RV042 VPN With Multiple Local Subnets Failing

Unanswered Question
Mar 12th, 2010
Hello, we have a gateway-to-gateway IPSec VPN connection between our datacenter and office.


Datacenter has a Sonicwall (public ip: 64.87.28.110)

Office has a Cisco/Linksys RV042 (public ip: 99.40.46.241)


The database has two subnets, 192.168.1.0/255.255.255.0 and 10.64.0.0/255.248.0.0


The office has the main subnet, 192.168.0.0/255.255.255.0, and under network setup I added a secondary subnet of 10.64.0.0/255.248.0.0 so it can handle traffic coming from the datacenter on that range.


We are able to connect and the VPN link is established. We are able to send traffic just fine between 192.168.1.0 and 192.168.0.0. But when we send traffic that is from a 10.64.0.0 segment, it goes across the VPN connection (I confirmed with Sonicwall logging that the traffic is passed along), but in the RV042 the traffic is not getting to its destination. In the RV042 system log I see the following:


Mar 11 17:37:13 2010         VPN Log        [Tunnel Negotiation Info]  <<<Responder Received Quick Mode 1st packet
Mar 11 17:37:13 2010        VPN Log        [Tunnel Negotiation Info]  <<<Responder Received Quick Mode 1st packet
Mar 11 17:37:13 2010       Connection Accepted     UDP   64.87.28.110:500->99.40.46.241:500 on ixp2
Mar 11 17:37:13 2010        VPN Log        Cannot respond to IPsec SA  request because no connection is known for 192.168.0.0/24===99.40.46.241. ..64.87.28.110===10.64.0.0/13
Mar 11 17:37:17 2010        VPN Log        Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x7f8b02d2 (perhaps this is a duplicated packet)


Any ideas how to fix this? In the Sonicwall I am able to configure the VPN connection to use multiple local subnets, but I don't see that as an option in the RV042 VPN setup.


Thanks

Te-Kai Liu Fri, 03/12/2010 - 15:40

Have you tried creating two tunnels on RV042, each of which connect to one of the two subnets in the data center?

fieldtechnologies Fri, 03/12/2010 - 16:10
I have not tried creating two tunnels, but that seems like a hack. All I want to do is add an additional subnet to the existing tunnel, which I successfully did in the main router settings, but I don't see a way in the VPN settings to allow access to multiple subnets.


Is this the only way to get it working though? Thanks.

Alejandro Gallego Sat, 03/13/2010 - 20:36

Try one of the following:

1. on the RV local secure network define it as 0.0.0.0/0 (this would allow all subnets) or

2. create a route statement for the 10.64.0.0 (this may not work since both sides have the same network)


This may take some messing with because we can't supernet 192.168.0.0, as it will not help us. Since both sides of the tunnel have 10.64.0.0/13 it will be tricky adding a route statement. By defining the local subnet as "0" it should allow all traffic to go through; set the remote local as any, but not sure if that will work.

The route statement may be defined as a range like 10.64.0.1 - .254, next hop 192.168.1.1 (whatever the router IP is)... this may be the best option so long as your network is split like that.


Try that and let us know.

fieldtechnologies Mon, 03/15/2010 - 15:07
alegalle,


Thanks for the reply. So, the suggestion of putting 0.0.0.0/0 as the VPN local security group on the Cisco did not work; I could not make a VPN connection. I went over to my Sonicwall and updated it, and put 0.0.0.0/0 as the destination network to see if that would work, but unfortunately that caused major problems, and I had to undo that on the Sonicwall.


So I am not clear about your other suggestion of using a static route. How would defining a static route allow traffic to pass through the VPN on 10.64.0.0/255.248.0.0?


Thanks very much for the reply.

fieldtechnologies Mon, 03/15/2010 - 17:04
UPDATE:


I tried creating another VPN connection on the RV042.


Set up the same as the first VPN connection; the only difference is:


Local Group Security: 10.64.0.0/255.248.0.0

Remote Group Security: 10.64.0.0/255.248.0.0


It gives me a warning saying: The settings of local group security conflict with remote security group, but I can still click ok and save.


Then I went on the other router (Sonicwall) and simply added the second subnet (10.64.0.0/255.248.0.0) to the existing VPN connection; the Sonicwall supports this.


To my surprise the second VPN connection works and was established. So right now I have both connections connected.


Unfortunately, when I try to pass 10.64 traffic through the VPN it is not working. Still getting the same thing on the Cisco/Linksys system error log as well:


Mar 15 16:55:30 2010    VPN Log   Quick Mode I1 message is unacceptable because it uses a previously  used Message ID 0xe6410b55 (perhaps this is a duplicated packet)
Mar 15 16:56:03 2010    VPN  Log   [Tunnel Negotiation Info] <<< Responder  Received Quick Mode 1st packet
Mar 15 16:56:03 2010    VPN  Log   Cannot respond to IPsec SA request because no connection  is known for  10.64.0.0/13===99.40.46.241...64.87.28.110===192.168.1.0/24


Seems that traffic is being passed by the Sonicwall, but the Cisco/Linksys is tossing it away. Any other ideas? Thanks a lot.

Gerald Vogt Tue, 03/16/2010 - 04:01

What you are trying to do is not possible with the RV042. It's a limitation of the RV042 that it is not possible to define multiple subnets as local or remote security group. Due to that you are limited to IPSec tunnels which contain exactly one local/remote security group subnet. As the RV042 only supports plain IPSec tunnels, it is not possible to route additional traffic through the tunnel. Routing does not change the source/destination IP addresses of an IP packet, and thus those packets won't match the local/remote security groups, thus they won't be tunneled.


That's why you see those "192.168.0.0/24===99.40.46.241.  ..64.87.28.110===10.64.0.0/13" and "10.64.0.0/13===99.40.46.241...64.87.28.110===192.168.1.0/24" messages.


The first one tells you that there was an IP packet from 192.168.0.0/24 to 10.64.0.0/13 for which there is no matching IPSec tunnel (i.e. no matching local/remote security group definition).

The second one tells you that there was an IP packet from 10.64.0.0/13 to 192.168.1.0/24, but again there is no matching IPSec tunnel.


This is a limitation of the RV042. Unless you are able to match everything within a single local/remote security group you basically have no chance. You should consider splitting the subnets by location, e.g. use 192.168 addresses on one end and 10 addresses on the other end. The way you have split it up at the moment won't work with the RV042.


I wish Cisco would add GRE on the RV series. That would make things so much easier...
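To make the selector-matching rule in the reply above concrete, here is an added example (not code from the thread or from Cisco) that parses the two "no connection is known" lines quoted in this thread and checks the proposed local/remote pair against a list of configured tunnels. It assumes the RV042 needs an exact match of both security groups per tunnel (consistent with the 0.0.0.0/0 attempt failing) and takes the second tunnel's remote as 10.64.0.0/13 from the logs.

```python
import ipaddress
import re

# Matches the RV042 "no connection is known" message, which names the proposed
# selectors as <local subnet>===<local gw>...<remote gw>===<remote subnet>.
# [. ]+ tolerates the "241. ..64" spacing in the thread's pasted logs.
_NO_CONN_RE = re.compile(
    r"no connection is known for\s+"
    r"(?P<lsub>\d+(?:\.\d+){3}/\d+)===(?P<lgw>\d+(?:\.\d+){3})[. ]+"
    r"(?P<rgw>\d+(?:\.\d+){3})===(?P<rsub>\d+(?:\.\d+){3}/\d+)"
)

def parse_no_connection(line):
    """(local_subnet, remote_subnet) from a rejection line, or None."""
    m = _NO_CONN_RE.search(line)
    if m is None:
        return None
    return ipaddress.ip_network(m["lsub"]), ipaddress.ip_network(m["rsub"])

def find_tunnel(tunnels, local_net, remote_net):
    """Index of the tunnel whose (local, remote) groups equal the proposed pair, or None.
    Exact equality is assumed: in the thread a 0.0.0.0/0 local group was no catch-all."""
    for i, (loc, rem) in enumerate(tunnels):
        if loc == local_net and rem == remote_net:
            return i
    return None

def unmatched_selectors(log_lines, tunnels):
    """Selector pairs from the log that no configured tunnel covers."""
    missing = []
    for line in log_lines:
        pair = parse_no_connection(line)
        if pair is not None and find_tunnel(tunnels, *pair) is None:
            missing.append(pair)
    return missing

# The two rejection lines quoted in the thread (RV042 side).
LOG_LINES = [
    "Mar 11 17:37:13 2010 VPN Log Cannot respond to IPsec SA request because no "
    "connection is known for 192.168.0.0/24===99.40.46.241. ..64.87.28.110===10.64.0.0/13",
    "Mar 15 16:56:03 2010 VPN Log Cannot respond to IPsec SA request because no "
    "connection is known for 10.64.0.0/13===99.40.46.241...64.87.28.110===192.168.1.0/24",
]
N = ipaddress.ip_network
# Original single tunnel, then the two-tunnel layout the poster ended with (second
# remote taken as 10.64.0.0/13 from the logs; an assumption).
ONE_TUNNEL = [(N("192.168.0.0/24"), N("192.168.1.0/24"))]
TWO_TUNNELS = ONE_TUNNEL + [(N("192.168.0.0/24"), N("10.64.0.0/13"))]
```

With ONE_TUNNEL both logged pairs are unmatched; with TWO_TUNNELS the first (192.168.0.0/24 to 10.64.0.0/13) is covered, while the second (10.64.0.0/13 to 192.168.1.0/24) still is not, since no tunnel has that exact pair.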

fieldtechnologies Tue, 03/16/2010 - 12:56
Gerald,


Thanks for the reply. I actually got this working by creating two VPN connections on the Cisco. Basically I have:


VPN #1: Local: 192.168.0.0/255.255.255.0
        Remote: 192.168.1.0/255.255.255.0

VPN #2: Local: 192.168.0.0/255.255.255.0
        Remote: 10.24.0.0/255.248.0.0


Then on my Sonicwall I only have ONE VPN connection, but with both remote subnets added: 192.168.0.0/255.255.255.0 and 10.24.0.0/255.248.0.0.


This works great, both VPN connections are active, and I am able to pass traffic through. Thanks to all that replied; hopefully this will help others.

bramblett Mon, 08/16/2010 - 10:18
Thank you! THANK YOU!!!


I haven't fully fleshed out my config, but it is working here. I had been working on this frustrating issue for several days, trying different configs and different hardware solutions, before I finally stumbled on the "multiple connections for multiple subnets" solution. THANKS!!


For others that might read this:

Don't forget that you will need to enter static routes into each end if there is more than one hop to the systems that will be using the site to site connection.

One of the key elements that is not included in the manuals is that on the RVS4000 the "remote group" can be any subnet, not just the subnet that is on the LAN interface of the RVS4000. This post finally had some conclusive evidence of that, which I inferred from the previous reply.



E-mail me if you have any questions: (remove all the number 4s for the valid address)

[email protected]



Some additional tags so that in the future others won't have as hard a time finding this as I did:

RVS4000 VPN to RVS4000 VPN

Site to site IPSec VPN Cisco RVS4000

RVS4000 IPSEC VPN Remote Group