Cisco – RV325 to RV320 site to site ipsec tunnel

ciscoipsecsite-to-site-vpn

Gateway to gateway tunnel from RV325 to RV320 (either direction) won't connect. I can't find any sort of error log.

Both are WAN1 (only one connected) and IKE PSK.

Both local and remote groups are IP only. RV325 local == RV320 remote for IP and subnet. RV325 remote == RV320 local as well.

IPSec settings are identical. I've tried a few variations keeping them identical. I read another post where someone said he'd never gotten it to work with Perfect Forward Security on, so that's off.

Am I missing something?

Best Answer

The simplest way (yet secure) to implement a IPSec VPN is by using IKEv1 in Main Mode (you can see the scenarios to use aggressive mode).

So, assuming you are trying to use IKEv1 Main Mode:

First of all, IKEv1 phase 1 must be negotiated. IPSec only will be negoatiated after phase 1 is OK. (Phase 1 is also called ISAKMP).

To negotiate phase 1, you need to match the 'H.A.G.L.E' in both equipments:

Hashing (MD5/SHA1)
Authentication (PSK)
Group (Diffie Hellman group 1/2/5)
Lifetime (28000, 3600, you choose)
Encryption (3DES/AES/AES-256)

After this, the IPSec configs must also match in the following both equipments:

Hashing (MD5/SHA1)
Protocol (ESP/AH)
Encryption (3DES/AES/AES-256)
Lifetime (28000, 3600, you choose)

Using PFS in IPSec demands you to choose a Diffie-Hellman Group on IPSec too.

If all of this match, you should have no problem. The PSK and local/remote networks also must be ok.

Upload an image of the VPN config screen.

Related Solutions

Cisco ASA 5505 (8.05): asymmetrical group-policy filter on an L2L IPSec tunnel

From my reading of the referenced document the ACL you currently have in place should be allowing the remote host to access your local host on port 22 but not your local host to access the remote host on port 22. According to the document the ACLs are stateful, so when a packet arrives from the remote host destined for tcp port 22 it matches the ACL and is permitted. Because it is stateful the return traffic is also permitted. When the local host tries to establish a connection to tcp port 22 on the remote host the source is a random high port on the local host which means it doesn't match the acl requirement of a packet to or from the localhost on port 22 so it should be dropped by the ACL. An ACL entry is only truly bi-directional if no tcp or udp port is specified. The ACL below should implement what you want to achieve:

access-list ACME_FILTER extended permit tcp host 10.0.0.254 eq 22 host 192.168.0.20
access-list ACME_FILTER extended permit icmp host 10.0.0.254 host 192.168.0.20

RV082 Gateway-Gateway VPN Won’t Connect

I have a site to site VPN beween two rv082's also. Checking my settings they show on both sides:

Local Security Gateway Type: IP Only
IP Address: external address
Local Security Group Type: Subnet
IP Address 192.168.188.0
Subnet Mask: 255.255.255.0

Remote Security Gateway Type: IP Only
IP Address: external address
Remote Security Group Type: Subnet
IP Address 192.168.166.0
Subnet Mask: 255.255.255.0

Keying Mode: IKE with Preshared key
Phase1 DH Group: Group 1
Phase1 Encryption: DES
Phase1 Authentication: MD5
Phase1 SA Life Time: 28800
Perfect Forward Secrecy: Enabled
Phase2 DH Group: Group 1
Phase2 Encryption: DES
Phase2 Authentication: MD5
Phase2 SA Life Time: 3600

Aggressive Mode: Disabled
Dead Peer Detection (DPD): Enabled

The only difference I see is agressive mode, but you tried that. Obviously you have a matching preshared key. Interface is WAN1 on both. So you don't have anything glaring - but maybe disable aggressive mode. I also remember having to delete and recreate them a few times to get it connected. Have you tried that?

Best Answer

Related Solutions

Cisco ASA 5505 (8.05): asymmetrical group-policy filter on an L2L IPSec tunnel

RV082 Gateway-Gateway VPN Won’t Connect

Related Topic