Traffic through tunnel or not? RV042

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by fred3, Apr 22, 2007.

  fred3

    If one sets up a tunnel between a pair of RV042s, then how does one know if the traffic is actually flowing through the tunnel as intended or simply out in the open?


  vpnuser

    You could take a packet capture to see if the packets are encrypted.
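    An added example (not from the thread) of the check vpnuser suggests: a small parser that classifies packets captured on the lab "internet" segment as ESP (tunnelled), IKE negotiation, or private LAN-to-LAN traffic in the clear. The public and LAN addresses are placeholders, and the sample capture is constructed inside the block.

```python
import ipaddress
import struct

ESP, UDP, ICMP = 50, 17, 1
IKE_PORTS = {500, 4500}
# Placeholder lab addressing (assumed, not the thread's real values).
LAN_A = ipaddress.ip_network("192.168.1.0/24")
LAN_B = ipaddress.ip_network("192.168.2.0/24")
PUB_A, PUB_B = "203.0.113.10", "198.51.100.20"

def classify(packet: bytes) -> str:
    """'esp' = tunnelled, 'ike' = negotiation, 'leak' = LAN-to-LAN in the clear."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    if proto == ESP:
        return "esp"
    if proto == UDP and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if sport in IKE_PORTS or dport in IKE_PORTS:
            return "ike"
    # Private LAN addresses on the WAN segment mean the tunnel was bypassed.
    if (src in LAN_A and dst in LAN_B) or (src in LAN_B and dst in LAN_A):
        return "leak"
    return "other"

def ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (checksum left 0; enough for this parser)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def summarize(packets) -> dict:
    """Count packets per class; any 'leak' means traffic bypassed the tunnel."""
    counts = {"esp": 0, "ike": 0, "leak": 0, "other": 0}
    for pkt in packets:
        counts[classify(pkt)] += 1
    return counts

# Constructed sample capture: one IKE packet, one ESP packet, and one ICMP
# echo between the two LANs that went out in the open.
SAMPLE_CAPTURE = [
    ipv4(PUB_A, PUB_B, UDP, struct.pack("!HH", 500, 500) + b"\x00" * 8),
    ipv4(PUB_B, PUB_A, ESP, b"\x00" * 16),
    ipv4("192.168.1.5", "192.168.2.5", ICMP, b"\x08\x00" + b"\x00" * 6),
]
```

    On a real capture, feed the raw IPv4 packets (with link-layer headers stripped) to summarize(); a non-zero 'leak' count is the "out in the open" case fred3 is asking about.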
  Toxic

    Try pinging the internal LAN IP of the remote router.
  fred3

    I sniffed the "internet" that I created in the lab. I think the packets were encrypted. At the time I borrowed one of the end hosts to do this - so there weren't ping replies.

    After I sent this I figured about the pings. I guess there's no way for them to work *unless* the tunnel is the path. Is that right?

    As you can see, I'm still struggling with the RV042 VPN.
    To get the pings to work, in addition to the VPN setup, I had to add a route in the RV042 with Destination the far LAN subnet and Gateway the far site VPN public IP. Is that normal?
  ifican

    For the remote LAN subnet of the tunnel no added route should be necessary. When you create the tunnel the route will be added; for some devices you will see it in the route table, in others you will not. I have not used the RV series so I don't know if it will present.
  Toxic

    What are you trying to achieve by the ping? If you have set up each side of the VPN tunnel with the remote settings pointing to the remote subnet (range of IPs) and the local side using Subnet of the LAN then it should work fine. If you just select an "IP address" on its own then that's all you will have access to.
  fred3

    Eventually I want to be able to pass packets from one LAN to the other - that will get routed further on from there.
    As I build this lab system up, I figured that ping would be a good test.
    Eventually I also want to be able to map network drives across the VPN.
    So far, this isn't working.
    I *have* changed the VPN IP groups to subnets both remote and local.
  Toxic

    Are any of the workstations on either local or remote running their own firewalls? For ping to work you need ICMP echo enabled.
  fred3

    There are no firewalls for these tests on this private network.

    Ping *does* work now.

    However, I'm not able to map a remote LAN drive locally - which is important!!

    I set up all manner of firewall rules in the RV042s and now find that there is *one* that's necessary for the pings to work:
    Allow / All Traffic / Source I/F: LAN / Source: Local Subnet /Dest:Remote Subnet
    I also have:
    Deny / All Traffic / Any Source / Any Destination next on the list.
  fred3

    I added another firewall rule in the RV042s that allows traffic between the two VPN public IP addresses. I see pings going from one to the other that weren't being responded to. I didn't see any problems resulting from *not* having this rule though....

    The traffic on the "internet" hub otherwise appears to all be VPN traffic.

    Still can't map drives ... continue to investigate.

  starlight

    Hello Fred,
    I have a similar configuration and can ping and map drives, but I didn't need any extra firewall rules. But I had to activate RIP on both sides.
    I think you have installed the newest firmware?

  fred3

    Interesting. I'd be interested in getting a configuration file for an RV042 that *works* in this simple arrangement.

    I'll check out RIP.

    Yes, the firmware on all RV042s is the latest.
  Toxic

    fred3, are you using a domain or workgroup environment at both locations? If it's a workgroup, are they the same name?

    If you're able to ping, did you enable NetBIOS over VPN in the setup pages? Can you map to shared resources using UNC format?

    \\ip address\sharename or \\netbiosname\sharename
  fred3

    It's a workgroup environment. Both have the same name.
    NetBIOS over VPN is enabled.
    I don't think that shared resources (as in Workgroup shared folders?) are visible and I don't care about that unless it's going to matter .... it may.

    I'd be happy at the moment to map a shared resource with its IP address:
  fred3

    I'm not sure this is useful information but I just noticed that the Show Routing Table results don't match between the RV042s:

    Route for .117 / .157

    Dest Subnet Default Gateway Hop Ct I/F * 40 ixp1 * 41 ipsec0 * 50 ixp0 10 ipsec0
    default 40 ixp1

    Route for .116 / .213

    Dest Subnet Default Gateway Hop Ct I/F 0 ixp1 * 40 ixp1 * 41 ipsec0 10 ipsec0 0 ixp0 * 50 ixp0
    default 40 ixp1

    Here: / is the subnet/network for the public IP addresses. / is the LAN subnet for .157 <> .117 / is the LAN subnet for .213 <> .116

    The Advanced Routing / Static Routing tables are *empty* in both RV042s and these are what shows up in the "Show Routing Table" displays.

    The lower one has two added routes:
    It points to its own public IP as the default gateway for the public subnet … which seems wrong.
    It points to .198 as the default gateway for the LAN – which may be OK but that's in contrast to the same route showing "*" for the same route.

    Both of the "extra" routes show a Hop Count of 0. ???

    Whether you find this interesting or helpful, it raises the question:
    How does one change the contents of the Show Routing Table results in some predictable manner? I'd rather not reset and reprogram it!
    I guess one might try backing up the config and reloading it....


  fred3

    In reviewing, I'm not sure why RIP would make a difference. There is *only* one possible route here. But, there are other things that don't go by the names they seem to be given!! So, I set it up but it didn't make a difference in drive mapping. Still doesn't work.
