rv110w acl

Barrylw65
Level 1

Hello. I have a question. I've set up a site-to-site VPN connection using the RV110W. The tunnel works fine: if I click connect, it connects OK with no queries. But where in the settings of the router do I tell it to deny NAT for packets that need to be routed via the VPN connection? I cannot ping the other end of the VPN, so I assume it's just going out over the internet. Sorry if this is a dumb question; I'm pretty new to this.

Please help.

Thanks

Barry

6 Replies

chrebert
Level 4

Hello Barry,

On the small business routers you don't have to tell them not to NAT across the tunnel; any traffic you have set as the remote network will be sent across without being NATed.

One test is to try and ping the LAN IP of the remote router; if that works, the tunnel is up and running. Most of the time when you can't ping devices on the other side of the tunnel it is because of the firewall on the device, especially Windows hosts. Try disabling the firewall on the host you're trying to ping. Also check to make sure the default gateway of the devices you are testing with is set to the router on each end.

We can also test to see if your packets are being routed out to the internet instead of through the tunnel by running a traceroute to something out on the internet.  If the trace goes infinite past 30 then something has routed that packet incorrectly, or it can't find a way back.

Let me know how that goes and if it still isn't working go ahead and post your settings for each side of the tunnel, especially the local and remote groups.

Thank you for choosing Cisco,

Christopher Ebert - Advanced Network Support Engineer

Cisco Small Business Support Center

*please rate helpful posts*

Hello Christopher.

Thanks for your reply.

Unfortunately I do not have access to the remote host. It is a hosted private company to a government gateway. I have only been given the settings to use for the VPN, as follows.

IKE phase 1

DH group 2

IKEv1

IKE lifetime 86400

Aggressive mode no

Encryption AES256

Integrity SHA-1

Authentication pre-shared

Phase 2

PFS yes

PFS group 2

Lifetime 3600

Encryption AES256

Integrity SHA-1

I've found out that the tunnel is failing at phase 2. Apparently the details at each end match for what I can configure. But I'm wondering if there is something that is not supported on this router that the other end of the tunnel is looking for. Part of their instructions state that we should not use NAT traversal. I know this router doesn't support this, so would this be a problem?

The remote host is ping disabled and the traceroute only gets as far as our router and then times out. But I assume that's because of the same reason I can't ping them.

Attached is the config file from our router.

Thanks for your help and I apologise for any dumbness on my part.

Thank you for that information,

When you say the traceroute gets as far as your router and then times out, does it just stop, or does it go infinite with just stars for every hop?

You mention the tunnel fails at phase 2, do you have the logs from the router?  You may have to enable them first, then try connecting a few times and post the logs here.  They aren't always clear but often help point us in the right direction.

Christopher Ebert

Hello Christopher.

The traceroute just goes infinite stars for every hop.

Attached are the logs.

Thanks for the help.

Barry

Hello Barry,

Thank you for posting those logs.

Your logs are a bit empty, you may want to check under logging settings and enable a few more logging levels.

However, from the messages we do see this one jumps out at me:

using isakmp#1 msgid:d4524f7a proposal=AES(12)_256-SHA1(2)_1024 pfsgroup=no-pfs

It looks like the other side is requesting AES256, SHA1, and no PFS group.  I know you said that the settings were given to you by the other side but it looks like it is not using PFS.  You can try disabling that on your end.

The only other message talks about no proposal chosen, which usually means the two endpoints cannot agree on settings to use, meaning something doesn't match up.  You may want to get the other side to double check the settings they gave you.

Hope that helps,

Christopher Ebert
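As an added illustration of the check Christopher describes (not code from the thread or from Cisco), the script below parses a proposal line of the shape quoted above and compares it with the phase 2 settings Barry was given, flagging the PFS disagreement. The log format pattern and the sample line are assumptions modelled on the one message quoted in the reply.

```python
import re

# Constructed sample, modelled on the log line quoted in the reply above.
SAMPLE_LOG = ("using isakmp#1 msgid:d4524f7a "
              "proposal=AES(12)_256-SHA1(2)_1024 pfsgroup=no-pfs")

# Phase 2 settings the poster was given: AES256, SHA-1, PFS group 2.
LOCAL_PHASE2 = {"encryption": "AES", "key_bits": 256,
                "integrity": "SHA1", "pfs_group": 2}

# Assumed log format: ALG(id)_bits-HASH(id)_size followed by pfsgroup=<value>.
PROPOSAL_RE = re.compile(
    r"proposal=(?P<enc>[A-Z0-9]+)\(\d+\)_(?P<bits>\d+)"
    r"-(?P<integ>[A-Z0-9]+)\(\d+\)_(?P<size>\d+)\s+pfsgroup=(?P<pfs>\S+)")


def parse_proposal(line):
    """Extract the peer's phase 2 proposal from one log line, or None if absent."""
    m = PROPOSAL_RE.search(line)
    if not m:
        return None
    pfs = m.group("pfs")
    return {"encryption": m.group("enc"), "key_bits": int(m.group("bits")),
            "integrity": m.group("integ"),
            # Only "no-pfs" is interpreted; any other value is kept verbatim.
            "pfs_group": None if pfs == "no-pfs" else pfs}


def compare_phase2(local, peer):
    """Return human-readable mismatches between our settings and the peer's proposal."""
    mismatches = []
    if (local["encryption"], local["key_bits"]) != (peer["encryption"], peer["key_bits"]):
        mismatches.append("encryption: local %s%d, peer %s%d" % (
            local["encryption"], local["key_bits"], peer["encryption"], peer["key_bits"]))
    if local["integrity"] != peer["integrity"]:
        mismatches.append("integrity: local %s, peer %s" % (local["integrity"], peer["integrity"]))
    if local["pfs_group"] is not None and peer["pfs_group"] is None:
        mismatches.append("PFS: local requires group %d, peer proposes no PFS" % local["pfs_group"])
    elif local["pfs_group"] is None and peer["pfs_group"] is not None:
        mismatches.append("PFS: local has PFS off, peer proposes %s" % peer["pfs_group"])
    return mismatches


if __name__ == "__main__":
    for finding in compare_phase2(LOCAL_PHASE2, parse_proposal(SAMPLE_LOG)):
        print(finding)
```

Run it against the router's exported log to see which of the three phase 2 parameters the peer is actually disagreeing on before changing settings.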
