Hello. I have a question. I've set up a site to site VPN connection using the RV110W. The tunnel works fine: if I click connect it connects ok with no queries. But where in the settings of the router do I tell it to deny NAT for packets that need to be routed via the VPN connection? I cannot ping the other end of the VPN so I assume it's just going out over the internet. Sorry if this is a dumb question, I'm pretty new to this.
On the small business routers you don't have to tell them not to NAT across the tunnel, any traffic you have set as remote network will be sent across without being NATed.
One test is to try and ping the LAN IP of the remote router; if that works the tunnel is up and running. Most of the time when you can't ping devices on the other side of the tunnel it is because of the firewall on the device, especially Windows hosts. Try disabling the firewall on the host you're trying to ping. Also check to make sure the default gateway of the devices you are testing with is set to the router on each end.
We can also test to see if your packets are being routed out to the internet instead of through the tunnel by running a traceroute to something out on the internet. If the trace goes infinite past 30 then something has routed that packet incorrectly, or it can't find a way back.
Let me know how that goes and if it still isn't working go ahead and post your settings for each side of the tunnel, especially the local and remote groups.
Thank you for choosing Cisco,
Christopher Ebert - Advanced Network Support Engineer
Unfortunately I do not have access to the remote host. It is a hosted private company to a government gateway. I have only been given the settings to use for the VPN as follows.
IKE phase 1
DH group 2
IKE lifetime 86400
Aggressive mode no
PFS group 2
I've found out that the tunnel is failing at phase 2. Apparently the details at each end match for what I can configure. But I'm wondering if there is something that is not supported on this router that the other end of the tunnel is looking for. Part of their instructions state that we should not use NAT traversal. I know this router doesn't support this so would this be a problem?
The remote host is ping disabled and the traceroute only gets as far as our router and then times out. But I assume that's because of the same reason I can't ping them.
Attached is the config file from our router.
Thanks for your help and I apologise for any dumbness on my part.
When you say the traceroute gets as far as your router and then times out, does it just stop, or does it go infinite with just stars for every hop?
You mention the tunnel fails at phase 2, do you have the logs from the router? You may have to enable them first, then try connecting a few times and post the logs here. They aren't always clear but often help point us in the right direction.
Your logs are a bit empty; you may want to check under logging settings and enable a few more logging levels.
However, from the messages we do see this one jumps out at me:
using isakmp#1 msgid:d4524f7a proposal=AES(12)_256-SHA1(2)_1024 pfsgroup=no-pfs
It looks like the other side is requesting AES256, SHA1, and no PFS group. I know you said that the settings were given to you by the other side but it looks like it is not using PFS. You can try disabling that on your end.
The only other message talks about no proposal chosen, which usually means the two endpoints cannot agree on settings to use, meaning something doesn't match up. You may want to get the other side to double check the settings they gave you.
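As an added illustration (not code from this thread, from Cisco or from the router): a small checker that parses the proposal line quoted above and reports which phase 2 parameter disagrees with the local policy, which is the comparison the reply does by eye. Only PFS group 2 and the first log line come from the thread; the AES-256/SHA1 local values, the second log line and its `pfsgroup=MODP1024` token shape are constructed assumptions.

```python
import re

# Constructed sample log: the line quoted in the thread plus one constructed
# line whose PFS token is assumed to follow the same "pfsgroup=<name>" shape.
SAMPLE_LOG = """\
using isakmp#1 msgid:d4524f7a proposal=AES(12)_256-SHA1(2)_1024 pfsgroup=no-pfs
using isakmp#2 msgid:0a1b2c3d proposal=AES(12)_256-SHA1(2)_1024 pfsgroup=MODP1024
"""

# Assumed local phase 2 policy: PFS group 2 is from the thread; AES-256/SHA1 are
# the values the reply reads out of the peer's proposal, reused as the local side.
LOCAL_POLICY = {"enc": "AES", "keylen": 256, "hash": "SHA1", "pfs_group": 2}

MODP_TO_GROUP = {768: 1, 1024: 2, 1536: 5, 2048: 14}  # DH group by MODP size (RFC 2409/3526)

PROPOSAL_RE = re.compile(
    r"proposal=(?P<enc>[A-Z0-9]+)\(\d+\)_(?P<keylen>\d+)"
    r"-(?P<hash>[A-Z0-9]+)\(\d+\)_\d+\s+pfsgroup=(?P<pfs>\S+)"
)

def parse_proposal(line: str) -> "dict | None":
    """Extract encryption, key length, hash and PFS group from one log line."""
    m = PROPOSAL_RE.search(line)
    if not m:
        return None
    pfs_token = m.group("pfs")
    pfs_group = None                      # "no-pfs" means the peer wants no PFS
    if pfs_token != "no-pfs":
        bits = re.search(r"\d+", pfs_token)
        pfs_group = MODP_TO_GROUP.get(int(bits.group())) if bits else "unknown"
    return {"enc": m.group("enc"), "keylen": int(m.group("keylen")),
            "hash": m.group("hash"), "pfs_group": pfs_group}

def find_mismatches(proposal: dict, local: dict = LOCAL_POLICY) -> list:
    """Return human-readable mismatches between the peer's proposal and local policy."""
    out = []
    for key in ("enc", "keylen", "hash", "pfs_group"):
        if proposal[key] != local[key]:
            out.append(f"{key}: peer={proposal[key]!r} local={local[key]!r}")
    return out

def audit_log(text: str) -> dict:
    """Map each msgid to its mismatch list; an empty list means the proposal matches."""
    report = {}
    for line in text.splitlines():
        msgid = re.search(r"msgid:([0-9a-f]+)", line)
        parsed = parse_proposal(line)
        if msgid and parsed:
            report[msgid.group(1)] = find_mismatches(parsed)
    return report
```

Running `audit_log(SAMPLE_LOG)` flags only the PFS group on the first line, which is the disagreement the reply points out.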