Cisco Support Community

New Member

[RV110W] VPN site-to-site between 2x RV110W

Greetings everyone,

 

I have two RV110W and I'm trying to configure a VPN connection site-to-site. After configuring my routers, I still got the state "IPSec SA Not Established". My two RV110W are both behind a modem/router where a "DynDNS" has been configured.

 

[RV110W]------[Router A]------[Internet]------[Router B]------[RV110W]

 

----------------------------
---------- SITE A ----------
----------------------------

Endpoint Information
Remote Endpoint: FQDN
Remote WAN (Internet) IP Address: siteB.ddns.net
Local WAN (Internet) IP Address: 192.168.1.11

Secure Connection Remote Accessibility
Remote LAN (Local Network) IP Address: 10.10.20.1
Remote LAN (Local Network) Subnet Mask: 255.255.255.0
Local LAN (Local Network) IP Address: 10.10.10.1
Local LAN (Local Network) Subnet Mask: 255.255.255.0

----------------------------
---------- SITE B ----------
----------------------------

Endpoint Information
Remote Endpoint: FQDN
Remote WAN (Internet) IP Address: siteA.ddns.net
Local WAN (Internet) IP Address: 192.168.1.12

Secure Connection Remote Accessibility
Remote LAN (Local Network) IP Address: 10.10.10.1
Remote LAN (Local Network) Subnet Mask: 255.255.255.0
Local LAN (Local Network) IP Address: 10.10.20.1
Local LAN (Local Network) Subnet Mask: 255.255.255.0

 

For my routers A and B, I translated the ports UDP/TCP 500, 4500, 50 and 51 on each RV110W (192.168.1.11 and 192.168.1.12). Do you see something wrong in my configuration?

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Hi williamflynn715,

It seems that the appropriate solution for allowing the RV110Ws to reach each other would be to configure One to One NAT on Routers A and B. Your RV110W devices are connected to Routers A and B, which assign internal, private IP addresses via Network Address Translation (NAT). The NAT is useful in protecting internal hosts by hiding addresses when accessing public services, and allows many devices to economically share the same public IP address. However, in order to effectively allow the RV110W to be accessed through inbound connections from external networks, it is important to configure a One to One NAT that binds a public address to the private IP addresses of the RV110Ws. This would permit reachability between the RV110Ws, by making them appear to have public IP addresses, despite being connected behind Routers A and B.

Are your Routers A/B Cisco routers as well? Some routers do not have the One to One NAT feature available. For example, the RV110W does not include the feature. However, this is not of concern because One to One NAT will need to be configured for Routers A and B.

6 REPLIES
New Member

Hello williamflynn715,

I am happy to help you with this. It seems like your local WAN IP Address is not correct.

192.168 is usually a LAN IP; your WAN IP would be something that your device uses publicly. Even though these devices are behind a modem, they would still need the public (WAN) IP to be input somewhere so they can access each other.

Please login to the Web Configuration Utility and choose Status > System Summary. In the IPv4 Configuration section, verify what the WAP IP address is. Check this on your remote and local device. 

Please let me know if this helps, or if you have any more questions.

Regards,

Raquel

New Member

Hello rockrobi,

 

Thanks for your reply. I checked the WAN IP address from Status > System Summary and I got this for each site:

Site A

WAN (Internet) Information  details
IPv4 Address:192.168.1.11
State:Up

 

Site B

WAN (Internet) Information  details
IPv4 Address:192.168.1.12
State:Up

 

And in any case, I can't change the local WAN IP in my VPN configuration, so I don't think this is the problem.

New Member

Hello williamflynn715,

Thank you for the information.

Try matching both end settings to be exactly the same. For example, for Site A you have Local WAN (Internet) IP Address: 192.168.1.11. And for Site B you have Remote WAN (Internet) IP Address: siteA.ddns.net. Since the Remote WAN IP for Site B is the Local WAN IP for Site A, these two fields should match. The same is true with most configurations such as this. The ends need to match exactly.

I hope this helps, and again, please let me know if you have more questions.

Thanks,

Raquel

New Member

I can't change siteA.ddns.net with 192.168.1.11 because this domain name is linked to the public address of my router A (defined by my ISP). In fact, my routers A & B are internet boxes supplied by my ISP. They have an interface with a public address and another one for my private network that I can configure with DNS, DHCP and other integrated services.

 

To be more explicit, here is my network map:

 

Router A

WAN: @public_address_A

DynDNS: siteA.ddns.net

LAN: 192.168.1.x

Devices connected: several + RV110W (192.168.1.11)

 

Router B

WAN: @public_address_B

DynDNS: siteB.ddns.net

LAN: 192.168.1.x

Devices connected: several + RV110W (192.168.1.12)

 

RV110W A

WAN: 192.168.1.11

LAN: 10.10.10.x

 

RV110W B

WAN: 192.168.1.12

LAN: 10.10.20.x

 

For example, I was able to create a VPN connection with my RV110W by using the PPTP protocol. But for that, I had to create an entry in the NAT/PAT option of my Router A to translate the port 1723 to my RV110W.

I tried to do the same by translating ports UDP 50, 51, 500 and 4500 of my Router A to my RV110W A (and the same thing for Router B to RV110W B), but it seems something is missing (other ports to open?) or is wrong. Or perhaps I can't do that with the IPsec protocol... but that would be surprising.
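
As an added example (not part of the original thread and not a Cisco tool): a small Python check run over the two site configurations and the port forwards posted above. The dictionary layout and function names are assumptions made for illustration. It verifies that the local/remote LAN selectors mirror each other, flags an RV110W whose WAN address is private and therefore sits behind NAT, and separates the UDP forwards IPsec uses (500 for IKE, 4500 for NAT-T) from 50 and 51, which are the IP protocol numbers of ESP and AH rather than ports.

```python
import ipaddress

# Constructed from the values posted in the thread (VPN pages of both RV110Ws).
SITE_A = {"remote_endpoint": "siteB.ddns.net", "local_wan": "192.168.1.11",
          "local_lan": ("10.10.10.1", "255.255.255.0"),
          "remote_lan": ("10.10.20.1", "255.255.255.0")}
SITE_B = {"remote_endpoint": "siteA.ddns.net", "local_wan": "192.168.1.12",
          "local_lan": ("10.10.20.1", "255.255.255.0"),
          "remote_lan": ("10.10.10.1", "255.255.255.0")}

# IKE and NAT-T run over UDP; ESP and AH are IP protocol numbers, not ports.
IPSEC_UDP_PORTS = {500: "IKE", 4500: "IPsec NAT-T"}
IPSEC_IP_PROTOCOLS = {50: "ESP", 51: "AH"}


def lan_network(pair):
    """Turn an (address, mask) pair from the web UI into a network object."""
    address, mask = pair
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def check_pair(site_a, site_b):
    """Return a list of findings for a pair of site-to-site policies."""
    findings = []
    a_local, a_remote = lan_network(site_a["local_lan"]), lan_network(site_a["remote_lan"])
    b_local, b_remote = lan_network(site_b["local_lan"]), lan_network(site_b["remote_lan"])
    if a_local != b_remote or b_local != a_remote:
        findings.append("selector-mismatch")   # each side must mirror the other
    if a_local.overlaps(b_local):
        findings.append("lan-overlap")         # overlapping LANs cannot be routed
    for name, site in (("A", site_a), ("B", site_b)):
        if ipaddress.ip_address(site["local_wan"]).is_private:
            findings.append(f"behind-nat:{name}")  # private WAN address: NAT in path
    return findings


def review_udp_forwards(ports):
    """Split forwarded UDP port numbers into IPsec UDP ports and protocol numbers."""
    return {
        "ipsec_udp": sorted(p for p in ports if p in IPSEC_UDP_PORTS),
        "ip_protocol_not_port": sorted(p for p in ports if p in IPSEC_IP_PROTOCOLS),
    }


if __name__ == "__main__":
    print(check_pair(SITE_A, SITE_B))
    print(review_udp_forwards([50, 51, 500, 4500]))
```
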

New Member

Additionally, 

Is there a reason you need routers A and B? It seems like if you want the RV110Ws to be endpoints in this configuration, they will need to be unobstructed by routers A and B. Also, please confirm that you have VPN passthrough enabled on all devices. You can do this in the VPN section of each configuration utility.

Thanks,

Raquel
