give it the other RVL's subnet as the remote subnet. Then RVL-RVL will route via the Fortigate.

    RVL200 # 1-1 = ->
    RVL200 # 1-2 = ->

    RVL200 # 2-1 = ->
    RVL200 # 2-2 = ->

    Fortigate -1 = ->
    Fortigate -2 = ->
    Fortigate -3 = ->
    Fortigate -4 = ->
  9. baremetal

    baremetal LI Guru Member

    Thank you for the messages guys, but one big problem. The RVL200 only supports 1 IPsec tunnel. I have a new beta firmware, 1.1.4, that Linksys sent to me, and they told me it would allow multiple tunnels; they were wrong.
  10. Toxic

    Toxic Administrator Staff Member

    I've been told by Linksys before that the RVL200 will only support 1 IPSec tunnel. Who told you it would have more? Linksys Tech Support?
  11. pablito

    pablito Network Guru Member

    Ouch. That's too bad. The only solution I can think of now is to set up routing entries, but by the spec that shouldn't work.

    Would it be possible to change the 10.x network to a 192.x? Then you could expand the tunnel spec so that it includes all subnets in one go (/16 or something more sane).
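    The "widen the remote subnet" approach suggested above (pablito's posts about expanding the tunnel spec, and the renumbering idea in this last post) only works "if the math is on your side": a single-CIDR selector that covers two subnets also admits every address in between, and for 10.x plus 192.168.x it collapses to 0.0.0.0/0. The script below is an added example for this thread, not code from any poster or from Linksys or Fortinet; it computes the smallest CIDR block covering the subnets you intend to reach through one tunnel and reports the extra address space that block would admit, plus any networks you list as off-limits that it would overlap. All subnet values in it are constructed, since the thread's own addresses did not survive.

```python
"""Check what a widened IPsec "remote subnet" selector would really admit.

Added example (not from the thread's posters or any vendor). Given the
subnets you intend to reach through one tunnel, compute the single CIDR
block that covers them all and report the address space it admits beyond
what you intended. The subnet values below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Sequence

IPNet = ipaddress.IPv4Network


def smallest_covering_supernet(nets: Sequence[str]) -> IPNet:
    """Return the smallest CIDR block that contains every network in `nets`."""
    networks = [ipaddress.ip_network(n, strict=True) for n in nets]
    candidate = networks[0]
    # Widen one prefix bit at a time until every intended network fits.
    # Networks with no common leading bits (10.x and 192.168.x) end at /0.
    while not all(n.subnet_of(candidate) for n in networks):
        candidate = candidate.supernet()
    return candidate


def unintended_space(supernet: IPNet, nets: Sequence[str]) -> List[IPNet]:
    """Return the CIDR blocks inside `supernet` that are not in `nets`."""
    remaining = [supernet]
    for raw in nets:
        intended = ipaddress.ip_network(raw, strict=True)
        next_remaining = []
        for block in remaining:
            if intended.subnet_of(block):
                # Carve the intended network out of this block, keep the rest.
                next_remaining.extend(block.address_exclude(intended))
            elif block.subnet_of(intended):
                # Block is entirely intended traffic: drop it.
                continue
            else:
                next_remaining.append(block)
        remaining = next_remaining
    return sorted(remaining)


def widening_report(nets: Sequence[str], forbidden: Iterable[str] = ()) -> Dict[str, object]:
    """Summarise the consequences of using one covering selector for `nets`.

    `forbidden` lists networks that must not become reachable via the tunnel
    (constructed examples here: a management VLAN, a partner range).
    """
    supernet = smallest_covering_supernet(nets)
    extra = unintended_space(supernet, nets)
    hits = [f for f in forbidden
            if ipaddress.ip_network(f, strict=True).overlaps(supernet)]
    return {
        "selector": str(supernet),
        "intended_addresses": sum(ipaddress.ip_network(n).num_addresses for n in nets),
        "extra_networks": [str(b) for b in extra],
        "extra_addresses": sum(b.num_addresses for b in extra),
        "forbidden_reachable": hits,
        # A /0 selector would pull all of the site's traffic into the tunnel.
        "collapses_to_default": supernet.prefixlen == 0,
    }


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: mixed 10.x/192.168.x,
    # and the "renumber everything into 192.168.x" alternative.
    for intended in (["10.0.0.0/24", "192.168.1.0/24"],
                     ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]):
        print(intended, "->", widening_report(intended, forbidden=["192.168.0.0/24"]))
```

    Run it before changing a selector: if `collapses_to_default` is true or `forbidden_reachable` is non-empty, the widening shortcut is not an option for that addressing plan and a second tunnel (or a static route, where the firmware honours it) is the safer path.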