
RV220w site-to-site VPN behind other routers?

NeonNero1
Level 1

Hello,

I'm trying to set up a site-to-site VPN tunnel between our branch office and our main office, both using RV220w routers, but the one at the branch office is behind a second router. This means that the main office router has a public IP (x.y.z.200, directly to the Internet - we can call this "router A"), while the branch office router has a local IP (192.168.1.32, via a different router - let's call the branch office RV220w "router B").

What do I need to set up on both ends for this setup to work?

We want all traffic at our branch office to be routed through the main office network, to ensure the branch office has access to the main office resources without each branch office client computer having to VPN in separately.

Router A is running on firmware 1.0.3.5, while router B has firmware 1.0.4.17 (since it's a brand new setup, and didn't have any existing access rules to mess up), and I figured the IPsec Basic VPN Setup would be the key on both ends. I just can't figure out exactly what to put in. Based on the logs on router B, it would seem that it attempts a two-way connection (i.e. router A might attempt to connect to router B's LAN IP address), which wouldn't work (router A's IP address has been replaced by "x.y.z.200" in this log listing, for the sake of security):

2013-08-30 10:16:49: [rv220w][IKE] INFO:  Adding IPSec configuration with identifier "Main-office"

2013-08-30 10:16:49: [rv220w][IKE] INFO:  Adding IKE configuration with identifier "Main-office"

2013-08-30 10:17:07: [rv220w][IKE] INFO:  accept a request to establish IKE-SA: x.y.z.200

2013-08-30 10:17:07: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:17:07: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]

2013-08-30 10:17:07: [rv220w][IKE] INFO:  Beginning Identity Protection mode.

2013-08-30 10:17:07: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

2013-08-30 10:17:07: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4

2013-08-30 10:17:07: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8

2013-08-30 10:17:07: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9

2013-08-30 10:17:38: [rv220w][IKE] ERROR:  Invalid SA protocol type: 0

2013-08-30 10:17:38: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.

2013-08-30 10:17:44: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:17:44: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:18:07: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 3c3f5b067600073f:0000000000000000

2013-08-30 10:18:15: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:21:11: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:21:11: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:21:11: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]

2013-08-30 10:21:11: [rv220w][IKE] INFO:  Beginning Identity Protection mode.

2013-08-30 10:21:11: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

2013-08-30 10:21:11: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4

2013-08-30 10:21:11: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8

2013-08-30 10:21:11: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9

2013-08-30 10:21:42: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:22:11: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. e09788d81dd19af9:0000000000000000

2013-08-30 10:22:14: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:22:14: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:22:14: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]

2013-08-30 10:22:14: [rv220w][IKE] INFO:  Beginning Identity Protection mode.

2013-08-30 10:22:14: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

2013-08-30 10:22:14: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4

2013-08-30 10:22:14: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8

2013-08-30 10:22:14: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9

2013-08-30 10:22:45: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:23:14: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. f1623847b0a3009f:0000000000000000

2013-08-30 10:26:27: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:26:27: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:26:27: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]

2013-08-30 10:26:27: [rv220w][IKE] INFO:  Beginning Identity Protection mode.

2013-08-30 10:26:27: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

2013-08-30 10:26:27: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4

2013-08-30 10:26:27: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8

2013-08-30 10:26:27: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9

2013-08-30 10:26:58: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:27:14: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:27:14: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:27:27: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 1139fbb8ce5b48ac:0000000000000000

2013-08-30 10:27:45: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:29:53: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:29:53: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:29:53: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]

2013-08-30 10:29:53: [rv220w][IKE] INFO:  Beginning Identity Protection mode.

2013-08-30 10:29:53: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

2013-08-30 10:29:53: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4

2013-08-30 10:29:53: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8

2013-08-30 10:29:53: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9

2013-08-30 10:30:24: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:30:43: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:30:43: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:30:53: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 48bd23b0ee8b5ae0:0000000000000000

2013-08-30 10:31:14: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:36:29: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:36:29: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:36:29: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]

2013-08-30 10:36:29: [rv220w][IKE] INFO:  Beginning Identity Protection mode.

2013-08-30 10:36:29: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

2013-08-30 10:36:29: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4

2013-08-30 10:36:29: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8

2013-08-30 10:36:29: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9

2013-08-30 10:37:00: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:37:14: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:37:14: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:37:29: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 06ac9649e4d2ba8e:0000000000000000

2013-08-30 10:37:45: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:39:15: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:39:15: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:39:15: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]

2013-08-30 10:39:15: [rv220w][IKE] INFO:  Beginning Identity Protection mode.

2013-08-30 10:39:15: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

2013-08-30 10:39:15: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4

2013-08-30 10:39:15: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8

2013-08-30 10:39:15: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9

2013-08-30 10:39:46: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:40:15: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. f60b1e9d4604e39e:0000000000000000

2013-08-30 10:45:44: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:45:44: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:45:44: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]

2013-08-30 10:45:44: [rv220w][IKE] INFO:  Beginning Identity Protection mode.

2013-08-30 10:45:44: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

2013-08-30 10:45:44: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4

2013-08-30 10:45:44: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8

2013-08-30 10:45:44: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9

2013-08-30 10:46:15: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:46:32: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:46:32: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:46:44: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 190c8d7c6f4a706b:0000000000000000

2013-08-30 10:47:03: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:47:14: [rv220w][IKE] INFO:  Using IPsec SA configuration: 192.168.16.1/24<->192.168.15.199/24

2013-08-30 10:47:14: [rv220w][IKE] INFO:  Configuration found for x.y.z.200.

2013-08-30 10:47:14: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]

2013-08-30 10:47:14: [rv220w][IKE] INFO:  Beginning Identity Protection mode.

2013-08-30 10:47:14: [rv220w][IKE] INFO:   [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3

2013-08-30 10:47:14: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 4

2013-08-30 10:47:14: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 8

2013-08-30 10:47:14: [rv220w][IKE] INFO:   [ident_i1send:184]: XXX: setting vendorid: 9

2013-08-30 10:47:45: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP x.y.z.200->192.168.1.32

2013-08-30 10:48:14: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 79546b1e76be8dbb:0000000000000000

Any ideas as to what would be the correct way to make this work?
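A way to read the router B log in the question, as an added example that is not part of the original post or of Cisco's tooling: it pairs each phase 1 initiation with its timeout and checks the responder half of the cookie pair, which stays all zeros when the initiator never recorded a reply to its first message. The function name and output fields are assumptions; the sample lines are copied from the log above.

```python
import ipaddress
import re

# Lines copied from the log in the post above (peer address is redacted there as x.y.z.200).
SAMPLE_LOG = """\
2013-08-30 10:17:07: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.32[500]<=>x.y.z.200[500]
2013-08-30 10:17:07: [rv220w][IKE] INFO:  Beginning Identity Protection mode.
2013-08-30 10:17:38: [rv220w][IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
2013-08-30 10:18:07: [rv220w][IKE] ERROR:  Phase 1 negotiation failed due to time up for x.y.z.200[500]. 3c3f5b067600073f:0000000000000000
"""

INIT_RE = re.compile(
    r"Initiating new phase 1 negotiation: (\S+?)\[(\d+)\]<=>(\S+?)\[(\d+)\]")
FAIL_RE = re.compile(
    r"Phase 1 negotiation failed due to time up for (\S+?)\[(\d+)\]\. "
    r"([0-9a-f]{16}):([0-9a-f]{16})")


def summarize(log_text):
    """Return one finding dict per phase 1 timeout found in the log (hypothetical helper)."""
    local_by_peer = {}  # peer -> local address used in the most recent initiation
    findings = []
    for line in log_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            local_by_peer[m.group(3)] = m.group(1)
            continue
        m = FAIL_RE.search(line)
        if m:
            peer, _port, icookie, rcookie = m.groups()
            local = local_by_peer.get(peer)
            findings.append({
                "peer": peer,
                "local": local,
                "initiator_cookie": icookie,
                # All-zero responder cookie: no reply to the first message was recorded.
                "peer_never_answered": int(rcookie, 16) == 0,
                # Private local address: this end sits behind another router doing NAT.
                "local_is_private": local is not None
                and ipaddress.ip_address(local).is_private,
            })
    return findings


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```

Every phase 1 timeout in the log above carries an all-zero responder cookie, so each attempt stalls before router B records any reply from router A.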

2 Replies

jeffrrod
Level 4

Dear Kim Andre,

Thank you for reaching the Small Business Support Community.

You must use either public IP addresses or a fully qualified domain name (FQDN, when the public IP is provided dynamically by the ISP) in the VPN configuration on both ends, and in your case "router B" has a private IP, not routable over the Internet, so I am afraid it is not going to work the way you desire.

So if, for example, the gateway router at the branch office is an xDSL or cable modem terminal and this is why you need it, what you can do is set it as a bridge (no public IP manually configured) and have the RV220 do the PPPoE negotiation and get the public IP assigned, so that you can use it in the VPN setup.

Below is a document I like about VPN setup on RV220 routers:

http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=4710

In case your ISP-provided router is a DSL one and they instruct you how to set it up in bridge mode and provide you the PPPoE settings, please refer to page 34, chapter 2 of the admin guide for configuration details:

http://www.cisco.com/en/US/docs/routers/csbr/rv220w/administration/guide/rv220w_admin_v1.0.1.0.pdf

The main issue here is that you need both public IP addresses on the VPN setup, otherwise it is not going to work. Please do not hesitate to reach back to me if there is any further assistance I may help you with.

Kind regards,

Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer

*Please rate the post so others will know when an answer has been found.


Ah, I see. I feared that might be the case, actually (based on the settings available).

Problem is, the DSL modem/router provided by the ISP (which is in front of router B) serves the entire building as a shared Internet connection, and doesn't just connect the branch office. The DSL router is also pre-configured without the need for PPPoE (the subscription is hard-coded to the phone line ID, I believe).

Is there another way to connect the entire branch office network to the main office VPN (on the router level), or do we just have to live with each client laptop having to connect to the VPN individually?

Regards,

Kim