
CISCO RV180 - Site to Site Basic Steps

Slava Zhilov
Level 1

Good day!

May I ask about the basic steps of creating a VPN tunnel between two CISCO RV180 routers? I'm trying to connect two remote local networks located in two different cities. Network A has a webserver which can be accessed only locally. I would like Network B users to have access to that server. Can the RV180 router located at Network B be a VPN client for the RV180 located at Network A? Or should they both be gateways? If Network B has no external IP address, is that a problem? Do I need to create users for that connection or only IKE and VPN policy?

3 Accepted Solutions

Slava,

You are correct, you can increase the level of encryption and https is no longer necessary. For twice the security you can still use https if you wish.

- Marty

16 Replies

Eric Moyers
Level 7

Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.

This is a common question. Here is a document that should assist you in configuring the tunnel.

For best results I would use both routers as Gateways and both need to have external IPs. If you do a VPN tunnel between the two RV180s, you do not have to create users. Just the policies.

Please let me know how you do.

Thanks

Eric Moyers    .:|:.:|:.

Cisco Small Business US STAC Advanced Support Engineer

Wireless Subject Matter Expert

CCNA, CCNA-Wireless

*Please rate the Post so others will know when an answer has been found.

Thank you very much, Eric. The document is good and it actually embraces all the needed steps. Just one more question. Can the DNS service located at the main office local network be used by the remote office so staff from remote office don't have to type ip address in their web browser but use the FQDN of that server or local server name instead?

Slava,

You can enable Split DNS in the tunnel settings. (VPN Policy) From the Help file on that page:

  1. In the Split DNS section, check the Enable box to allow the Cisco RV180/RV180W to find the DNS server of the remote router without going through the ISP (Internet). Otherwise, uncheck the box to disable this feature. If you enable Split DNS, also enter these settings:
    • Domain Name Server 1—Enter a Domain Name server IP address to resolve the domain that you enter in the Domain Name 1 field.
    • Domain Name Server 2—Optionally, enter a Domain Name server IP address to resolve the domain that you enter in the Domain Name 2 field.
    • Domain Name 1—Enter a domain name, which will be queried only using the DNS server configured in the Domain Name Server 1 field.
    • Domain Name 2—Enter a domain name, which will be queried only using the DNS server configured in the Domain Name Server 2 field.

- Marty

Hello, Eric!

I just realized... what if I'm behind NAT? Do I still put the external IP address in Local WAN IP or do I put the actual local WAN IP, which is not external?

I made a DMZ for one of the routers but for the other one I can't do that, I can only forward ports. What ports do I need to forward? The same as I did for VPN users? Or does Site-to-site use different ports?

Slava,

If possible, always bridge all traffic to the VPN router so it has a true WAN IP on the WAN port.

It may be possible to establish QuickVPN and IPSec Gateway to Gateway tunnels by forwarding ports 443, 60443 TCP and 500, 4500 UDP to the WAN IP of the RV180. This configuration is not officially supported by Cisco.

- Marty

Thank you very much for your patience. I have now got the connection established!

However, when I try to go to https://remote_office_router from the main office I get a certificate error: "You have received an invalid certificate... (Error code: sec_error_reused_issuer_and_serial)". That's using Firefox.

The router in the remote office is in the DMZ and all incoming traffic is bridged to it. I did port-forward at the main office router site, but in this case this is an outgoing connection for the main office so no ports should matter; all outgoing connections are allowed. Ping from the main office to the remote office local address is going fine and also telnet to that address on 443 says "Connected..."

Is there anything I can do to get there by the web browser?

Slava,

Is https://remote_office_router the LAN or WAN IP of that router? (I understand that the router has a LAN IP on the WAN port from the other router)

If the tunnel is established you should be able to reach both routers using their LAN IP address.

- Marty

Its LAN address. I have the same toward the other end too. Could that be a firewall setting? Is there any log I can check to debug this?

Slava,

Have you tried IE or Chrome?

- Marty

Chrome made it! Thank you very much.

I'm now back to Split DNS function. I have set up Split DNS at the Remote Office router at the VPN policy. I have set:

Domain Name Server 1: 10.10.10.2 (Main Office Linux Server)

Domain Name 1: server.local

When I try to ping server.local I don't get the name resolved. If I try nslookup server.osa it says that RV180 with address 20.10.10.1 (remote office LAN) DNS Request timed out.

If I try nslookup server.local 10.10.10.2 (i.e. show explicitly what DNS server to use) it resolves correctly.

So it seems like the DNS server from the main office responds but the router from the remote office does not route DNS requests to it.

Is there something I did wrong in this whole sequence?

Slava,

Is 10.10.10.2 the DNS server entered in the Main Office router?

- Marty

I did everything once again and it is working now. Thank you very much for all your help!

So now just to summarize this - I now have a tunnel created and since it is encrypted I don't necessarily need to use https inside of it. The VPN policy says

Encryption

AES-128

If I want stronger encryption I just need to change this setting to 256, 512 etc. at both ends on the VPN policy and it will replace https even better so I can just use plain http.

Am I correct on all that?

Slava,

That's great news! Please mark this thread as answered to help people in the future with the same issue.

- Marty

Thank you, I just did.

Still a little question - how do I determine what encryption is used and whether it is used at all?
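
The closing question (whether traffic between the sites is actually encrypted) can be checked from a packet capture taken on the WAN side of either gateway. The following is an added example, not part of the thread or of Cisco's documentation: it classifies raw IPv4 packets as IKE, ESP, NAT-T or cleartext that bypassed the tunnel. The /24 masks, the WAN addresses and the sample packets are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

# LAN ranges from the thread (main office 10.10.10.x, remote office 20.10.10.x).
# The /24 masks and all WAN addresses below are assumptions for this example.
SITE_LANS = [ipaddress.ip_network("10.10.10.0/24"),
             ipaddress.ip_network("20.10.10.0/24")]

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet captured on the WAN side of a gateway."""
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length in bytes
    proto = pkt[9]
    src, dst = (ipaddress.ip_address(pkt[i:i + 4]) for i in (12, 16))
    if proto == 50:                              # ESP carried directly over IP
        return "esp"
    if proto == 17 and len(pkt) >= ihl + 8:      # UDP
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        data = pkt[ihl + 8:]
        if 500 in (sport, dport):
            return "ike"
        if 4500 in (sport, dport):               # NAT traversal
            # Four zero bytes (non-ESP marker) mean IKE; anything else is ESP
            return "ike-natt" if data[:4] == b"\x00" * 4 else "esp-natt"
    # Inner LAN addresses visible on the WAN: the packet bypassed the tunnel
    if any(src in n for n in SITE_LANS) and any(dst in n for n in SITE_LANS):
        return "cleartext-leak"
    return "other"

def ipv4(src, dst, proto, payload):
    # Minimal IPv4 header (checksum left at 0), used only to build the sample capture
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

A, B = "198.51.100.10", "203.0.113.20"           # constructed WAN addresses
CAPTURE = [                                      # constructed sample capture
    ipv4(A, B, 17, udp(500, 500, b"\x11" * 28)),
    ipv4(A, B, 50, b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 32),
    ipv4(A, B, 17, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    ipv4(A, B, 17, udp(4500, 4500, b"\xc3\x5a\x10\x02" + b"\xbb" * 32)),
    ipv4("20.10.10.50", "10.10.10.2", 17, udp(40000, 53, b"\x12\x34" + b"\x00" * 10)),
]

def summarize(capture):
    return Counter(classify(p) for p in capture)
```

ESP payloads are opaque, so a capture shows that traffic is encapsulated but not which cipher was negotiated; that follows from the Encryption setting both VPN policies agree on. The tunnel also covers only the path between the two gateways, so HTTP stays readable on each LAN segment.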
